Back to the Basics: A Necessary Grind for Online Retailers

If we’ve learned anything from recent security breaches faced by several unfortunate retailers, it’s that often the attacks result from a breakdown in routine cyber hygiene.

This realization has catapulted basic cyber hygiene to the top of the priority lists of Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs). Basic IT infrastructure and security protocols – understanding where your most valuable assets reside, deprovisioning legacy assets, configuring your systems with key security settings, and making sure the environment is properly patched and updated – must be upheld to protect your business from the vast pool of cyber criminals and threats. Unfortunately, these seemingly simple practices are tedious and difficult to maintain, and they are often overshadowed by the latest, greatest security solution that promises to keep your business safe.

And history teaches us that hackers do not require sophisticated tools to achieve their malicious goals. They can easily exploit a basic weakness within the system (for example, a software vulnerability that hasn’t been properly patched) to gain access to your network and then move laterally to extract sensitive business and customer data. Similarly, they can use credentials stolen from an employee or third party to gain access. Credential theft, because it’s easier and less risky than exploiting an existing vulnerability or a zero-day, is one of the most common attack vectors used against online retailers. According to Verizon’s 2016 Data Breach Incident Report (DBIR), nearly two-thirds of breaches leveraged stolen credentials. Retailers need to be diligent in monitoring their logs to identify potentially malicious behavior, such as automated or malware-driven activity, that results from credential theft.

Failing to maintain basic security hygiene can harm not only your customers, but also the long-term revenue, success, reputation and integrity of your business. Making matters harder for the CISO and CIO when it comes to keeping up basic cyber hygiene practices are emerging concerns around security for the Internet of Things (IoT), the ever-increasing third-party access to retailer sites and the significant amounts of critical customer data stored on a retailer’s network – to name a few.

What can online retailers and other organizations do to help maintain basic cyber hygiene and mitigate risk? Outlined below is a list of best practices to help ensure your retail business’ valuable data stays protected:

1.  Create a mandate for basic cyber hygiene in your business’ environment. Support this effort with ongoing education for employees and partners. When it comes to cybersecurity, ignorance is not bliss.

2.  Develop a basic threat profile. It’s important to understand that not all companies are created equal in terms of their security profile and posture. Developing and understanding your basic threat profile allows a clear understanding of where your most valuable assets reside, and what measures you can and should take to protect those assets specifically.

3.  Establish a formal process to secure emerging technologies. New, innovative technologies, such as digital and “omni-channel” marketing, create new revenue opportunities for online retailers. But these technologies also pose new security risks, and must be considered under the same security microscope as the rest of your business functions. Having a formal process in place will make for smoother, justifiable adoption and more secure technology implementation.

The traditional approach has been to rely on compliance measures as a way to mitigate risk and maintain an overall secure posture. However, compliance has not been an effective model for a very long time. While businesses must check the compliance box, compliance cannot be treated as a security gold standard; more often than not it offers a false sense of security that puts businesses at greater risk.

Getting back to the basics of cyber hygiene is where the real day-to-day security grind should focus. If retailers and others would emphasize and uphold solid, basic blocking-and-tackling security measures, they would be far less susceptible to cyberattacks across the different high-profile areas of concern. In the end, online retailers and other businesses must first achieve a basic security foundation and only then seek to deploy more novel security precautions. This approach, although not glamorous, will allow companies to review cybersecurity with a strategic mindset and will provide a solid foundation for preventing successful breaches and protecting the firm’s valuable data.