Retailers love the Holidays and so do Hackers
People spend a lot of money over the holidays. For retailers, this means an increase in customers, and the “holiday rush” often necessitates hiring temporary holiday staff to handle everything in a timely manner.
This influx of customers invariably results in a very happy holiday as far as retailer profitability is concerned.
For hackers, the increase in customer data at easily infiltrated businesses makes for a felonious festive feast.
Why exactly are retailers more susceptible to attacks over the holidays? There are many reasons, but here are three specific ones you should plan for this holiday season.
1. More financial information, more problems.
If a business is handling more customers, naturally it will be handling more financial data. Those extra customers aren’t all paying cash for their purchases, and that means the secure networks used to process those transactions may get bogged down with more traffic than they were designed to handle… and what do employees do when the regular, approved methods aren’t working well?
Why, they work around the system of course. Some employees might feel that they can improve the speed of the sluggish system by making changes to what is otherwise a secure network, or perhaps they would allow an unscheduled “technician” access to the server room to “fix” the issue without confirming their identity or the legitimacy of the visit.
If the systems go down for any reason, standard procedures that protect customer data could go out the window entirely. Cashiers might be manually recording payment card info, on paper, left out in the open for anyone to see or take.
How you can help:
If you know your system will be bogged down over the holidays, a good place to start is by improving your infrastructure. In addition, you should have security training sessions with your employees prior to the holidays. They need to know the critical importance of following the standard procedures, as security won’t be a top priority if you don’t make it one.
2. Haste makes waste.
When people are in a rush, mistakes are made. This applies to both customers and employees alike. Whether it’s an employee leaving their POS terminal unlocked when they rush to take their break, or a customer unguardedly revealing their credit card information because they simply want to be out of the store, mistakes are made that jeopardize the security of customer data. Additionally, because of how much will be going on, it would be easy to miss minor changes to any system. A sneakily replaced POS credit card reader might not draw suspicion for days, if not weeks, and a USB drive attached to a terminal may go undiscovered indefinitely.
When things are running at breakneck speed, small details often go ignored. Unfortunately, it might only take a small thing, like a USB drive, to compromise a retailer’s network, and with it the credit card information of an untold number of customers.
How you can help:
Lay down the rules and ensure your employees know that being busy is not a reason to rush. There’s no quick and clean way to protect cardholder data; the phrase is “quick and dirty” for a reason. Since the alternative is highly risky, slow and steady is the way to go.
3. Seasonal jobs are like a costume party.
If you wanted to steal credit card data from the customers of a store, would anything be more ideal than having it handed to you by your victims directly? Yes, if the store was paying you while you did it. Is it any wonder, then, that seasonal jobs, especially those in maintenance and as cashiers, are some of the most ideal for hackers to steal credit card information? As a cashier, a hacker would have unfettered access to point of sale terminals, while a member of the maintenance staff could frequently have access to rooms, like a server room, which most non-managerial staff members would lack.
Hiring temp workers can make the holiday rush go a lot smoother, but if the proper checks are not in place to monitor these temporary employees, you may wind up doing your business more harm than good.
How you can help:
Requiring a criminal records check for any new employee is a good place to start, but that’s not foolproof. The best thing you can do is set up your retail network in a way that monitors the activity of your end users. Your system should tell you if any changes have been made to the infrastructure, or if any login failures occur on systems on your network. Really, it all comes back to monitoring your employees to make sure they’re acting properly.
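As an added illustration (not part of the original article), here is a minimal sketch of the kind of check described above: it flags repeated login failures on a terminal and any peripheral attached to a POS terminal that is not on an approved list. The log format, event names, host names and device inventory are all constructed for the example; a real deployment would read these from your own logging system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp host EVENT key=value" format.
SAMPLE_LOG = """\
2023-12-20T10:01:05 pos-03 LOGIN_FAIL user=temp17
2023-12-20T10:01:40 pos-03 LOGIN_FAIL user=temp17
2023-12-20T10:02:10 pos-03 LOGIN_FAIL user=temp17
2023-12-20T10:03:00 pos-01 LOGIN_FAIL user=cashier2
2023-12-20T10:15:00 pos-01 DEVICE_ATTACH id=reader-A1
2023-12-20T10:20:00 pos-03 DEVICE_ATTACH id=usb-UNKNOWN9
2023-12-20T11:30:00 pos-01 LOGIN_FAIL user=cashier2
this line is malformed and is skipped
"""

# Assumed inventory of approved peripherals per terminal (hypothetical names).
APPROVED = {"pos-01": {"reader-A1"}, "pos-03": {"reader-C3"}}

def parse(line):
    """Split one event line into (timestamp, host, event, fields)."""
    ts, host, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), host, event, fields

def review(log_text, approved, max_fails=3, window=timedelta(minutes=5)):
    """Return alerts for failed-login bursts and unapproved devices."""
    alerts = []
    fails = defaultdict(list)  # (host, user) -> recent failure times
    for line in log_text.splitlines():
        try:
            ts, host, event, f = parse(line)
        except ValueError:
            continue  # skip blank or malformed lines
        if event == "LOGIN_FAIL":
            key = (host, f.get("user", "?"))
            # Keep only failures inside the sliding window, then add this one.
            fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
            if len(fails[key]) == max_fails:
                alerts.append(("login_failures", host, key[1]))
        elif event == "DEVICE_ATTACH":
            dev = f.get("id", "?")
            # A swapped card reader or stray USB drive shows up here.
            if dev not in approved.get(host, set()):
                alerts.append(("unapproved_device", host, dev))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG, APPROVED):
        print(alert)
```

Two widely spaced failures by the same cashier do not trigger an alert, while three failures within five minutes on one terminal do, which keeps the noise down during a busy shift.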
By this point, assuming you work in the retail sector, you’re probably concerned about how these risks may affect you this holiday season. If you’re in charge of, or oversee, the IT Security of a retail business, you should already know of the Payment Card Industry Data Security Standard (PCI DSS). Many don’t realize that, while you are required to be PCI DSS compliant, you should be improving your security above and beyond those minimum requirements. A breach could cost you hundreds of thousands of dollars, but the loss of customer trust is where it's really going to sting.