As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Charlie Gero of Akamai Technologies examines the threat cyber-criminals pose in the retail realm and how to develop zero trust security against these attackers.
Online retailers have long been vigilant about bots bent on snatching up must-have goods and committing credential abuse, especially for loyalty programs. But now cyber-criminals are going a step further, attempting to directly disrupt retailer operations and infrastructure with ransomware and other devastating attacks. That means anyone who has access to a retailer’s applications, including legitimate customers, can become an attack vector and a security risk.
The scariest part? Most retailers are not prepared to counter these attacks.
Zero Trust Security, Strategy, and Teamwork in the Retail World
The New Reality: Trust No One
This new threat landscape requires a new security mindset based on three key realizations:
- Do not assume any user, customer, or employee can be trusted. The safest security posture can be gained by assuming all users are infected. Usernames and passwords can be just as important as credit card data, if not more so, and like credit card data, they can be stolen. So you must not trust a user just because of their location or because they have logged in before. Always verify: every user, every time.
- Assume that, sooner or later, a threat will get past your defenses. Advanced prevention technologies are absolutely essential, but they are not foolproof. At some point, an attacker will get in. You must complement these preventive mechanisms with mitigation measures designed to stop a security breach from spreading once it has occurred. Without both strong prevention and mitigation, you are only addressing half of the security challenge.
- Recognize that the first security breach is just the beginning of the threat. Cyber-criminals often target a relatively benign corner of your infrastructure for their initial intrusion, then move to the high-value data. The faster you can locate a breach, the better chance you have of blocking the more damaging secondary impact.
Beefing Up Your Security Strategy
Shoring up your defenses to address these realities is more critical than ever. But where do you start? First, confirm that you have your basic prevention measures in place, including appropriate firewalls and anti-virus protection, and ensure they are kept up to date. Then consider these additional best practices to strengthen your risk mitigation strategy, starting with the easiest to implement and maintain:
- Multi-factor authentication (MFA). Requiring multiple authentication factors can be an effective first step, one that provides protection for a huge attack surface: credentials. MFA is relatively easy to stand up and maintain. If you aren’t doing it, you are behind the curve.
- Zero trust network access (ZTNA). Slightly more complex than MFA, ZTNA provides more sophisticated identity verification using additional context and policy-based access controls. This limits what an attacker can access through a valid user’s machine if it is compromised. It offers the additional advantage of minimizing the impact on the end-user experience. ZTNA can be configured to feel like a VPN, creating a user experience that is familiar to your employees—while helping prevent attacks.
- Microsegmentation. This strategy involves logically dividing your network into distinct segments with security controls for each segment. This makes it difficult for malware to spread via lateral migration, a common tactic used by cyber-criminals. While retailers are already generally required to segment data for PCI compliance, this is just a starting point. Implementing more granular microsegmentation is crucial to prevent the spread of malware to high-value data. While this is more complex than MFA or ZTNA, a modern microsegmentation provider can help implement a solution with minimal additional work on your part.
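The difference between PCI-style segmentation and granular microsegmentation can be measured as blast radius: which segments a foothold in one segment can reach by following allowed flows hop by hop. The sketch below is an added example, not part of the original column; the segment names and allow rules are constructed assumptions for a hypothetical retailer.

```python
from collections import deque

# Constructed segment names for a hypothetical retailer (assumptions).
SEGMENTS = ["guest_wifi", "store_pos", "web_frontend", "loyalty_api",
            "payment_gateway", "cardholder_db", "corp_workstations"]

# Flat network: every segment may connect to every other segment.
FLAT = {(s, d) for s in SEGMENTS for d in SEGMENTS if s != d}

# Coarse PCI-style segmentation: the cardholder data environment (CDE) is
# fenced off, but everything outside it is still one flat zone.
CDE = {"payment_gateway", "cardholder_db"}
PCI_ONLY = {(s, d) for s, d in FLAT if s not in CDE and d not in CDE}
PCI_ONLY |= {("store_pos", "payment_gateway"),
             ("web_frontend", "payment_gateway"),
             ("payment_gateway", "cardholder_db")}

# Microsegmentation: default deny, only the flows the business needs.
MICRO = {("web_frontend", "loyalty_api"),
         ("web_frontend", "payment_gateway"),
         ("store_pos", "payment_gateway"),
         ("payment_gateway", "cardholder_db")}


def blast_radius(allowed, start):
    """Segments reachable from a compromised `start` via allowed (src, dst) flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in allowed:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def exposed_from(allowed, target):
    """Segments whose compromise gives a path, direct or multi-hop, to `target`."""
    return sorted(s for s in SEGMENTS
                  if s != target and target in blast_radius(allowed, s))


if __name__ == "__main__":
    for name, policy in [("flat", FLAT), ("pci_only", PCI_ONLY), ("micro", MICRO)]:
        reach = sorted(blast_radius(policy, "corp_workstations"))
        print(f"{name:9} corp_workstations can reach: {reach}")
        print(f"{name:9} paths to cardholder_db from: "
              f"{exposed_from(policy, 'cardholder_db')}")
```

Under the PCI-only policy every segment still has a multi-hop path to the cardholder database; under the allow-list policy only the three segments that process payments do, and those are where the tightest monitoring belongs.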
Building Support for Zero Trust Security
As with any investment in your organization’s infrastructure, you need a plan for securing buy-in and budget for these needed security enhancements. Start by identifying your potential vulnerabilities. Engage a “red team” to perform a thorough assessment of your systems and produce a report that clearly shows decision-makers the “soft points” in your organization that need to be addressed. In addition, you can evaluate your market space and look at examples of other organizations that have been hit by a ransomware attack or security breach. It’s likely only a matter of time before you will be targeted as well. Use the experiences of others to highlight how your organization can do better.
Finally, engage your trusted network and security vendors. They will have information, informed by broad industry context and experience, that can help you build the business case for upping your security game. Creating safe and convenient online experiences for your customers is essential for retail growth and profitability today. Enhancing your security posture with advanced zero trust strategies will help keep the criminals at bay and ensure those customers keep coming back in the future.
- Every Connection is a Ransomware Risk: Zero Trust Security for Retail - September 20, 2022