You are here
Recent cyberattacks that have received the greatest media and public attention have mostly been perpetrated against larger companies, but even the smallest convenience store operators are vulnerable, too.
Information security is critically important. There are two approaches to securing a convenience store retailer's information: defensive and offensive.
The defensive approach includes configuring firewalls, coding to standards, and implementing software that is “set and forget,” such as antivirus or software to ensure password strength. In essence, you check all the information security “boxes.”
The offensive approach — and the preferred approach — is to think like a hacker; to try and break into your own systems. This is how operators find out how people have been hacking into similar systems.
Once this step is completed, the offensive approach to information security requires taking several additional steps. Here are a few items on your technology to-do list:
Know where all your data is. Identify who has access to it. Classify your data as high or low risk. Bring in an outside firm to objectively evaluate and understand your systems and processes. And then, create a plan and a specific scope of work so you know what technology partners you need.
PROCESSES & PROTOCOLS
A successful information security function relies heavily on solid governance. Companies need a framework for evaluating third-party providers of information technology development and security, plus they need to ensure that departments inside their organizations follow strict processes and protocols when making technology decisions or purchases.
Part of this governance process is simply asking the right questions. Managers and executives should set up a meeting with their technology team and ask a number of questions: Do we have an information security function? To whom does it report? What does our security function look like? How do we vet third-party technology providers? How do we know they are doing things the right way? Do we have gateways and forced check-ins in order to get something done, such as a code review before any new websites are launched?
This sort of dialogue is key to ensuring c-store retailers don’t stall in a quest to provide the highest level of security for the company and its customers.
DON’T REINVENT THE WHEEL
Next, take a look at the best information security practices of entities that do it well. There’s no point in reinventing the wheel if effective practices are already being utilized.
The Building Security in Maturity Model is another great place to start. It is a software security measurement framework that helps organizations compare their software security to other organizations, enabling them to take the necessary steps to improve.
A great example of an industry-specific security measure is the concept of vaulting, practiced by many convenience stores and retailers in which credit card numbers from transactions or loyalty programs are never onsite. They are placed in an offsite “vault” that protects the information from hackers.
Examples from sectors outside retailing might be helpful and relevant, as is learning from missteps other organizations take.
PERFECTION ISN’T REQUIRED
The most common mistake I see is when retail managers get overwhelmed and the process becomes too cumbersome and too intimidating. So, managers ignore the entire issue of information security and hope nothing happens.