Visibility of the IT estate is vital for cyber security. However, in retail, it is not always easy - as a group of experts told us at a recent TEISS dinner roundtable.
Recent years have been challenging for the retail sector. Rising inflation has dented consumer confidence, while growing energy costs have made tight margins even tighter. And these difficulties have come hard on the heels of supply chain issues and disruption caused by the Covid-19 pandemic.
Many retailers have turned to technology as a solution. However, this has brought its own problems. Integrating new tools with legacy technology has been a challenge, and there is a constant race to provide the online tools and personalisation that customers demand. Most important is the need to keep it all secure and safe from cyber criminals.
This too has become more challenging in recent years, said Dan Jones, Senior Security Advisor, EMEA, for Tanium. Mr Jones was introducing a TEISS dinner briefing at the Brasserie of Light in London’s Selfridges department store, attended by senior security experts from a range of major retailers. He said that one way to manage risk is to increase visibility of endpoints across the IT estate.
Multiplying endpoints
Lack of visibility means a lack of control of what is happening on the network. Mr Jones said companies are managing more endpoints per person, as devices multiply. One staff member might be connecting to the network from a laptop, a tablet, a smartphone, and a watch, for example. And for retailers with a network of physical stores, there is the added complication that every port is a possible entry point for an attacker.
One attendee said a colleague at one store had spotted people loitering near an unattended store PC. When approached, one appeared to remove a USB stick from the machine. The cybersecurity team isolated the machine and found no evidence of an intrusion on the network. But it was a concern that the alarm was raised only because a member of staff happened to notice the suspicious activity.
Companies also must be aware of risks from their supply chain. For retailers, that could mean integrations with partners like payment providers, or cloud systems that allow in-store experts to help customers design a kitchen or order bespoke curtains. These are potentially vulnerable connections that must be protected.
Getting the message across
Gaining visibility is a challenge. One attendee said that he had been unable to convince the board of the need for a CMDB (configuration management database) that outlines the relationships between hardware, software, and networks within the estate. Even though the CMDB would have been relatively easy to build with existing tools, he said the board was not interested in making the time or money available.
That led to a conversation about how to convince the board that investment is needed. One attendee argued that the CISO needs to be on the board for precisely that reason. If cyber security is represented by the CIO or CTO then they must compete with other priorities to get a hearing at board level. Having the CISO on the board removes that conflict.
On the other hand, for that to work the CISO must be able to speak the board’s language, which usually means being more business-focused and less technical. That doesn’t come naturally to all CISOs. As an alternative, one attendee suggested raising issues with the audit committee, which can help get them the attention they need.
People and culture
As with many issues in cyber security, the challenge comes down to people, attendees agreed. Technology is a vital piece of the puzzle, but even automated tools need to be managed by a human who can act on their findings. Tools that provide visibility are useful, but it is also important to understand context. Knowing what you have and where it is matters, but it’s just as important to understand what those endpoints are doing and how you can control them.
Having the right people depends largely on budget - and in cyber security this is a particular challenge because there is a shortage of talent in the first place. But attendees identified a broader cultural issue too: people need to be trained in the right behaviours to uphold security. That can be a particularly acute problem in retail where, for example, security might depend on the observation skills of a 16-year-old who only works on Saturdays.
Attendees felt that greater cooperation within the sector could mitigate some challenges, as could working more closely with expert partners. Although a lot has changed in retail in recent years, the cyber security problems the sector faces are not new and the solutions to them are known. The challenge is one of implementation.
To find out more, please visit: www.tanium.com
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543