Retailers know the risks from cyber threats. According to Fortinet, the retail industry has become the top target for cybercriminals, with 24 percent of all cyberattacks targeting retail organizations. Just a small initial breach can lead to massive losses due to fraud, account takeovers, malware, ransomware, and compromised data.
Whether retailers are in Canada or the US, it’s important that they think about their physical security systems in the overall framework of cybersecurity. But because physical security systems are put in place to protect people and assets, they’re often overlooked as a source of cyber-vulnerability.
To raise the visibility of this issue that is fairly common across borders, we’re sharing guidance that retailers can use to protect physical security systems from cyber intrusions.
Know Your System’s Cybersecurity Tools
Any device connected to a retailer’s physical security network—whether it’s a smart Internet of Things (IoT) thermostat, an access control sensor, or a laptop—is a potential gateway for cybercriminals to access private data.
The good news is that physical security systems are often designed and built with cybersecurity capabilities in mind. Top manufacturers embed cyber resilience into every aspect of their system design. Make sure that your vendors include features such as advanced encryption, dedicated networks, and automated health monitoring of software and devices.
Unified physical security platforms are especially useful for cybersecurity protection because they allow your security team to monitor all connected security devices at the same time. From a single interface, you can track activity related to video monitoring, access control, license plate recognition, and other security functions. Built-in dashboards make it easy to monitor firmware status and cybersecurity measures, while automated security policies and scheduled compliance reduce the potential for breaches. A single interface also helps coordinate cybersecurity measures more easily with the information technology (IT) department, a key partner in managing defenses against cyberattacks.
While your physical security system likely has sophisticated cybersecurity capabilities, it’s important to also document your vendor’s practices and strategy, particularly for dealing with evolving cyber threats. Be sure they have ongoing strategies and updates that are communicated to you clearly and regularly. Take every step that you can to tap into the full power of your physical security system’s built-in cyber protections.
Be Alert to Third-Party Solutions and Emerging Technologies
Retailers aren’t just at risk from cyberattacks aimed directly at them. Any third-party device connected to the internet has the potential to open a vulnerable network gateway and insert malware or ransomware.
The National Defense Authorization Act (NDAA) has blacklisted some brands of surveillance cameras and digital video recorders (DVRs) because of known vulnerabilities. It’s a good practice to follow their lead on these cybersecurity protocols.
Software data exchanges with suppliers can also be prone to attacks. You’ll want to have a supply chain risk management strategy in place to work with third parties that exchange data with your physical security systems. While changes to your supply chain occur, you should take the time to evaluate third parties for their cybersecurity protections.
The same approach holds true when exploring new solutions based on emerging technologies. Ask vendors if they prioritize cybersecurity in the development of their physical security products. Confirm they have a comprehensive strategy to close security gaps and vulnerabilities.
Don’t Ignore the Human Factor
According to Verizon’s 2023 Data Breach Investigations Report, 74 percent of data breaches involved a human element, including social engineering and errors. The sources of these breaches are increasingly complex and difficult to detect. While mistakes happen, keeping an eye out for unusual communication requests is crucial.
User education—starting with onboarding and continuing at regular intervals—helps keep your employees aware of the warning signs of social engineering ploys. This may include requests for passwords, information related to finances, requests for personal information, or suspicious links and files.
Employees who adopt a “think before you click” approach can prevent using links or messages that lead to costly cybercrime. A well-trained employee is in the best position to identify, deter, and report cyber intrusions from social engineering. This human defense is a form of teamwork that goes a long way to help prevent losses.
Maintain Your Cybersecurity on an Ongoing Basis
Cybersecurity threats are constantly evolving. It’s important to stay informed and be prepared to adapt your approach.
- Get to know all the cybersecurity protections your physical security system offers and take advantage of them. Understand how your vendor handles updates for new threats.
- Work with reputable third parties, particularly for devices and software that exchange data with your network. Check that these vendors use best practices and strategies for cybersecurity in their own systems.
- Give your employees the training they need to recognize, deter, and report potential cyberattacks. They are often your first, and most important, line of defense.
The highest level of resilience against cyber threats isn’t achieved alone. It happens when everyone involved commits to upholding best practices–from vendors to employees.