According to a recent study on cybersecurity in the retail industry, this sector is the most vulnerable to cyberattacks, especially social engineering attacks like phishing. IT security flaws in this industry can lead to high profile incidents, such as the cyberattack on Dixons Carphone Warehouse, in which payment details of 5.9 million customers were compromised,; or the data of 20,000 clients of the British health and beauty chain, Superdrug, being held ransom.
The most common cybersecurity flaws in retail companies include:
- The human factor, such as employees with little experience or IT security awareness, which means a greater likelihood that they will open phishing emails, especially CEO fraud type emails.
- Technology problems. Hardware – such as point of sale (POS) terminals – used within shops can suffer from a series of vulnerabilities that allow attackers to steal credit card data from clients before it is encrypted.
- Antiquated, obsolete systems, due to the limited funds that are available to dedicate to updating them.
- Geographical dispersion is another obstacle when it comes to updating these systems, since companies have premises in many different locations. Here the challenge is to update systems in many different places without compromising the company’s efficiency.
Case study: Ur&Penn
UR&Penn is a retailer of jewelry and other accessories. It has 121 stores, and a long-term plan to open another 80 stores around Sweden. Of its existing stores, nine are located in Finland. The 158 cashiers that make up the business in Sweden and Finland are at different distances from the headquarters in Upplands Väsby in the northern Stockholm area.
With this ambitious growth plan, as much as possible of the IT environment needs to be automated, and there are great advantages for Ur&Penn if the IT solutions that are chosen can easily be added to each new store that opens.
A distributed environment with the network of stores around Sweden and Finland requires a plan to be operated in the best way; this plan was drawn up by Emir Saffar, who has been IT manager at Ur&Penn since 2012.
The cash registers in each store are computers where employees can browse the Internet, receive emails, read documents, and, of course, help customers to make purchases.
And, although employees don’t intentionally make IT mistakes, it is worth remembering that they tend to be the weakest link in a company’s security chain, liable to fall victim to social engineering, among other cyberthreats. Surfing the Internet, managing email, and using applications can all be possible sources of a cyberattack. And it is important to remember that any downtime in a company due to a security incident can lead to large losses of income, as well as loss of customer trust.
Unpatched computers – or in the case of Ur&Penn, cash registers – are easy targets for malicious hackers. It is therefore important to protect this asset in any company security policy.
99.96% of active vulnerabilities in organizations are related to a lack of certain patches; one common misconception is that Microsoft, Windows and other programs update automatically. This is rarely the case.
Emir Saffar realized that, in order to operate the various stores, it was necessary to patch the systems in all the stores remotely and efficiently. After many years using Windows Update, which meant that many computers had to be shut down, and many did not receive critical security patches, he decided to look for a solution.
Without a patch management tool, it was hard to keep track of which computers had received which patches. When installing patches was the responsibility of the employees, computers were often left unpatched, since they closed the warnings about programs that needed updating. What’s more, the employees would often have to restart their computers to install updates – something that could lead to a loss of income.
Emir Saffar tried several patch management solutions in order to find the right one. Ur&Penn already had Panda Adaptive Defense installed, so Emir contacted Benny Jonasson, his sales contact at Panda Sweden. Benny told his that Ur&Penn could become the first customer in Sweden to try the latest Panda Adaptive Defense module: Patch Management.
When this module was applied – with no additional installations, since Adaptive Defense was already deployed on the network – Saffar could immediately see which patches hadn’t been installed. The module also provides classification of all the available patches: “critical”, “important” and “necessary”. This allows Saffar to set the priority order in which they need to be applied.
One advantage of this module is the fact that most ‘regular’ software is supported, which covers the organization’s needs, since it does not use proprietary software.
With Patch Management, Ur&Penn can organize patches and schedule their installation for when the stores are closed, and thus avoid interrupting business. Everything can be seen: both everything that is going on, and the patches that haven’t been installed. The solution is simple, but highly stable, which makes it very hard to make mistakes.
In the words of Saffar: “PAD360 is an extremely good protection. So far, we have had no problem with either malware or incidents in the programs. Nothing has happened. With the Patch Management module, the security of the applications is further tightened and the functionality up to date; it is simple but works like a clock.”
Reports on which programs have been patched and which computers and services have been patched and updated are easy to take out. In summary, Saffar is of the opinion that it is a very simple service, which fully fulfills its function.