In part two of a two-part series, we speak to Gerard Dunphy, ISA Cybersecurity’s Offering Leader – Detection, Response & Recovery, to share his insights on retail cybersecurity. Gerard is one of Canada’s foremost experts on managing cyber incidents and has been involved in the recovery efforts after some of the country’s highest-profile cyber attacks. In part one, Gerard identified some of the key risks, vulnerabilities, and challenges faced by retailers every day. Here in part two, we explore the tactics and strategies retailers can employ to defend themselves against the threats of today and tomorrow.
Q: What are the most critical assets and systems that retail organizations need to protect against cyber threats?
Gerard: Retail organizations need to identify and protect their sensitive data. At the end of the day, it’s data that the bad guys are after, specifically data that is considered sensitive or otherwise valuable. This can include customer financial data such as payment card information which can be leveraged for financial fraud, and personally identifiable information such a person’s name and contact information which, when combined with other information about them such as their address, gender, age, education, social insurance number, driver’s license number, and so on, can be exploited for identity theft. Retailers should assess the systems and applications that capture, transmit and/or host their sensitive data. This could include servers, databases, applications like Customer Relationship Management (CRM) and inventory systems, payment systems, and IoT (Internet of Things) devices like point-of-sale systems. Consider the big picture here.
Data should be encrypted in transit and at rest using strong encryption. Encryption keys should also be stored in a separate location isolated from the data they protect and access to these keys should be tightly restricted. And a message to retailers: if you don’t really need the data, get rid of it. Cyber criminals can’t steal what you don’t have, so limiting the amount of information you collect is smart business.
Q: That’s a lot to wrap your head around. How can retailers prioritize their efforts?
Gerard: The best approach is by conducting a cybersecurity risk assessment. This will help identify which assets are most vulnerable to the cyber threats facing the organization, which in turn will help determine the appropriate steps needed to reduce the risk against them. A risk assessment typically starts with identifying all the assets of the organization and prioritizing their importance – including the identification of assets considered to be an organization’s “crown jewels”. It then looks at the known cyber-related threats facing the organization, particularly the tactics, techniques and procedures used by cybercriminals to attack and cause harm to the organization. Common scenarios are then considered and risks are analyzed to determine the likelihood of those risk scenarios actually occurring and the potential impact to the business. A risk matrix is then used to assess the likelihood and impact to determine the level of risk tolerance of the organization. The risks are then determined and prioritized against the probability of the potential scenario.
Q: What are some of the most common security controls that organizations should consider to strengthen their security posture and their ability to respond to and recover from a cybersecurity incident?
Gerard: Retailers will have different requirements based on their technology stack, compliance obligations, security maturity and the results of their risk assessment. But it’s safe to say that any retailer should have the following controls and defenses in place:
- Monitor your environment to detect and respond to threats
- Employ endpoint protection across all endpoints
- Harden operating systems and applications
- Maintain patch levels on all systems and applications
- Employ strong identity and access management and leverage least privileged access
- Use network segmentation and segregation for greater access control and limited attack surface
- Use a strong password policy with a minimum of 14-16 characters
- Use a password manager or vault to manage secure-centric passwords
- Use multi-factor authentication (MFA)
- Use a VPN to secure and privatize your internet connection, especially in public spaces
- Encrypt data in transit and at rest
- Use a secure file sharing solution to share sensitive data
- Use email authentication technology and Sender Policy Framework (SPF) on email systems
- Backup your critical data (crown jewels, critical systems, critical data), store backups offline, and test them regularly
- Have an effective and tested Incident Response Plan that includes a solid business continuity plan and incident recovery strategy
- Have an effective cybersecurity awareness program for all employees and conduct phishing tests regularly
Q: What emerging technologies or trends are you seeing that are going to pose risk for Canadian retailers in 2024 and beyond?
Gerard: Obviously AI is the first area to mention. It’s on everyone’s mind. From a risk perspective, cyber criminals are using AI in a variety of ways, including creating realistic phishing emails and creating fraudulent websites which can deceive visitors into revealing sensitive information. Cyber criminals are also using AI to adapt their tactics to bypass security controls, intrusion detection systems, and behavior analysis tools to evade detection. These threat actors are also attacking AI systems directly, targeting the data used to train those machine learning models. But defenders are also leveraging AI to improve their defenses as well. In this case, AI is being used to automate responses to threats such as blocking malicious traffic or email, isolating devices, and reducing human error for greater accuracy and reduction of false positives. So, it’s not all bad news.
Certainly, the expanding use of cloud is another important trend for retailers, in terms of efficiency and scalability. But inadequately or improperly secured cloud services create risk. Moving from on-premises systems to cloud-based services is not a matter of “lift and shift”. As retailers adopt cloud services for data storage, e-commerce platforms, and other operations, it’s critical to ensure that security is built into the design and architected with appropriate access, configuration, compliance, and security controls to protect those environments.
Finally, I’d highlight supply chain risk. As retailers are seeking greater efficiencies and reductions in operating costs, supply chains are becoming more and more important – and complex. The dependencies on partners have never been greater, and the connectivity between these players is growing all the time. Cyber criminals recognize this and are increasingly targeting third-party vendors and suppliers in retail supply chains as a way to infiltrate the primary target organization’s network. Thoughtful risk assessment and incident response handling is critical to protect yourself against these kinds of threats.
Q: Any last words of advice?
Gerard: One of the most overused adages in cybersecurity is “It’s not if, but when”. It gets said so often that I think people may not be hearing the real message: that cyber attacks are happening all day, every day and it’s only a matter of time before you are attacked. Plan for the “when”, not for the “if”. You are a target today – the unfortunate reality is that we all are. Good security hygiene such as strong passwords, MFA, system patching, security awareness training, and good offline backups will greatly prepare you for an incident and even help you avoid one as many cyber criminals will typically move on to lower hanging fruit.
Take cybersecurity seriously and get help where you need it. Don’t risk becoming the next headline. The cost of good cybersecurity is far less than the cost of a breach.
ISA Cybersecurity is one of Canada’s leading cybersecurity-focused companies. We specialize in cyber services and solutions for the retail sector. We work with some of the country’s largest retail organizations to safeguard their customers’ security and privacy and help them adopt a cost-effective proactive approach to cybersecurity. Let’s talk about how we can help your business today!