This article was originally written by Avanade alum Wil Klusovsky.

This post was updated with the latest data on March 9, 2022. 

As we look back on NRF, let’s take some time to consider the security issues facing retailers today. A recent IDC study listed retailers as one of the industries more likely to be impacted by a security incident. Consider these Top 5 security challenges as you look for ways to reduce that probability.

1. Securing the shopping experience
Retailers are striving to build an increased understanding of customer preferences and behaviours. They want to deliver the same customer experience regardless of the location or touchpoint all in real-time. This means increasing the data gathered, the systems managing it and working to make the best use of it. This expands the attack vectors as well as data footprint for privacy and protection.

Integrating IoT and intelligent stores brings great value to the customer experience, but it also adds risk. To ensure the security of your business, several security challenges need to be addressed:

• Interfacing with customers through multiple channels means your applications need to be integrated securely, which requires an effective and Secure Software Development Life Cycle (S-SDLC) This also needs strong access controls, identity management and governance to manage the complex interaction between systems
• Your customer data needs to be protected and governed in accordance with applicable global and local regulatory requirements. Cloud security will be even more critical as these front-line worker and customer facing systems thrive here.
• All of this innovation needs monitoring and to be managed by strong governance programs
• A secure systems acquisitions process will help establish a new way of working with new systems implementation, and strong security operations and controls help address some of the new risk of innovation, specifically the ability to secure the cloud and monitor IoT.

2. Star planning your Zero Trust journey now
At one of the NRF Big Idea Sessions, zero trust was highlighted as a one of the answers to retailers’ security needs. Zero trust brings together existing and new concepts to create a more secure operating model for today’s agile, cloud, app driven, data sharing world.

One of the big focus areas for retailers is empowering their employees (in store, remote, back office, at distribution centers and at headquarters) to enable new ways of working. This combination of a distributed workforce, customer accessibility, and the integration of applications and assets that are not owned by the company, benefit from a zero trust model.

Zero trust is a journey not something you can just “turn on” tomorrow - evaluate what you are doing today, what you need to do in the future, and start planning now.

3. Reduce risk in your supply chain
As retailers secure the shopping experience, they also need to secure the supply chain. Retailers can build out a flexible and resilient supply chain by creating a centralized system to gather and assess real-time information. But this can mean you are introducing risk though connectivity and data sharing with organizations whose security you don’t manage directly.

One way to reduce the risk is to put in a place a strong, third-party risk and governance program . Technical aspects of these programs should limit access to data, which is further enhanced with strong access controls. The use of good identity management and Zero Trust models build for a secure future-state, in addition to the baseline security controls and processes that should already be in place.

4. Ransomware response & resilience
Good monitoring means fast detection, but the ability to respond to events is when proactivity meets protection. During a response, limiting impact and executing recovery are the most important things. Retailers should have comprehensive incident response plans that should be tested regularly, with all parties not just the Incident Response (IR) & Security Operations Centre (SOC) teams. Retainers are necessary if not housing your own IR staff (don’t underestimate the skills required). Trying to contract during a breach is not ideal and it may stall your recovery.

The cost of having an robust Incident Response Plan (IRP) with strong security operations, business continuity, disaster recovery and incident response capabilities packaged up is lower than paying ransomware, not to mention the devastating impact of the loss of customer trust. In contracts, building trust though transparency with your clients can be a value-add and helps to reduce the customer “trust impact” of a breach.

5. Plugging the security skills gap in your organization
Like many other sectors, retailers are suffering from a lack of in-house security skills. According to Forrester, 79% of retail and consumer product companies from the Fortune 500 have a dedicated CISO, but the study also shows that CISOs seek external opportunities rather than waiting in line to be promoted, resulting in a talent drain.

To address the skills gap, look at helpdesk and support staff – people that already have a technology background as potential security staff. Give your internal employees an enterprise path and a way to build out your security capability. Hire entry level security staff and invest in them. In cybersecurity, often it’s critical to look at the ability to do the work rather than experience with it and antiquated hiring practices will have retailers missing out on great security staff.

This also means revaluating your roles and job descriptions, ensure you are asking the right requirements for the right roles and not creating “unicorn” positions. If you’re unsure, engage with a third party (like Avanade) to help evaluate your staffing model and security operations.

It’s hard to overstate the seriousness of security for retailers and it’s essential to stay ahead.

Visit this page, if you’d like more information or contact us to talk to someone on our security team.