Stephen Roostan, VP EMEA at Kenna Security explores how retailers can ramp up their security and block any potential cyber attacks.
The seemingly unstoppable rise of e-commerce means more customers are flocking online to fulfil their retail needs, 24 hours a day. Nearly every large retailer runs an online store where customers create accounts to fulfil their orders, and it’s this ubiquitous online presence that also attracts the attention of cybercriminals, who target customer data (addresses, emails, phone numbers), alongside payment details with a wide range of increasingly sophisticated attacks.
In December, for instance, the US retailer Kmart was reportedly the victim of a ransomware attack, reminding the industry that it remains extremely vulnerable to downtime, loss of revenue and the huge brand damage that can result from a breach. One of the key issues retailers face is vulnerability management and the pressure placed on IT teams to continually monitor, track and fix vulnerabilities across their infrastructure to protect the organisation from any potential cyberattack.
This can be a major undertaking for any retail business, but at the enterprise end of the scale, it may typically involve the management of tens of thousands of assets. Ranging from laptops, servers, routers and internet-connected printers to other endpoint devices, together these may be subject to millions of vulnerabilities that, potentially, must be identified and patched.
To manage the sheer volume of vulnerabilities, organisations often adopt a ‘divide and conquer’ process when deciding which to prioritise for patching. The problem with this approach is that only 2% to 5% of all the potential vulnerabilities represent a real threat to the IT environment.
What’s more, widely used free tools, such as the Common Vulnerability Scoring System (CVSS), come with limitations that make it difficult to manage the sheer volume of vulnerabilities out there. To give this some context, 451 Research assessed that an organisation using CVSS v3 to score 2 million vulnerabilities could find that 660,000 are classified as ‘critical’. Without understanding the exact relative risk these vulnerabilities pose, prioritising which to address first requires considerable time and resources from security specialists to decide where to focus remediation efforts.
Taking a risk-based approach
Instead, many organisations are now adopting a risk-based approach to vulnerability management (RBVM), making it possible to apply meaningful metrics and evaluate potential risk factors. These platforms are designed to make the overall process much easier and more efficient for security and IT teams because they can assess and predict which vulnerabilities pose a real threat – based on actual risk to the organisation.
By employing predictive data science modeling and real-time threat intelligence feeds, RBVM platforms shift the emphasis of vulnerability management by enabling security teams to assess exactly how critical each threat is to each specific environment. In contrast to CVSS scoring that may identify huge volumes of vulnerabilities as ‘high risk’, RBVM solutions focus on evidence-based information so retail tech teams can focus on just the most critical vulnerabilities that represent a true risk at that moment in time.
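As an added illustration (not Kenna's scoring model or any code from the article), the following Python compares a CVSS-only cut-off with a simple risk-based ranking that weights each finding by exploit evidence and asset exposure; the field names, weights and vulnerability identifiers are constructed assumptions.

```python
# Illustrative risk-based prioritisation. The weights below are an assumption
# chosen to show the idea, not a published scoring formula.
from dataclasses import dataclass

@dataclass
class Vuln:
    vid: str               # constructed placeholder id, not a real CVE number
    cvss: float            # CVSS v3 base score, 0-10
    exploit_seen: bool     # threat-intel feed reports active exploitation
    exploit_public: bool   # public exploit code is available
    internet_facing: bool  # asset is reachable from the internet
    asset_criticality: int # 1 (low) .. 5 (e.g. payment or checkout systems)

# Constructed sample inventory: three findings are CVSS 'critical' but only one
# of the five is both actively exploited and sitting on an exposed key asset.
SAMPLE = [
    Vuln("V1", 9.8, False, False, False, 1),
    Vuln("V2", 7.5, True,  True,  True,  5),
    Vuln("V3", 9.1, False, True,  False, 3),
    Vuln("V4", 9.6, False, False, True,  2),
    Vuln("V5", 6.5, True,  True,  False, 5),
]

def cvss_critical(vulns, threshold=9.0):
    """CVSS-only triage: everything at or above the threshold is 'critical'."""
    return [v for v in vulns if v.cvss >= threshold]

def risk_score(v):
    """Scale the CVSS base score by evidence of real-world threat and exposure."""
    threat = 1.0
    if v.exploit_seen:
        threat += 2.0          # active exploitation weighs most
    elif v.exploit_public:
        threat += 1.0          # public exploit code weighs less
    exposure = (2.0 if v.internet_facing else 1.0) * v.asset_criticality / 5
    return round(v.cvss * threat * exposure, 1)

def risk_ranked(vulns):
    """Order findings by risk score, highest first: the 'fix first' list."""
    return sorted(vulns, key=risk_score, reverse=True)

def fix_first(vulns, min_score=15.0):
    """Findings above the risk threshold; the rest can be scheduled later."""
    return [v for v in risk_ranked(vulns) if risk_score(v) >= min_score]
```

Run against the sample, CVSS-only triage flags V1, V3 and V4, while the risk ranking puts V2 and V5 (actively exploited, on critical assets) at the top and demotes the unexploited internal V1 to last.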
As a result, the ability to confidently identify what to fix first – and which patches can be applied at a later date – improves efficiency and, most important of all, significantly reduces the cybersecurity risk presented by infrastructure vulnerabilities.
In practical terms, security teams using RBVM no longer have to put time and effort into creating extended patch lists for their IT colleagues to implement, because they understand the priorities required to protect their systems. On the other hand, IT teams can confidently focus on a clearly defined set of cybersecurity issues, knowing they can be remediated without wasting time and effort on vulnerabilities that aren’t important and without adversely impacting application or service uptime. No retailer wants to take customer-facing technology offline, even for a short period, especially if the updates might not be required.
And because security and IT teams end up spending less time focused on the headline vulnerabilities that, when assessed for risk, don’t pose a particular threat, they can move on from constantly playing catch-up and focus on those areas of greatest risk. Time saved by using RBVM to plan and apply patching schedules can be devoted to other cybersecurity or IT tasks – for retailers with dynamic digital strategies, this can deliver an important dividend for optimising technology strategy as a whole.
Given the pressure the retail sector is currently facing, IT efficiency is paramount – but not at any cost. Balancing customer-facing and back office technology performance, usability and reliability with security is a delicate balancing act, but by intelligently dealing with vulnerabilities based on risk, retailers can focus on delivering a compelling customer experience in today’s highly competitive market.