Last year there were so many security breaches, ranging from the U.S. Department of Justice to Yahoo, that it was difficult to keep track of them all. And this year — with WannaCry, Petya, the CCleaner breach, Wikileaks CIA Vault 7, Cloudbleed and the Equifax breach, just to name a few — it’s clear that attacks are not going to let up anytime soon. Retailers are particularly high up on cybercriminals’ hit lists because of the sensitive payment data they handle.
The challenge for ISVs is implementing strong security solutions and practices without compromising productivity. Here are 6 simple things that your retail customers can do to begin gaining an edge against today’s cyberthreats:
1. Educate employees about security best practices. More than half (52%, according to CompTIA’s research) of all data breaches are caused by human errors, such as clicking on unsolicited email links or attachments and using weak passwords. In fact, several studies revealed that at least 80% of passwords can be cracked within 45 minutes. These are exactly the kind of low-hanging fruit cybercriminals look for. Minimize these problems by educating users about security best practices, such as not opening unfamiliar emails and links. Also, ensure that strong passwords are used (e.g., changing default passwords and using a combination of letters, numbers and symbols) and regularly updated on computers, terminals and networking equipment.
2. Avoid consumer-grade networking equipment. It can be tempting for small retailers to purchase inexpensive, consumer-grade wireless routers to bring wireless connectivity to the store. The problem, however, is that consumer routers aren’t designed for the demands of business, which leads to poor performance, and, more importantly, they don’t have the robust security of an enterprise-grade router (e.g., Meraki, Ubiquiti, Ruckus). Also, make sure that your networking equipment allows you to separate the store’s operations network from the customer (i.e., guest Wi-Fi) network. You want to prevent a malicious website or a guest’s compromised computer from reaching your operations network at all.
3. Watch for outdated enterprise equipment too. Companies may think their 10+ year-old networking devices are still doing the job for which they were intended, but the reality is that decade-old network devices are less likely to have the protections necessary to withstand today’s cyberattacks. One feature newer networking hardware includes is image signing, which helps ensure that BIOS, firmware, and other software updates are authentic. As the system boots, each image’s signature is checked against a hardware anchor of trust, ensuring the integrity of the system’s software. This is an important feature for preventing man-in-the-middle replacement of software and firmware, and it provides layered protection against the persistence of illicitly modified firmware. Outdated payment terminals are another source of vulnerability. Not only are these devices out of compliance with the latest EMV standards, some of them are also susceptible to card skimming, which exploits the millisecond delay between the time the mag stripe is read and the time the data is encrypted. Newer equipment limits this possibility.
4. Restrict administrator and employee privileges. When setting up computers or POS terminals, it can be tempting to take a few shortcuts to save time, such as creating multiple accounts with admin privileges. With this level of access, users can install rogue, uncontrolled software that could contain malware. In addition, POS and operations equipment should not be used for employees’ personal web browsing and email, which increases the chances of infecting the terminal with malware. Restricting users’ access privileges, and especially their Internet access, makes it more difficult for a hacker to reach the retailer’s network via the POS terminal.
5. Update your software regularly. On the growing list of things competing for your time, it’s easy to put off software updates. But, if there’s one lesson we can all learn from major incidents such as the WannaCry ransomware attack that took down more than 200,000 computer systems across more than 150 countries earlier this year, it’s this: keep your software patches current. Ironically, two months before the attack, Microsoft released a patch that would have made the computers immune to the WannaCry attack. Software companies are typically very vigilant about addressing the vulnerabilities that are reported against their systems, and they have entire teams set up to ensure that they patch the issues as quickly as possible. It’s important that you are continually communicating with your system providers to stay current with those changes.
6. Don’t be an EMV laggard. The October 1, 2015 EMV deadline, which had been anticipated for years by EMVCo (a consortium comprising many of the major credit card networks), has come and gone. Yet only about 53% of U.S. merchants are expected to be EMV-ready and fully compliant this year, according to The Strawhecker Group. Considering that credit card fraud is an estimated $8.5 billion-per-year problem in the U.S. alone, ISVs and retailers can’t afford to put off EMV readiness any longer. It can be tedious to ensure that the POS system, payment terminal, and payment processing network have all been tested according to the EMV Migration Forum’s guidelines. But ISVs don’t have to shoulder this burden alone. Many payment processors offer certification assistance, including self-certification testing with the major credit card networks. Some payment processors also offer extra security layers for card payments, such as tokenization and end-to-end encryption, which ensures credit card data is encrypted at the point of transaction and not decrypted until it reaches the payment processor.
Protecting your customers from cybercriminals is a challenge that isn’t going away anytime soon. Cyberattacks are on the rise, and the stakes are higher than ever for your retail customers: not just the growing compliance requirements they have to satisfy, but the potential harm to their reputation should they join the ranks of breached companies and make headlines for all the wrong reasons.