Aligning Cybersecurity to Retailer Requirements
For many retailers, building an all-encompassing cybersecurity overview and plan can be a daunting undertaking. This is where a tiered or flexible approach to securing enterprise systems and data can be an effective strategy, enabling a business to focus initially on protecting essential assets and then expand the scope of protection to address the company’s evolving needs.
Here, we outline a three-tiered approach to cybersecurity that any retailer can employ to manage equipment and personnel costs, as well as implementation and training, ultimately yielding a companywide security posture designed to meet business objectives.
| Scope of Protection | |
| --- | --- |
| Level 1 – POS solutions | P2PE or POS-dedicated Firewalls |
| Level 2 – Manager PC | Antivirus, EDR, MDR, and/or EPP |
| Level 3 – Whole Store | |
Level 1: Securing the POS through P2PE or Dedicated Firewalls
For many retailers, the cybersecurity journey begins with protecting the Point of Sale (POS) system. Today, many POS systems include Point-to-Point Encryption (P2PE), which allows the system to run securely on any open internet connection. Validated P2PE solutions, which include additional operational processes and documentation, also reduce the retailer’s Payment Card Industry (PCI) scope, dramatically cutting the assessment effort from a few hundred questions to dozens. However, P2PE solutions only protect the POS and not the other internet-connected devices in the store.
For systems that do not support P2PE, the POS supplier may provide a firewall service as part of the solution or require the retailer to deploy separate cybersecurity solutions to protect the POS system. Like P2PE solutions, POS vendor-supplied firewall solutions may only protect the POS and not cover the rest of the store. The POS vendor’s priority is protecting the POS; they will not typically accept responsibility for safeguarding the rest of the store’s network or devices.
Level 2: Securing the Store Manager PC
As a retailer becomes more digitally dependent, the store manager’s PC can also become an attractive target. How many retailers depend on the store manager’s PC to run their business, manage their employees, track inventories, and more? Ransomware attacks are particularly challenging because not only may the retailer lose access to the store manager’s PC, but customer and employee data may also be compromised, destroying trust and, in some cases, requiring public notifications.
An effective way to secure the store manager’s PC is with a software agent. While basic anti-malware and antivirus software is often installed by default on most PC solutions, it is the end user’s responsibility to deal with alerts and attacks, and software subscription services must be maintained. Instead of self-managing the cybersecurity solution, retailers may outsource the daily operational responsibilities to managed service providers, which offer various cybersecurity services to protect the store manager’s PC, including:
- Endpoint Detection and Response (EDR) service to provide real-time alerts when cyber-attacks occur;
- Managed Detection and Response (MDR) for expert services to defend the retailer in the event of an attack;
- Extended Detection and Response (XDR) to integrate the PC software agent in a meshed cybersecurity platform; and
- Endpoint Protection (EPP) to provide expanded capabilities to protect against zero-day and ransomware attacks.
Level 3: Securing the Store’s IoT and Other Network Devices
For retailers (and even restaurants) delivering a digital customer experience, cybersecurity concerns are not limited to the POS and the store manager’s PC. Any device with a networked connection becomes a potential threat vector, including Wi-Fi access points, digital signage players/TVs, temperature sensors, video surveillance cameras, hand scanners, and other Internet of Things (IoT) devices. In these situations, retailers need to segment the store network traffic by the trustworthiness of the devices. Segmentation isolates malicious traffic and reduces the attack surface. Corporate devices belong to one segment, trusted business partners belong in another, and everything else can be placed in an open, third network segment. In addition to segmenting traffic, a managed firewall can provide another layer of defense for protecting the store’s digital technologies from the dangers of the open internet.
This is just one example of how a flexible approach to cybersecurity enables the retailer to make measured investments in its cyber defenses to align with evolving business needs and opportunities.
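To make the three-segment model under Level 3 concrete, the following added example (not part of the original article) audits flow records against a segmentation policy and reports traffic that crosses between store segments. The subnets, the record format, and the strict "no cross-segment traffic" policy are assumptions chosen for illustration.

```python
import ipaddress

# Assumed (hypothetical) store addressing plan: one subnet per trust segment.
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.10.10.0/24"),  # corporate devices
    "partner": ipaddress.ip_network("10.10.20.0/24"),    # trusted business partners
    "open": ipaddress.ip_network("10.10.30.0/24"),       # everything else
}

def segment_of(addr):
    """Return the segment name for an address, or 'internet' if outside the store."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

def is_allowed(src_seg, dst_seg):
    """Assumed policy: a flow may stay inside its own segment or go out to the
    internet. Nothing crosses between store segments, and nothing is initiated
    from the internet into the store."""
    if src_seg == "internet":
        return False
    return dst_seg in (src_seg, "internet")

def audit(flow_lines):
    """Return (src, dst, port, src_seg, dst_seg) for each flow violating the policy."""
    violations = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        src, dst, port = line.split()
        s, d = segment_of(src), segment_of(dst)
        if not is_allowed(s, d):
            violations.append((src, dst, int(port), s, d))
    return violations

# Constructed sample flow records, one per line: "initiator responder dst_port"
SAMPLE_FLOWS = """
10.10.10.5 203.0.113.10 443
10.10.30.77 10.10.10.5 445
10.10.20.8 10.10.20.9 8080
10.10.30.12 198.51.100.4 443
10.10.20.8 10.10.10.21 3389
""".splitlines()

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("cross-segment flow: %s -> %s port %d (%s -> %s)" % v)
```

Run against flow logs exported from the store firewall or switch, any reported line indicates either a misplaced device or a firewall rule that lets segments reach each other.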