Our holiday guidance blog series for retail and hospitality continues. For more blogs in this series, visit https://rhisac.org/blog/
Being this time of the year, our sector needs to be vigilant. There’s a chill in the air, decorations hung in every window, children’s eyes sparkle with wonder and expectation… and hackers lurk around every corner.
The holiday season is hunting season for hackers and malicious actors, looking to exploit the increase in traffic (virtual and physical) through retail stores for their own gain. There’s no way to completely insulate yourself from the threat of hackers and scammers, but there are some basic best practices you can follow to minimize the chances that you or your customers suffer damages.
- Get on the train
Your employees can be your company’s biggest asset–and its biggest weakness. Employees don’t need to be malicious to harm your bottom line: an employee with the best intentions can still cause problems if they aren’t aware of best practices or basic protections. Comprehensive training on security hygiene is a requirement in today’s retail environment. And if possible, take that a step further, run simulations and tests: social engineering exercises, phishing simulations, and other ways to ensure your team knows how to respond to various threats.
- Go by the books
Response playbooks can be worth their weight in gold when the worst-case scenario becomes reality. Taking the time to create step-by-step procedures for the biggest threats you face (ransomware, digital skimmers, etc.) means that your team will know what to do if they have to respond to an actual threat. Exercise those playbooks on a regular basis, and update as necessary in response to staff, network, and infrastructure changes. Response playbooks are the epitome of “better to have and not need than need and not have.”
- Communication is key
If you don’t do this regularly already, it’s worth it to spend some time ensuring that the lines of communication between your various security teams are open. Make sure your SOC, your threat intel teams, your vulnerability management team, and your IT teams have established lanes and lines of communication between them. This can be a critical part of the previous item: part of exercising your runbooks is to ensure your teams are familiar with each others’ roles and how to communicate together. This may seem like an obvious and simple step, but its importance can’t be overstated. When a breach occurs, it can cause chaos–you want your people putting their time into solving the problem, not figuring out who to call or how to reach them.
- Keep your head in the clouds
Modern businesses live in the cloud more and more. Whether it’s a public cloud like Azure, AWS, or Google, or a private cloud your company sets up and manages itself, cloud-based network infrastructure enables faster and more efficient storage and communication. But it also brings new risks and vulnerabilities. Take the time to review your cloud security policy (and if you don’t have a cloud security policy: create one). Check and double-check your cloud server configurations–you don’t want to accidentally leave critical data exposed because someone accidentally set an AWS bucket to public access. And make sure your password policy is strict and enforced.
- It can be overwhelming…
DDoS attacks can cripple a retail business. If your customers can’t get to your website, they’ll get to someone else’s. Review your DDoS mitigation plan regularly, and if you don’t have one–create one. Anticipate your points of failure, review your server infrastructure, and check with your ISP to understand their capabilities and limitations. With an up-to-date DDoS mitigation plan in place, test it: run tabletop simulations to make sure the key players know their roles, so that if the real thing hits, you’re as ready as you can be.
- Don’t be low-hanging fruit
Device management is a critical aspect of any cybersecurity program, and this time of year–with increased attacks and threats, it’s even more so. Every year, countless stories emerge of large organizations crippled by massive attacks that could have been prevented by a simple update or patch. Most cybercrime is opportunistic: they aren’t looking to attack a particular target, they’re simply looking for low-hanging fruit. Failing to patch or update systems with known vulnerabilities makes you that low-hanging fruit. Maintain a comprehensive asset list and check it regularly, and make sure every device connected to your network is always up-to-date and running the latest firmware and software patches.
- Anti-antisocial behavior
Everybody wants their social media account to bring in views and customers… but nobody wants their social media account to make the news because it got hacked and started spewing offensive content. Harden the security of your social media accounts, and make sure access is limited only to those employees who should have access, and make sure you have a plan in place to deal with a breach. And as an ongoing strategy, have a plan in place to collect and action potentially critical mentions of your organization, whether in response to a hack or not.
- Share and share alike
One of the most powerful weapons in the fight against cybercrime is information, and the best information for your organization is often provided by others who’ve had to deal with the same problems. Joining an information sharing and analysis center (ISAC) for your industry is an incredibly powerful way to make sure you stay current on the latest trends in your industry. To those already part of an ISAC, share as much as possible about a threat you are seeing. Sharing and collaboration is the best way to keep up with the malicious actors who are trying to compromise your networks. Learn what threats are being faced by others in your space, and how they’re dealing with them. Don’t recreate the wheel if you don’t have to.
RH-ISAC will be sharing tips throughout the holiday season in a holiday guidance blog series. Below are holiday guidance blogs already posted. Visit the RH-ISAC blog for more industry relevant blogs.
Holiday Guidance Blog Series: