Being a year older and wiser doesn’t always mean avoiding old mistakes. The point-of-sale (POS) breaches that plagued retailers in 2014 are back with a vengeance this year, so far compromising data from health insurance agencies, food chains Zoup and Natural Grocers and causing third-party POS device manufacturer NEXTEP to launch a security investigation into its own devices.
The continued success of these breaches is disheartening for retailers. Most, if not all, of the companies affected had basic security measures in place when the breaches occurred and no doubt believed they were doing everything right. However, Dell discovered in its 2014 Global Technology Adoption Index (GTAI) that retail is the only industry in which companies are devoting more financial resources to compliance-related security concerns than to hacker-related concerns, a narrow and incomplete focus that could leave the door wide open for a successful breach.
The new 2015 Dell Security Annual Threat Report identified a few disturbing new data points about the recent slew of POS attacks:
1) POS malware and attacks are proliferating.
Dell SonicWALL Threat Researchers created over three times as many POS-specific malware countermeasures in 2014 compared with 2013. Cyber criminals are launching a broader front against retailers, leading to the dramatic and very visible increase in attacks on retailers that we witnessed last year.
2) The U.S. retail industry is the biggest target.
The majority of attacks Dell identified last year were targeted at American retailers. Mega-companies Home Depot and Target famously experienced the largest POS breaches in history, and others, including Michaels and Staples, were also victims of the digital bloodbath that took place throughout the year.
3) POS attacks are evolving.
Dell SonicWALL threat researchers identified new breeds of POS malware tactics in 2014, including memory scraping and the use of encryption to avoid detection by firewalls. Having up-to-date network security infrastructure and continuous monitoring is becoming more important than ever.
One of the most worrisome data points revealed in last year’s GTAI showed that employee security training is lacking across all industries. Fifty-six percent of companies admit not all of their employees are aware of security rules. This can expose companies to threats ranging from the accidental sharing of sensitive data to the provision of unrestricted system access for vendors who might be compromised themselves.
It may seem like companies are fighting a losing battle against POS breaches, but the truth is, even the largest breaches of 2014 could have been avoided with the right measures in place. There are a few best practices retailers should follow to prevent additional POS breaches in 2015:
- Install next-generation firewalls (NGFWs) between network segments and in the business-to-business portal. NGFWs go beyond the port/protocol inspection and blocking offered by traditional firewalls to also provide application-level inspection, intrusion prevention, and intelligence from outside the firewall.
- Minimize mobile threats by enacting a full mobility security plan that includes basic limitations on the mobile devices themselves (password and timeout requirements, software updates, and policies against jailbroken devices and downloads from untrusted developers) and at the data level (appropriate access levels for employees, automatic encryption, and ongoing employee training).
- Use deep-packet inspection on all traffic at every node on every segment and automatically investigate anomalies.
- Separate groups and zones to keep attackers who have gained network access from penetrating further.
- Institute two-factor authentication to protect against compromised mobile devices.
- Keep the operating systems (OS) patched and all software updated.
- Isolate the POS system from the rest of your network and restrict terminal activity (no web browsing).
- Adopt a security policy that trusts nothing (network, resources, etc.) and nobody (vendors, franchisees, internal personnel, etc.), then add explicit exceptions.
- Enforce email security to block malware in spam and phishing attacks.
Finally, make security training a significant part of employee onboarding and ongoing communications. No data is truly secure unless the people who interact with it every day understand acceptable usage rules and how to respond in the event of a breach.
If some good can come from 2014’s multitude of POS breaches, it should be that it inspires retailers to re-examine their approaches to security. Go beyond basic compliance needs and proactively protect your infrastructure from hackers. With the wealth of security resources available to combat both traditional and emergent threats, the “year of POS breaches” should soon feel like a footnote in the history books.