Hello, and welcome to the Retail CISC blog! We thought we’d start with an inaugural post on how retail security is different from (and often harder than) security for your standard enterprise. Is there such a thing as a standard enterprise? Probably not from the CISO’s point of view, but many vendors and regulatory bodies seem to think one exists.
Let us count the ways:
- Dispersed Attack Surface: The geographically dispersed, light-footprint nature of retail environments makes them a unique challenge to protect. This is different from, say, an airplane manufacturer protecting the IP of its next airplane design on a hardened server in a datacenter somewhere. There’s also a multiplier effect of retail sites on the cost of securing the enterprise — that is, the number of retail sites, times the number of endpoints per site, times the cost of the licenses and hardware needed to secure each one. This creates a cost barrier that some other enterprises share (retail banks, auto dealers) but most do not. And notoriously tight margins make it difficult to justify the necessary cost base.
- Physical security: Retailers have to focus more on physical security since so much of the infrastructure is within reach of the public (think gas pumps, POS systems, kiosks, and so on).
- Unique Data Types: Most retailers’ biggest concern is a credit card number breach. This is a unique data type whose definition, and the rules on how it can be used, are set by someone else.
- The Human Factor: Humans are always a big part of the security equation. Retail, relative to other industries, can have a lot of turnover and varied training experiences; this creates opportunities for human error to occur (as well as fraud and other types of insider threat).
- Security vs. Transaction Speed: Transaction time is a key metric for all retailers, and security controls (like two-factor authentication) can slow that transaction time down. Creating highly usable, highly secure solutions is always hard, but there are unique pressures in retail, since competition is heavy and when customers leave one brand, they may not come back for years.
- PCI data makes working with third parties particularly difficult: There have to be full audit trails of everything accessed — a requirement that many other enterprises don’t or can’t support. Retailers should not allow staffers to touch credit card data if they have ever had a felony credit card charge in their background; what is often overlooked is the annual revalidation of that background check. Just because they didn’t have any credit card fraud in their background when they were originally hired doesn’t mean that they don’t have it now. Another factor to consider is the manner in which third parties manage the retail environment. Many want to back-haul the data to their own networks and manage it from there; retailers may require that it all be managed on the retailer’s network (where the appropriate safeguards and monitoring are in place).
- The customers are also the adversaries: Retailers have to manage the risk of fraud committed by their legitimate customers, not just fraud committed through those customers’ accounts once an intruder has compromised them.
Many of these problems are not unique to retail, but the combination can create particular constraints when trying to solve them. For in-depth discussions on these and other retail security topics, please join us at one of our local CISO Roundtable discussions, or email membership@RH-ISAC.org.
A big thank you to C. Josh Doll, Ed Harris, Jason Knudtson, Jamie Wallace, and others on the Retail ISAC list for helping to compile this listicle.