Retailers, defend your business with our IT Security Checklist

Posted by piksel on Jan 16, 2020 7:53:12 AM

Did you know that, without sufficient cybersecurity, your retail business could face fines of up to €20 million?

Not only that, but your reputation could also suffer irreparable damage.

Indeed, in the event of a retail security breach, 19 percent of consumers say they would stop shopping at the affected business, with a further 33 percent saying they would take an extended break from the retailer.

Can your business survive such a dip in sales, never mind a potential fine that could cost you millions?

To avoid such heavy penalties, you need to make IT security a core component of your retail business.

The best way to achieve this is to create an IT security strategy that is unique to your business. After all, every business is different and faces different risks, so its security responses need to be tailored to its own business objectives.

To help you with this, we’ve put together some recommendations on five key areas of IT security:

  • Information security governance and compliance
  • Staff cybersecurity awareness and training
  • Access management and password protection
  • Systems monitoring, penetration testing and data loss prevention
  • Cybersecurity audits and creating a culture of continuous improvement

We’ve also made checklists for each section so you can apply them to your retail business. These checklists are also available as an editable pdf for ease of use.

Fill in the form below to download your free Retail IT security checklist and take the first step to protecting your business.

1. Information security governance and compliance

Do you want to protect your business and avoid punitive fines? Then you need to comply with regulations such as the GDPR, PCI DSS and NIS. Doing so demonstrates that your cybersecurity is up to scratch and that you are following best practice.

The best way to guarantee compliance is to adopt an established security framework. This provides a reliable template for your security controls.

ISO/IEC 27001 lays out a framework of policies and procedures that cover the legal, physical and technical controls for an organisation’s information risk management processes. We recommend using this framework as it helps staff understand and embrace day-to-day cybersecurity.

To achieve compliance, you also need to review your security tools and processes. Thankfully, there are many tools available to help you with this.

We’re fans of Compliance Manager. Part of Office 365, it is a workflow-based risk assessment tool that helps you maintain compliance with most regulations. For example, Office 365 has many tools that can help you maintain GDPR compliance, as well as find and classify your sensitive data. It can also help you identify and map out all the personal data you hold.

Our final recommendation on governance and compliance is that you need to review your existing security controls to ensure you are storing and using personal data appropriately. When people give you their personal data, you enter into an agreement on how you will use it. You need to make sure you’re keeping to your word.

Information security governance and compliance checklist

| Activity | Person Responsible | Date Completed | Details |
| --- | --- | --- | --- |
| Adopt an established security framework | | | This provides a reliable template for your security controls. We recommend the security framework ISO/IEC 27001. Enter details on your adopted security framework and link to it for easy access. |
| Review security tools and processes | | | This helps staff maintain compliance with the security framework and significant regulations. Ensure all of your tools and processes help maintain compliance and are not set up in any way that puts your business at risk. |
| Review the following regulations: GDPR, PCI DSS, NIS | | | We strongly recommend getting legal advice when reviewing your compliance with these regulations. Disclaimer: Piksel Retail are not responsible for any consequences suffered by non-customers if your business is found non-compliant in any regulation. |
| Identify and map out all personal data held | | | There are many tools available that can help with this, but you can start by utilising features in your existing portfolio. For example, if you have O365, you can use content search to help you discover this data. Find and catalogue what data you collect, how it’s used, where it’s stored and how it travels throughout your business and beyond. |

2. Staff cybersecurity awareness and training

According to the Information Commissioner’s Office, human error is one of the top causes of data breaches. So, if you want to keep your business safe, you need cybersecurity awareness and training.

This includes day-to-day cybersecurity best practices and also an understanding of your business’s regulatory obligations. After all, how can staff follow regulations that they don’t understand?

Whether or not you hire an external training partner, check your existing products and services. Some providers supply learning resources that can aid in staff training. You can also find resources online to help you – like this Microsoft 365 Security Training video.

Both of these options can save you some money and give your staff the cybersecurity training they need.

When it comes to cybersecurity training, remember it’s an ongoing process. The modern workplace is a complex and ever-evolving arena, so be sure to keep up to date with cybersecurity best practices.

If you don’t, you may find your business’s security lacking in key areas like remote working, cloud services and online collaboration.

Staff cybersecurity awareness and training checklist

| Activity | Person Responsible | Date Completed | Details |
| --- | --- | --- | --- |
| Hire cybersecurity experts and/or collect cybersecurity training resources | | | Depending on the training, this can be handled either internally or externally. |
| Assign different training tasks and/or courses based on job description | | | Different roles need different training. For example, a store assistant won’t need the same training as a marketing executive. |
| Schedule training programs for each employee | | | Build a timeline that provides and maintains sufficient staff training. Once complete, we recommend testing your staff to make sure they understood everything. After all, your business may be at stake. |
| Review cybersecurity awareness and training measures and improve periodically | | | Perform a complete analysis and update all training at least annually, or as regulations and the environment change. |

3. Access management and password protection

In retail, peak periods like Black Friday or Back to School mean an increase in temporary workers. This means you need to watch both your physical and digital security.

Ensure you are aware of who can access unsecured areas such as shop floors, back offices and warehouses. Keep track of your workforce, granting them access only to the areas required to carry out their duties. This is the ‘principle of least privilege’ and you should apply it as often as possible.

To adhere to this principle, having strong access control procedures is critical. You need to regularly review who has access to important systems. When carrying out this review, be sure to:

  • Minimise the number of shared accounts
  • Restrict privileged or admin accounts to the bare essentials required to do their job
  • Ensure you have revoked access to people leaving your business

Another area of access management that all retail businesses need is an effective password protection policy. This is because compromised and weak passwords cause 80 percent of data breaches, a shocking statistic considering it doesn’t need to happen.

To implement and maintain an effective password protection policy, you can use password management tools like LastPass, Keeper or Dashlane.

If you’d like help to optimize and configure these tools get in touch today and find out how Piksel Retail can help you protect your company information.

Access management and password protection checklist

| Activity | Person Responsible | Date Completed | Details |
| --- | --- | --- | --- |
| Review all the access granted to your important systems | | | Unless you know who has access to what, you can’t be confident things are secure. |
| Assess whether each user has the access rights they need to work and no more | | | The safest approach to access is to apply the principle of least privilege. Audit all staff members’ access and see if this is the case. Ensure you remove all former and leaving staff members from your systems. |
| Implement and maintain an effective password protection policy | | | Use password managers and talk with IT partners to perfect your access management. |

4. Systems monitoring, penetration testing and data loss prevention

Unfortunately, cyberattacks like Distributed Denial of Service (DDoS) are on the rise. These can cripple your business for a long time, so you need to protect against them with ‘always-on’ protection and testing.

After all, when it comes to your business, you can’t be too vigilant.

That’s why we recommend protecting your business against DDoS attacks by implementing a WAF solution, which can be configured on your public or private cloud environment.

Systems monitoring and penetration testing

Carry out vulnerability scans and periodic penetration testing to ensure that your current IT systems are in working order and not at risk from known vulnerabilities and threats. These tests will highlight any potential cybersecurity weaknesses, helping to ensure full IT availability during peak retail periods.

With peak periods like Black Friday and Cyber Monday becoming more popular (an average of £2.48m is spent every minute in the UK), you need to make sure your business is ready. If you don’t, and you suffer a cyber attack, you could lose a lot of revenue.

Data loss prevention

As a retailer, you are responsible for a lot of sensitive data, like credit card numbers and other payment details.

Data loss prevention software and services can help you identify and control sensitive data, but many of the products that do this are expensive and difficult to implement. There are many tools out there that can help you, so be sure to pick the one that’s right for you.

Go into the busy Black Friday and Christmas period with confidence. Implement these controls, and carry out periodic testing of your defences so you can ensure your system is well-protected.

Systems monitoring, penetration testing and data loss prevention checklist

| Activity | Person Responsible | Date Completed | Details |
| --- | --- | --- | --- |
| Schedule vulnerability scans and penetration testing | | | You’re only as strong as your weakest link: test your systems so you can identify vulnerabilities and fix them. |
| Enable ‘always-on’ DDoS protection | | | DDoS attacks are very common. Find an effective, secure service or product to protect your systems. |
| Review your data loss prevention measures | | | Don’t ignore data regulations. Make sure you have measures in place to minimise data loss. |
| Carry out continuous systems monitoring and security reviews | | | Run checks year-round so that you’re confident going into your peak trading period. |

5. Cybersecurity audits and technology investment

Fifty-five percent of UK businesses reported a cyber attack in 2019, a 15 percent increase since 2018. Hackers are finding new and innovative ways to attack businesses, so you need to remain vigilant.

Cybersecurity is not a one-off task; it’s a continuous programme of measures that requires constant review and improvement.

You should regularly carry out cybersecurity risk assessments of your existing technology. This should include audits on all business hardware and software. You should also ensure that you have the most up-to-date versions of all antivirus software.

Applying regular patches and updates to all your software is important to remove known vulnerabilities. Even if you don’t upgrade your hardware, turn on automatic updates to make sure your business is secure.

Once you’ve updated all your software, prioritise the other areas where technology may be able to address key security risks. This is important as, unless you have unlimited resources, you need to address the most critical risks to your business first.

Here are some of the security technologies we’d recommend investing in if you haven’t already:

  • Security Information and Event Management (SIEM). This technology collects, analyses and reports on log data, highlighting threats and suspicious activity in your IT environment.
  • Intrusion Detection and Prevention Systems (IDS/IPS). Combined, these two solutions both defend your business against attackers and detect any that do gain entry to your systems.
  • Advanced Threat Protection (ATP) and behavioural analytic tools. These tell you when a breach has occurred, how the attacker gained access, what the threat is and where it is moving within your systems.

You can access these solutions (and many more) by partnering with the right managed service provider. They can bring the required skills and resources to defend your retail business against cyber threats.

Cybersecurity audits and technology investment checklist

| Activity | Person Responsible | Date Completed | Details |
| --- | --- | --- | --- |
| Carry out regular audits on all business software | | | Check all business software for available updates (apps, antivirus, operating systems etc.). Update any and all software that requires it. Immediately schedule the next check or turn on automatic updates. |
| Carry out regular audits on all business hardware | | | Check that business hardware is still under support from the hardware vendor. |
| Prioritise investment areas on further security technology | | | Consider the best areas to invest in security technology and prioritise based on your business need. |

Create a culture of continuous improvement around cybersecurity

We hope that this checklist has been useful in helping you highlight and examine your retail business’s cybersecurity.

We also hope that we have shown you that for your business to be truly safe, you need ongoing improvements and reviews to maintain effective security. After all, if your cybersecurity slips, you could suffer hefty fines and reputation damage you may never recover from.

For your retail business, true ongoing, effective cybersecurity is possible. But it requires skill, effort and a time commitment you may not have.

When doing things right is so difficult and the consequences are so severe, why not get some help from a retail cybersecurity expert?

If you’d like to find out how Piksel Retail can help keep your business safe, get in touch today and chat to one of our experienced team of retail IT security experts.
