The role of cybersecurity in helping retail open post-COVID-19

September 10, 2020

Retail businesses have arguably been one of the industries hardest hit by the current COVID-19 pandemic, with layoffs across the industry and multiple large retailers declaring bankruptcy in the past few months.

The pandemic has redefined what it means to be a resilient business, especially when it comes to retail. “Essential” businesses that have remained open, such as supermarkets or pharmacies, have had to figure out how to operate safely in this new world. Meanwhile, many retailers around the world have had to close their doors, are trying to understand the changes needed to re-open physical stores, and in many cases build an online presence.

No matter the type of retailer, the importance of cybersecurity hasn’t gone away. If anything, it becomes more important as a cyber disruption could be the fatal final straw for a business looking for a smooth return to operations and maintain its brand image and reputation.

One challenge that retail organizations face is that their environments are flooded with internet-connected devices. While this is not unique to the retail sector, the benefits of sensors and connected devices to enhance the in-store experience has led to a much higher ratio of devices to people in this sector. A typical retail environment has a device to people ratio of 5:1, meaning that for every 100 employees there are approximately 500 devices that need to be secured and managed.

While these devices, such as self-scanners or point of sale (POS) systems, can enhance the customer experience, they can also create serious challenges for the IT and security teams. Not only does the sheer volume of Internet of Things (IoT) and operational technology (OT) devices vastly increase the attack surface for an organization, but many of these devices also rely on vulnerable underlying software and hardware components that can also increase risk and be particularly difficult to fix.

What steps should retailers take to ensure that cybersecurity doesn’t get left behind in the opening process? When it comes to securing connected devices in retail environments, the foundational place to start is to increase device visibility. This gives an organization certainty around how many devices are on the network, where they are, and an understanding of their overall security posture.

From that foundation, an organization can more confidently implement a cybersecurity strategy to reduce risk from those devices. For instance, an organization can consider tools like network segmentation, which allows security teams to have greater control over what parts of the network devices have access to. Network segmentation is particularly applicable to retail environments, as IoT devices like POS systems typically run embedded operating systems, which can make patch management a manual process. Patching also requires change control windows and, if not done correctly, can cause unplanned system downtime.

More significantly perhaps, network segmentation can also prevent the lateral movement of an attack across the network. In practice, this could mean preventing hackers accessing sensitive corporate or customer information or limiting the scope of a ransomware attack. Both of these events could be catastrophic for a retailer in the midst of returning from a pandemic, when customer safety - both physical and digitally - is more important than ever.

Another consideration is to look at retail cybersecurity as a team sport. Historically, the retail industry tends to be less forthcoming when it comes to sharing cybersecurity learnings, largely due to the competitive nature of the business. However, lack of collaboration across peers can lead to slower progress across the industry overall. Boden, a large U.K. fashion retailer, shared some of their key learnings which might help others navigate this tricky landscape.

Retailers undoubtedly face an uphill battle when it comes to assimilating to their “new normal” post-pandemic. While the future remains uncertain for many around the world, by combining a more holistic view to device management and security with industry collaboration, retailers can at least limit one risk factor of many that will be affecting their businesses during this difficult time.

AJ Dunham is Principal Systems Engineer at Forescout Technologies.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Organizations rely on application innovation, particularly API-driven applications, to fuel their business transformation and growth. Attackers know this and are constantly looking for ways to find the unfindable and break the unbreakable. They’ve got tools, motivation, and time on their side.

Poll

Comparison Metrics

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

The role of cybersecurity in helping retail open post-COVID-19

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

The role of cybersecurity in helping retail open post-COVID-19

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.