Friday, July 12, 2013

Retail IT Security

Introduction
In today’s world there is a lot of talk about security and big corporate businesses being hacked and losing who knows how much information. It surprises me how many small businesses get hacked but never get the media publicity, because the impact on the general public is not as severe. Retail security is lacking. That phrase says it all about our current retail environment. It is time to admit that our retail stores are most definitely a weak point for consumers’ credit cards to pass through. This is for many different reasons: old hardware kept in service to cut costs, not to mention hardware meant for your home being used in an office environment. Another issue is that there is normally no staff specifically hired for IT; the job falls to upper management. These upper managers just cannot juggle keeping up with their daily manager duties and keeping their store secure.

Offloading to 3rd party
What managers need is a way to focus on what they do best: manage. 3rd parties are great for many IT related tasks in retail, and what is great is that these tasks can be managed quite easily. As a disclaimer, there are many technologies that corporate businesses use that retail environments do not need to manage themselves.

One very large task is a webpage. Hosting a webpage from your own server is no easy task, let alone keeping it up to date and functioning. Hosting a webpage also opens your systems up to a whole range of security vulnerabilities, which puts more pressure on the upper management that has to deal with them.

There are many functions that don’t make sense in a retail environment. Domain controllers and multi-tiered routing systems for a retail chain, in most scenarios, just don’t make sense. I can see why failover is important for retail, but I cannot justify the cost of setting up these systems and then having to maintain them, all from one manager.

Email is another great function to offload: instead of hosting your own Exchange server, hand it to a 3rd party. All the security issues, spam, and everything else that comes with email are then sent to a 3rd party to work on, and all management has to do is manage.

Setting up policies and procedures
I am sure managers have been able to set up a policy that makes sure their tills are always on every day, or even more than that. What I am sure many managers haven’t done, however, is set up a policy or procedure for security. If someone steals an item, what are the specific steps for reporting the issue? Do your store employees confront the felon? If you can answer these questions, then take it a step further: what is your policy if your backup of all your customer info just got stolen? Do you even have systems in place to tell you the data was stolen?

It is coming to a point where retail stores, no matter how big, need someone or some service to make sure security policies and procedures are in place.

Staffing your IT department
It is probably safe to say that many retailers do not have any type of IT department. They are just too costly for retail to employ. As we have found out above, there is a need for retail IT departments. So what can retail do?

You can use professors from colleges who are looking for experience in the professional field. They are trustworthy, and usually you can get away with not spending very much on them. They have been teaching students the things your company needs, so they are knowledgeable and can find solutions for your retail setup.

You can use college students who are still learning and need experience. You will have to look for a trustworthy person, however. They will want benefits like college tuition pay.

Securing data transfers
Data for retail is money. Your customer database is also money, which many others would like to get hold of. Secure your data inside and out. Who are the people in your company who, if they brought a flash drive to work, could grab your entire database of customers and walk out the door with it? Is there any type of system, configured correctly, to prevent this? When was it last tested?

Secure backups and storage physically and digitally on and offsite
Backups are a great target for hackers. They are usually stored in places that are easier to get to than the live data. If your data is stored on site, make sure to secure that closet space. Find a place to store your database server where someone cannot simply walk into your offices and walk away with it.

I sure hope you have a system in place that is storing your files offsite, away from your location. This is a must if a major catastrophe occurs and you still want to do business afterwards. Any offsite backup should be encrypted and password protected with some huge password no one can ever guess. Only key people should know this password to your data. If the password is written down, then that written copy must be secured also. Storing your data on someone else’s server offsite, using the cloud or some other technology for backups, is a wonderful thing, as long as you make sure it is a reputable place and your data is encrypted and password protected before you transfer it to them. Any security they say they have should not be your only line of defense.

Small business setups vs home setups
I have seen many small retail businesses using home routers for their networks. A simple Linksys WRT54G handling your routing functions is not going to be a good defense. A great way to stay within budget on retail networking equipment is to use small business hardware. There are so many options and configurations that they are too difficult to cover in this blog. To make the correct decision for your company, use a service. There are many out there that can make those correct decisions for your company.


Keeping up with technology by research and slow implementation
Old technology is a key factor in why our retail stores are not secure. What is hard for a retail business, however, is justifying the cost of newer technology. A good rule of thumb on old technology: if it isn’t receiving updates from the manufacturer, or if the manufacturer says they no longer support that hardware, then it is time to buy newer (not to be confused with newest). Calling the manufacturer and asking about your hardware is a great way to tell if they still support it. If they have trouble even finding your hardware, that is probably a good indication you need an upgrade.

Your weakest point is the level your security is at currently
The best rule of thumb with security is this: your weakest point is the level your security is actually at. Even if you have some awesome SonicWall firewall and intrusion detection hardware, if someone can walk into your office and open your folder named “confidential”, then that firewall did no good. This is where audits and research come in. Sometimes it even takes outsiders to point out your security issues. If I might suggest something, it would be to use the connections you have with other retail companies. I am sure you have many, and they have many also. If we were to build a community of retail managers talking about how to lock your stores down, then you would be doing exactly what everyone else is doing: figuring out solutions to problems through community efforts.


Conclusion
Managers: do what you do best and manage. Find the solutions you need through community efforts and 3rd party services. Even though your efforts are not publicized like those of corporate businesses, you still have a major role in our community. You process consumers’ credit cards and store our personal data. When it comes down to it, that is exactly what the big guys are doing also. Keep up with security and find ways to offload your IT tasks to someone who can build your security up to standards.



I am currently an IT Manager for an amazing retail company. I have found that the best ideas come from those who specialize in that area. Even though my retail environment is small, I strive to make it just as secure as any big corporate office would be.

1 comment:

  1. Great post! Thank you so much for the share. It is indeed a helpful one. retail security guards