The 2016 holiday season is in full swing.
Retailers are already swamped with processing purchases, restocking returned merchandise, and shipping out thousands of packages in hopes of getting them onto doorsteps before Christmas.
It can be easy for a retailer to let thoughts of network security threats slip to the wayside during all of this commotion.
But unfortunately, hackers don’t attack at times that are convenient. If anything, now is hunting season.
And businesses are still responsible for keeping customer and employee information secure – even in the craze of the season.
Retailers can’t afford to ignore such network security threats. After all, 60% of small businesses that are breached are out of businesses within 6 months of the attack.
Staying privy to the top network security threats targeting the industry and preparing for them in advance can save a company the headache and hefty fines associated with suffering a breach.
One particular network security threat that has recently exploded in popularity is malware.
Malware continues to grow and has begun to explore harder-to-prevent methods of attack.
One of the ways attackers are using malware to get this information from retailers is by infecting PoS, or Point of Sale, devices.
Recent examples of this involved compromising a PoS provider’s servers and installing malware to steal the passwords of their retailer customers. The passwords provided remote access to the retailers’ PoS devices, upon which the attackers installed more malware to steal credit card data.
So far, companies are advised to change their login information for similar PoS portals.
Another way hackers are targeting businesses is by sending phishing emails with attachments that look harmless, but in reality, are malware.
Attackers in this case usually pretend to be someone they’re not, such as a customer or another merchandiser, which makes it harder to tell that the email is an attack.
Employees should never open unsolicited attachments, especially if they are from an unfamiliar sender.
Checking the email address of the sender can help determine if the sender is legit or not.
Implementing an email filter can also help diminish the amount of malicious mail employees may receive.
Ransomware is a specific type of malware that has been an increasingly prevalent network security threat for retailers.
Hackers use ransomware to break into a company’s network and encrypt crucial company data for ransom.
The company must then pay the hacker in order to get the decryption key, thus regaining access to the locked files.
Sometimes the decryption key doesn’t work, leaving the company out of money and out of data.
Consistently backing up important company files and checking that they are being backed up properly can help mitigate the effects of a ransomware attack. We provide many more tips in this post on ransomware.
Regularly updating programs when the latest software comes out is another way to minimize vulnerabilities.
Such updates can have security patches in them and are vital to making the use of these programs secure.
The weakness of a retailer’s PoS systems and how they are configured can make them a security liability.
Old operating systems, use of default credentials, and leaving the devices un-segmented from the rest of the network can pose problems.
Keeping your PoS systems un-segmented from the rest of your network can easily give hackers a direct path to customer and employee information.
Should a hacker gain access to your network, they would also have direct access to your PoS systems, which store credit card information in their memory for a specific amount of time.
Segmenting the PoS devices from the rest of your company’s network is the ideal way to prevent this kind of attack.
Running old operating systems on your PoS systems is also a big no-no.
Due to the limited/non-existent updates and support provided for outdated operating systems such as Windows XP, old and new vulnerabilities found in such systems will NOT receive any type of update or patch to fix them.
A hacker who knows these vulnerabilities can effortlessly compromise systems that are running these operating systems.
Systems set up with a default password will need to have the passwords changed immediately in order to avoid a breach.
Information on default username and password combinations are regularly circulated around the web, so breaking into systems that use these passwords isn’t a challenge for a hacker.
Employees are the #1 cause of data breaches, according to a 2015 survey done by the Wall Street Journal.
Untrained employees who are unaware of the network security threats associated with their actions aren’t going help keep company networks safe.
Such employees also may not be able to identify various attacks and network security threats, so keeping them up to date on the latest threats targeting an industry is a good way to prevent a breach.
Training new employees when hired is one way to ensure they know the policies and procedures from the get go, and it affords the employer a better opportunity to sit down with the employee and discuss these policies one on one.
Another way to check for deficiencies in current employee knowledge is to either regularly test employees on what they know, or fake an attack in order to see how employees respond to one in real life.
Holding regular meetings to discuss such activities, events, and threats is key to consistently exposing employees to the real dangers of cyber attacks.
PCI DSS Compliance
All businesses who accept credit/debit cards as payment are required by their banks to follow PCI DSS, or Payment Card Industry Data Security Standard.
The PCI Security Compliance Council released PCI DSS v 3.2 to the public in May. This means there are new and changed standards by which retailers must comply this holiday season.
Should a retailer fall victim to a breach, but not be compliant with these standards, they could face fines big enough to put them out of business.
Checking out the resources the PCI Security Compliance Council has available online is a great starting point for businesses who need a crash course in PCI DSS.
Consistency with network security policies and procedures is crucial during the onslaught of business happening across the nation during the holiday season.