by Steve Weil — November 21, 2016

As retailers get ready for the 2016 holiday season, they must also prepare for and prevent cybersecurity incidents. Over the past several years, many retailers have suffered high-profile cybersecurity breaches that have led to financial costs, customer concern, and loss of reputation and goodwill.

Here are some fundamental ways your retail organization can prepare for and prevent a cybersecurity breach.


“By failing to prepare, you are preparing to fail.” Benjamin Franklin

Create a device and software inventory

You can’t protect what you don’t know about. Create and maintain an inventory that identifies and documents every device, and the software installed on it, that has access to your organization’s network; be sure to include store systems. The inventory should identify each device’s network address and physical location. This will enable you to identify and remove unauthorized systems and software from your network and allow you to quickly determine whether a particular security vulnerability is relevant to your organization's systems.
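The two uses of the inventory described above, spotting systems that are not on it and deciding whether an advisory applies to you, are easy to automate once the inventory records network address, location and installed software versions. The following is an added example (not from the original post); every device, address, MAC and advisory in it is constructed sample data, and the "discovered" list stands in for the output of whatever network scan or discovery tool an organization actually runs.

```python
"""
Reconcile a network scan against the authorized device/software inventory,
and work out which inventory entries a vulnerability advisory applies to.
Added example: devices, addresses and the advisory are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Device:
    hostname: str
    ip: str
    location: str                                  # physical location
    software: Dict[str, str] = field(default_factory=dict)  # product -> version


# Constructed authorized inventory: what is supposed to be on the network
INVENTORY: List[Device] = [
    Device("pos-12-01", "10.12.0.21", "Store 12, register 1",
           {"pos-app": "4.2.1", "os": "7.1"}),
    Device("pos-12-02", "10.12.0.22", "Store 12, register 2",
           {"pos-app": "4.3.0", "os": "7.1"}),
    Device("hq-db-01", "10.1.0.10", "HQ data center, rack 3",
           {"db-server": "12.0.4"}),
    Device("sw-12-core", "10.12.0.1", "Store 12, wiring closet",
           {"switch-fw": "2.8"}),
]

# Constructed scan result: (ip, mac) pairs actually seen on the network
DISCOVERED: List[Tuple[str, str]] = [
    ("10.12.0.21", "aa:bb:cc:00:00:21"),
    ("10.12.0.22", "aa:bb:cc:00:00:22"),
    ("10.12.0.1", "aa:bb:cc:00:00:01"),
    ("10.12.0.77", "de:ad:be:ef:00:77"),   # not in the inventory
]


def version_key(v: str) -> Tuple[int, ...]:
    """Turn '4.2.1' into (4, 2, 1) so that versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def find_unauthorized(discovered, inventory) -> List[Tuple[str, str]]:
    """Addresses seen on the network that no inventory record accounts for."""
    known = {d.ip for d in inventory}
    return [(ip, mac) for ip, mac in discovered if ip not in known]


def find_missing(discovered, inventory) -> List[str]:
    """Inventory devices not seen on the network (offline, moved, or stale)."""
    seen = {ip for ip, _ in discovered}
    return [d.hostname for d in inventory if d.ip not in seen]


def affected_by(advisory: Dict[str, str], inventory) -> List[Tuple[str, str]]:
    """Devices running the advisory's product below the fixed version."""
    product = advisory["product"]
    fixed = version_key(advisory["fixed_in"])
    return [(d.hostname, d.location) for d in inventory
            if product in d.software
            and version_key(d.software[product]) < fixed]


if __name__ == "__main__":
    print("unauthorized:", find_unauthorized(DISCOVERED, INVENTORY))
    print("not seen:", find_missing(DISCOVERED, INVENTORY))
    advisory = {"product": "pos-app", "fixed_in": "4.3.0"}   # constructed
    print("affected:", affected_by(advisory, INVENTORY))
```

Both directions of the reconciliation matter: an address that is on the wire but not in the inventory is a candidate rogue or forgotten device, while an inventory record with no live device behind it is a sign the inventory itself has gone stale and needs maintaining.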

Create a data inventory

Regularly identify and document how sensitive data (e.g. payment card information, personally identifiable information, intellectual property) flows into, through and out of your organization. This will enable your organization to focus its time, effort and money on protecting its sensitive data.

Establish a backup strategy

While often not seen as a security control, a well-established and regularly tested backup strategy is one of the most important ways an organization can prepare for a cybersecurity incident. Compromised information systems often need to be rebuilt from backed-up data. Maintaining good backups will also help protect your organization against the fast-growing threat of ransomware, in which cybercriminals use encryption to “lock” computer data and then demand payment to decrypt it.

Your organization’s backup strategy should clearly define what data needs to be backed up, how frequently the backups need to occur and where the backups should be stored.
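"Regularly tested" is the part of the backup strategy that most often gets skipped, and a backup that has silently been corrupted or encrypted is no better than none when a system has to be rebuilt. The following added example (not from the original post, and not any vendor's backup tool) shows one simple way to make that test routine: record a manifest of file hashes when the backup is taken, then verify the backup copy against the manifest before relying on it. The sample files and directory names are constructed; a real deployment would store the manifest separately from the backup it describes.

```python
"""
Backup integrity check: build a manifest of SHA-256 digests at backup time,
then verify a backup copy against it before trusting it for a rebuild.
Added example with a constructed sample data set.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest: Dict[str, str], backup_root: Path) -> List[str]:
    """Return a list of problems; an empty list means the backup matches."""
    problems: List[str] = []
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"corrupt: {rel}")
    # Extra files do not block a restore, but they show the copy is not
    # what was recorded, so they are reported too.
    for p in backup_root.rglob("*"):
        if p.is_file() and str(p.relative_to(backup_root)) not in manifest:
            problems.append(f"unexpected: {p.relative_to(backup_root)}")
    return problems


def demo_round_trip() -> Dict[str, List[str]]:
    """Create sample data, back it up, verify, then simulate damage and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "pos-data"
        (src / "store12").mkdir(parents=True)
        (src / "store12" / "sales.csv").write_text("constructed sample row\n")
        (src / "config.ini").write_text("[pos]\nversion=4.2\n")
        manifest = build_manifest(src)

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        clean = verify_backup(manifest, backup)

        # Simulate silent corruption (or ransomware encrypting the copy)
        # and loss of one file, as a restore test would have to catch.
        (backup / "store12" / "sales.csv").write_bytes(b"\x00not the data")
        (backup / "config.ini").unlink()
        damaged = verify_backup(manifest, backup)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for label, problems in demo_round_trip().items():
        print(f"{label}: {problems or 'OK'}")
```

Running the check on a schedule, and treating any non-empty result as an incident in its own right, turns "regularly tested" from an intention into something that actually happens.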

Develop a security incident response plan (SIRP)

As unpleasant as it is to think about, you should assume that your organization will have a cybersecurity breach. A documented SIRP that is specifically designed for your organization will make it easier for you to launch a rapid and well-coordinated response. At a high level, your SIRP should include:

  • A description of the employees who are on the security incident response team (SIRT).
  • Specific guidelines (e.g. when law enforcement should be notified) and procedures that the SIRT will follow.
  • Information about external resources (e.g. a computer forensics firm) available to the SIRT.

Be sure to test your SIRP regularly, at least annually.


“An ounce of prevention is worth a pound of cure.” Benjamin Franklin

Implement strong access controls

Grant access to sensitive data and information systems on a least privilege basis. Only those employees who must have such access in order to do their jobs should be given access. For example, there is likely no reason a store cashier needs direct access to information systems that store payment card information or PII.

Whenever possible, require multi-factor authentication (something you know plus something you have) for access to information systems that process, transmit and/or store sensitive data.
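The two rules just described, least privilege and multi-factor authentication for systems holding sensitive data, come together naturally in a default-deny access check: a role must be explicitly granted a system, and sensitive systems additionally require that the session's second factor has been completed. The following is an added example (not from the original post); the roles, systems and users are constructed, and the grant table stands in for whatever directory or identity system an organization actually uses.

```python
"""
Default-deny access decisions for sensitive retail systems: a role must be
explicitly granted a system, and systems that hold payment card data or PII
also require a completed second factor. Added example; roles, systems and
sessions are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed classification: systems that process or store sensitive data
SENSITIVE_SYSTEMS: FrozenSet[str] = frozenset({"card-vault", "customer-db"})

# Constructed role grants; any role/system pair not listed is denied
ROLE_GRANTS: Dict[str, FrozenSet[str]] = {
    "cashier": frozenset({"pos-terminal"}),
    "store-manager": frozenset({"pos-terminal", "scheduling"}),
    "payments-analyst": frozenset({"card-vault", "reporting"}),
    "dba": frozenset({"customer-db", "card-vault"}),
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_verified: bool   # second factor ("something you have") completed


def authorize(session: Session, system: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Access is denied unless every check passes."""
    granted = ROLE_GRANTS.get(session.role, frozenset())   # unknown role -> nothing
    if system not in granted:
        return False, f"role '{session.role}' has no grant for '{system}'"
    if system in SENSITIVE_SYSTEMS and not session.mfa_verified:
        return False, f"'{system}' holds sensitive data; MFA required"
    return True, "granted"


def roles_with_sensitive_access() -> Dict[str, List[str]]:
    """Which roles can reach sensitive systems, for periodic least-privilege review."""
    return {role: sorted(systems & SENSITIVE_SYSTEMS)
            for role, systems in ROLE_GRANTS.items()
            if systems & SENSITIVE_SYSTEMS}


if __name__ == "__main__":
    requests = [
        (Session("c.lee", "cashier", True), "card-vault"),
        (Session("a.ng", "payments-analyst", False), "card-vault"),
        (Session("a.ng", "payments-analyst", True), "card-vault"),
        (Session("tmp", "contractor", True), "pos-terminal"),
    ]
    for session, system in requests:
        allowed, reason = authorize(session, system)
        print(f"{session.user:>6} -> {system:<12} {'ALLOW' if allowed else 'DENY '} ({reason})")
    print("review list:", roles_with_sensitive_access())
```

The review function is the part that keeps "least privilege" true over time: the set of roles that can reach sensitive systems should be small, known, and re-confirmed on a schedule rather than allowed to grow as people change jobs.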

Promptly patch systems and applications

Every missing patch is a “hole” that could allow unauthorized access to your network. Regularly patch your organization’s information systems and software applications. Don’t forget to patch your network devices (e.g. routers, switches).

Patching is best done via a patch management system that allows patches to be tested, prioritized and consistently deployed. Your organization should also regularly scan its information systems, including store systems, for vulnerabilities that may have been missed by the patch management system.

Educate your employees

Properly trained, employees can be an organization’s front-line defense against cyber threats. Cybersecurity is not just an IT issue. Implement a cybersecurity training and awareness program that teaches all employees how to recognize common cyber threats and whom to notify when they see such threats.

Your training program should:

  • Emphasize that cybersecurity is an important priority for your organization’s senior management and that each employee has a responsibility to protect the organization’s data and information systems. The training should also explain how good cybersecurity practices can help protect the sensitive data of employees and their families.
  • Educate employees about how to avoid common cybersecurity risks such as phishing, social engineering, unsafe Internet browsing and using unauthorized software.
  • Explain how to physically protect laptops, mobile devices and digital storage media, as well as when and how to use encryption.
  • Encourage employees to report suspicious activity. All employees should know when and how to report suspicious activity on their information systems.

Following the above tips will leave your organization better prepared for, and better able to prevent, cybersecurity incidents.