Identifying Retail Concerns Around Cyber Security

July 12, 2017 | Retail
By: Sarah B.
Sarah B. came to Acuity this year with a background in retail. She studied Interior Architecture in college and completed an online business education program through Harvard Business School. She also has a wide range of commercial insurance experience and has earned her Associate in General Insurance (AINS), Associate in Insurance Services (AIS), and Chartered Property Casualty Underwriter (CPCU) designations. This made her the perfect addition to the Acuity Mercantile team. If she could travel anywhere in the world, she would return to Italy. She spent three weeks there during college studying architecture and design and has wanted to go back ever since.

Securing your digital assets is a hot topic, and while accepting EMV is a great first step, it isn’t the only thing you can do to protect your business, customers, and employees from cyber threats.

Below is a list of other threats to be aware of and how you can protect yourself from them.

Social media

  • People are on social media or have access to it constantly. In light of PR nightmares stemming from social media, it is not enough to just trust your employees to have common sense when it comes to the reputation of your business.
  • Create a social media policy that details what is appropriate for employees to share about your business and enforce it. Include appropriate use of your business name when expressing personal opinions, the sharing of sensitive information, what is OK to post on social media in a company uniform, and whether company equipment can be used for personal social media.
  • If you authorize employees to post to your business social media accounts from their personal devices and they leave a device unlocked, anyone with access to it could pick up their phone, tablet, computer, etc. and post as your business. We’ve all seen “hacked” accounts where someone picks up someone else’s phone and posts a status or sends a tweet that is uncharacteristic of the user or inappropriate. That could be damaging to your brand if it happened to your company account.
  • Be careful about who is allowed to access your company social media sites and make sure they’re trained on appropriate use.

Phishing

  • One of the biggest ways attackers gather information is through phone impersonation. They may call and say they’re from a security company and need to verify information before they can fix something. Email phishing is another popular way to access systems. The most common form is through requests for surveys to be completed. They promise prizes and rewards for filling out information, which entices employees to click.
    • Make sure your employees know not to share sensitive information over the phone or by email.
    • Send mock phishing emails so you can see where the weak points are within your own organization.
  • Spearphishing is a form of phishing that is hyper-targeted. An example of this would be an attacker sending an email meant to look like it’s coming from you and requesting sensitive information from your employees. For example, YourName@gmail.com sends your employees an email saying you got locked out of your normal account and need them to send you passwords or other information.
  • Ensure your employees understand you will never ask for sensitive information over email.

Physical Threats

  • Not all threats come through email. Attackers sometimes leave thumb drives or CDs in places they know employees will find them. They are often labeled things like “salary information” or “sensitive” to try to entice people to put them in machines.
  • Train all employees to never insert anything into company equipment without knowing where it came from.

Humans tie all of these threats together. Humans are vulnerable and the easiest access point into your business. You can pay for a firewall to protect your systems against malware, but there’s no way to pay to keep a curious employee from clicking on a phishing scam that ends up in front of them. Training your employees and conducting preparedness exercises can help reduce your risk of cyber threats.
