Globally, the retail industry is among the top three industries to be targeted by cyber criminals. Due to the sheer number of merchants accepting payment cards, the relatively low level of security and the many attack vectors available, the number of breaches is large and continuously growing. The increasing use of mobile devices combined with the introduction of Near Field Communication (NFC) wireless technology and applications such as augmented reality only serves to exacerbate the problem.
Some of the most highly reported examples of cyber theft in the retail sector come from the US and include TJX, Subway and Barnes & Noble. The breaching of these merchants’ in-store wireless networks, point-of-sale (POS) systems and credit card readers resulted in tens of millions of credit cards being compromised and the loss of personally identifiable information, in addition to financial losses for those merchants. These large-scale incidents of cyber theft highlight the need for retailers to better secure their operations.
Modern retail security
Traditionally, retailers have been securing their stores by using either store-based routers with basic security functionality, or an overlay point security solution plugged into the store network, or a private WAN to bring all traffic back to the data centre for inspection. Each of these methods has its drawbacks, whether lack of functionality, inability to scale or excessive costs.
Instead, retailers should take a closer look at each of the four primary building blocks of a secured distributed environment, and take steps to address the particular issues faced by their organization at each of these levels.
1. Access: As stores extend access to employees and consumers using mobile devices, ensuring secure access is critical. Secure access control through rogue access point detection, authentication, guest Wi-Fi services, rate limiting and load balancing is important.
2. Store: The individual store level requires security and connectivity for a wide variety of functions including Wi-Fi, voice and traditional network connectivity. With the addition of consumer connectivity, each store must also be able to provide security functions, such as anti-malware and application control.
3. Aggregation: This level is the destination for all data. Typically this is the retail headquarters. Core security functions such as firewall, application control and VPN termination take place here.
4. Management: Given the widely distributed nature of modern retail establishments, the ability to centrally manage and quickly modify the various security appliances guarding the organisation is essential. Having a security platform across the enterprise will allow this to be done effectively.
As part of this more in-depth security strategy, retailers should closely consider their options for implementing a network security solution that is both comprehensive and cost-effective. In order to address today’s complex in-store security, the requirements of a strong IT security solution should include:
High performance to improve customer experience: With the growing number of endpoints and applications as well as higher data volumes, each in-store network must provide high performance for continuous credit card processing and POS connectivity to maximise the customer experience and interaction. High performance and low latency traffic flow is especially important during peak transaction periods.
In-depth defence for the in-store wireless LAN: In-store reps are increasingly being provided with wireless tablets to increase interactivity with customers, while some retailers are looking to differentiate services with wireless kiosks, flexible wireless digital signage and customer access through their own devices. The security solution must thus be able to provide the same levels of security to the wireless and wired parts of the network.
Migration to lower-cost public networks: The adoption of low-cost superfast broadband connectivity to stores and/or the use of a secure VPN over the public networks provide lower-cost operational alternatives to private WAN networks. However, leveraging public networks for store connectivity can expose retailers to additional security threats, so it is important that such connections are secure and that the encrypted traffic does not succumb to performance degradation when passing through the security devices.
Adoption of innovative in-store services: The use of advanced technologies makes the retail environment more vulnerable to threats. Support of cutting-edge customer applications such as the augmented reality applications used as customers move through the store and/or in-store Wi-Fi access to multi-channel retailing and loyalty schemes will become commonplace in the next five years. Security systems will have to scale to hundreds if not thousands of endpoints without incurring significant costs.
PCI-DSS compliance support: With in-store networks carrying credit card transactions, PCI compliance requirements must be satisfied. Security monitoring and rogue detection are explicit requirements in the PCI standard, so it is imperative that retailers are able to analyse user and device behaviour on the in-store network and respond to any threat. Event logging, analysis and reporting capabilities are essential to enable firms to demonstrate compliance with PCI-DSS and other regulations.
In order to remain competitive in today’s changing world, retailers will need to find innovative solutions to create value, fiercely reduce operating costs and mitigate risks throughout the business. For retailers with many geographically dispersed shops, secure network connectivity linking all sites to head office is critical to business operating processes. When the network is breached, IT services can become unavailable and data can be lost with serious consequences to the business.
Retailers therefore need to define a security strategy that addresses the key pillars of their distributed environment and ensure that their security infrastructure is not only robust, but scalable, easy to manage and cost-effective. Only then can the organisation support multi-channel operations and innovative services such as customer access which will enhance user experience and drive the business – without increasing deployment costs or staff burdens.
Rajesh Maurya is Country Manager, India & SAARC, Fortinet