April 2023

The Evolution of Cybersecurity: A CISO's Insights for Retailers

As a retailer, you know that your cyber security needs are unique. You need to protect sensitive customer data and financial information, and you must also ensure that any online transactions are secure. For both you and your consumers, increasing instances of fraud present growing risks. That's why it's so important to have the right IT security protocols in place. In this article, we’re discussing some of the key points retailers should consider when it comes to IT security with Dr Kevin Tham, Chief Information Security Officer here at etika.

Thanks for joining us, Dr Kevin! Data breaches are all across the news at the moment. How can retailers protect themselves and their customers?

Data protection is one of the most important aspects of IT security for retailers. The two main questions a retailer should ask themselves are: what customer information do I really need to collect and keep, and where do I store my customers’ information?

Collecting only the key customer information is an important strategy because the less customer information you have, the less you need to worry about protecting it. Of course, collecting customer information is unavoidable in a lot of business activities; however, you should always evaluate what your business needs are for storing your customer information, and delete the customer information as soon as you can. Minimising the amount of data collected and stored naturally minimises the amount of cyber risk.

The next strategy is to be very clear where you are storing this information. Having this knowledge helps with 1) understanding how you keep the information safe when handling it and 2) understanding how you can protect customer information when storing it.

Protection of your customers’ information will be done through encryption. The only thing you need to know about encryption is 1) protecting your communication between your computer and the system where the customer information is stored (i.e. Transport Layer Security (TLS)) and 2) protecting your customers’ information when it is stored on the system (i.e. Advanced Encryption Standard (AES)). As a retailer, the most important thing you need to find out is if the IT systems and services you use have these 2 features. The topic of encryption goes much deeper, but understanding that you are using these 2 features will ensure good foundational cyber security for your business.

Staying resilient during a cyber incident is very important - are you able to recover if a cyber incident has happened? Backing up your information is another important aspect to ensure that your business stays resilient to a cyber incident. The UK National Cyber Security Centre (NCSC) has a great resource about backing up your business which is universally applicable. It contains detailed explanations as well as practical guides on how to back up.
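The two features Dr Tham names, TLS for the connection to the system holding customer records and AES for the records once stored, look like this in code. This is an added illustration written for this article, not code from etika or from the interview. It assumes the 32-byte key is supplied by a key management service rather than stored beside the data, uses the customer record identifier as additional authenticated data so a ciphertext cannot be silently moved onto another record, and the demo key and record are constructed values, not real customer data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// sealRecord encrypts one stored customer record with AES-256-GCM.
// Assumption: the 32-byte key is handed in by the caller (in practice a key
// management service) and is never written next to the data. recordID is
// bound in as additional authenticated data, so a ciphertext copied onto a
// different record fails to decrypt. Result layout: nonce || ciphertext || tag.
func sealRecord(key, plaintext, recordID []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: reusing a nonce under the same key
	// destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// openRecord reverses sealRecord and fails if the ciphertext, the tag or
// the recordID has been altered or the record was truncated.
func openRecord(key, sealed, recordID []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

// transportConfig is the client-side TLS policy for talking to the system
// that holds the records: certificate verification stays on (Go's default)
// and anything older than TLS 1.2 is refused.
func transportConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}
}

func main() {
	// Constructed demo key and record; not real customer data.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"name":"A. Example","email":"a@example.invalid"}`)
	sealed, err := sealRecord(key, record, []byte("customer-1001"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for %d bytes of plaintext\n", len(sealed), len(record))

	// The same ciphertext presented under another record id is rejected.
	if _, err := openRecord(key, sealed, []byte("customer-1002")); err != nil {
		fmt.Println("decrypt under wrong record id rejected:", err)
	}
	cfg := transportConfig("records.example.invalid")
	fmt.Printf("TLS minimum version: 0x%04x\n", cfg.MinVersion)
}
```

The check a retailer's IT provider should be able to answer is the same one the code makes explicit: records are unreadable without a key kept somewhere else, tampering is detected rather than silently accepted, and the connection carrying them refuses old protocol versions.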

Are there any ways that retailers can prevent their data from being accessed by unauthorised sources? 

There are many ways a cyber attacker can gain access to your information, but the most common is through malicious software (“malware”) which basically gives the cyber attacker access to your computer, and then in turn access to all the systems that you use.

To protect yourself against this, you have to do two things: turn on automatic updates on all your computers, and make sure you use an endpoint protection application, like antivirus or malware protection. Keeping your computer and applications updated can be an inconvenience, but if you delay the updates, the inconvenience will snowball. The best strategy is to let your computer update itself at the end of the business day to minimise inconvenience - just like how your motor vehicle needs an oil change, your computer needs to be maintained in a similar fashion.

You may have heard a lot of mentions about 2-step verification (2SV) or Multi-factor Authentication (MFA) in recent times, and for good reason. Enabling the use of 2SV/MFA on your accounts will drastically reduce unauthorised access to your online services, especially online services which you use to store your customer information. You are highly encouraged to enable this additional authentication method because, whilst initially it feels like “extra” steps you need to take, you will be extremely grateful for it during a cyber incident.

There’s always a lot more we can do in cyber security, but it is a lot to keep up with. So the good people in the Australian Cyber Security Centre (ACSC) and UK National Cyber Security Centre (NCSC) have both created treasure troves of information and guides on things small businesses can do (ACSC/NCSC). There are practical suggestions that you can use to improve your cyber awareness in your business, as well as at home.

What do you expect will be the next big IT security risk? 

I expect in the months to come, we’re going to see: 

  1. Even more data breaches - More data breaches will be reported, caused by organisations not securing their access (i.e. authentication) appropriately.
  2. Social engineering attacks with the aid of AI - The use of AI will mean that social engineering attacks, like phishing emails, will start to sound more convincing to their victims.
  3. More privacy-related regulations and bigger fines - Countries around the world will start to tighten up their regulations on citizen privacy and its associated regulatory fines and penalties.
  4. Unintended insider threats - Unintended data breaches which, whilst there is no ill intent, can lead to a malicious result. For instance, staff working in an unsecured location (e.g. a cafe) where their usernames and passwords are observed by a malicious actor.

How can consumers protect themselves against fraud?

There are a few things customers can do to minimise their fraud risk. First, be careful when shopping online and ensure that the websites you visit are secure. This can be done by looking for the “https://” at the beginning of the URL, which can indicate a secure connection. Using services like PayPal, Apple Pay or etika can be safer to complete transactions than entering card details directly.

Use a password manager to store all the various passwords you have. Using a paid password manager will give you the convenience of generating unique, secure passwords for all your different online accounts and maintaining your MFA settings, and some will even alert you if your account is compromised! Using a password manager will then allow you to set a strong passphrase to protect all your accounts.

Be aware of phishing scams such as emails or text messages asking for personal information such as banking details or passwords. Resources like the ACSC and UK NCSC typically share details about recent phishing scams.

What should a consumer do if they suspect they have been a victim of fraud? 

Consumers should immediately change their passwords to prevent further access to their accounts and report any breached accounts to the provider as soon as possible.

If the fraud involves bank accounts, credit cards, or other financial accounts, the consumer should contact their financial institution as soon as possible to report the fraud. 

If the fraud involves identity theft, the consumer should contact the major credit bureaus (such as Equifax, Experian, and TransUnion) and request a fraud alert be placed on their credit report. This can help prevent new accounts from being opened in the consumer's name.

For more specific advice, please refer to the Australian Competition and Consumer Commission (ACCC) Scamwatch site or the UK National Cyber Security Centre site on detailed steps you can take to report, recover, and monitor your situation.

Thank you so much Dr Kevin for your insights!
