Risky Business
When it comes to securing their property, retailers buy the best of alarms to prevent break-ins, and install video camera surveillance to curb shoplifting. That's the easy part. But what about "invisible" property like customer credit-card data or private company information? Retail giant Best Buy learned its lesson the hard way, when it had to close down its wireless cash registers last year after a hacker possibly accessed a customer's credit-card information.
"If you lose consumer confidence by compromising customer information, you will lose business because people won't shop where their information is compromised," said Cate Quirk, research analyst specializing in application security for AMR Research in Boston.
But even if a convenience store isn't using wireless technology, all the firewalls in the world won't save a company from a tornado or fire. If some natural disaster takes down the headquarters or data center, what happens to all the information? And turning inward, how much trust can a company give to its employees not to tamper with data or access confidential information? And, of course, there is always the issue of internal shrink.
With all these issues looming, and mistakes made by retailers in the past, c-store owners must assess how much risk their companies can afford — truth is, they've got a lot to lose.
The Outsourcing Option
In response to these concerns, some c-store retailers purchase network security applications and manage them in-house, while others choose outsourcing to an application service provider (ASP).
Fred Garrison Oil Co. turned to StoreReport.com by ScotSystems Inc., based in Ridgeland, Miss. — an ASP specifically designed for the gasoline and convenience industry — to secure its network.
"StoreReport.com is my data center," said Phil Kenley, controller for Fred Garrison Oil, operator of six convenience stores and a 60-million-gallon-per-year oil jobbership. "They do all the backup, and my data is more secure. Right now, if my building burned down I would lose everything except my data, because nothing resides on my computer." Additionally, with headquarters in Plainview, Texas, harsh weather conditions are another concern. "We are out in tornado country," said Kenley. "We could have our entire operation wiped out, but our data is always safe."
Another outsourcing advantage is its minimal cost compared to purchasing individual applications and hardware. StoreReport.com is available for an average monthly fee of $199 per individual store, and in addition to handling the backup responsibilities, the company offers 24-hour phone support and users can access their files from any standard computer with Internet access.
"We were paying thousands of dollars a year for IBM support for the systems we had, and now we pay no support for hardware," noted Kenley. "Also, we increased our business 20 percent, going from 50 million gallons per year to 65 without having to add more employees at the head office to enter all the data."
Further, pulling in the reins on employee access to company files is another perk Kenley gained from StoreReport.com. Each employee has his or her own user name and password, and the network allows management to grant access to certain areas and deny access to others for each employee.
"Customized user access is one of the best features as far as security goes," explained Kenley. "For example, the girl who does the accounts payable can't access the payroll accounts. I can determine who can access what. I can have it where anybody in the company can change an employee's address, but they can't access compensation files."
A plan to add another access control program from StoreReport.com is on the horizon for Garrison Oil. The company will soon begin using Convenience Store Pricebook to maintain prices at its convenience stores in one central location. "This will also be restricted to one or two people in the company who will be able to change prices," noted Kenley.
Outsourcing in Space
Similar to StoreReport.net, McLean, Va.-based Spacenet provides a secure network via outsourcing. But Spacenet takes security into a different realm by transcending the Internet and opting for satellite speed. And Cumberland Farms Inc., headquartered in Canton, Mass., opted for this network four years ago to handle the transactions from its more than 600 stores.
"We chose the satellite network for speed, additional connect time and flexibility," said John Carroll, CIO of Cumberland Farms. "The credit-card transactions go through much faster over the satellite, and the customer-service aspect is the best thing because now pay-at-the-pump time is reduced from 15 to 20 seconds, down to only five seconds."
In addition to speed, the satellite system offers data security. Out of 650 Cumberland Farms stores, 620 are connected to Spacenet's VSAT satellite network, and transfer information directly from the pump or point-of-sale (POS) terminal in real time.
"We feel very secure when processing information at the POS," said Carroll. The information is encrypted at the POS and sent to one of the Spacenet hubs around the country, using a "military-grade frequency hopping technique," according to Fritz Stolzenbach, spokesperson for Spacenet. He explained the transmitting and receiving hardware utilizes a scrambling and unscrambling of algorithms sent across a wide range of frequencies in a random fashion. And unless a person has Spacenet software, intercepted or received information cannot be translated. Once received at the hub, it is sent using a T1 connection to the company's headquarters.
Similar to StoreReport.net, there is a monthly fee per store for the monitoring of traffic at the hub, and the hardware is included in the fee. "Spacenet has a service company that went into our stores and installed an indoor unit, like a giant modem, to hook the store services into, such as the POS system."
Of course, Cumberland still protects its PCs in the stores and at the headquarters with Norton anti-virus software, and in six to 12 months the company would like to add Internet and e-mail to each of its stores. But because of the additional security concerns required as a result, the company is moving methodically, reported Carroll.
"Once you give the stores e-mail, the traffic will be coming back and forth and someone can infect your systems. We would probably handle it with a VPN [virtual private network] and a firewall at our headquarters."
An additional cost savings Cumberland enjoyed through the switch to satellite was the elimination of approximately 1,000 phone lines, which as Carroll put it, "basically paid for the satellite service."
Managing Its Own
Outsourcing is a viable option, especially for smaller chains, according to Pete Abell, research director of global retail at AMR. "Outsourcing is a good alternative because many [convenience stores] are unable to keep up with the constant changes necessary, and the constant updating of their security needs."
However, others choose to handle data security in-house. Wawa Inc., based in Wawa, Pa., switched from a dial-up network and began installing Enterasys Networks' XSR-1805 security routers — a frame-relay wide area network (WAN), and both a wired and wireless local area network (LAN) — with complete rollout to its 560 stores expected by October of this year.
"At some points we were not doing a good job staying proactively ahead," explained Martin Maglio, Wawa's director of IT architecture. "But now we are more proactive than reactive."
To ensure security at its headquarters — the point where the information is gathered and contained — Wawa now runs an Aurorean VPN from Andover, Mass.-based Enterasys, with a CheckPoint firewall in front of it. Additionally, the company has virus protection software on all of its desktop machines as well as within the firewall, according to Maglio.
The POS system is also an important aspect to secure. At Wawa, each of the stores sends batches of information to headquarters three times a day, which includes POS transaction data. "We do the encryption on our point-of-sale system, but it is written and supported by Triversity," noted Maglio.
And as a bonus to its newfound security, the new Enterasys routers have also provided Wawa stores with speed. "We put our credit authorizations over the dedicated network, and it saves 23 seconds per transaction," said Maglio. "Before it was done through the dial-up network, which was taking a long time." The actual transaction time dropped from 25 seconds to about five, he reported. Also, the XSR's traffic prioritization features allow the credit-card authorizations to take precedence over other network traffic.
The Layering Approach
Operators at Favorite Markets, a convenience store chain headquartered in Dalton, Ga., implement several levels of security. The company utilizes a VPN, firewall protection, anti-virus software and a proxy server.
"I believe in having several layers of protection," said Larry Taylor, system administrator at Favorite Markets. "We never had downtime or hacking before, but I think that was just a matter of luck. Eventually someone would have gotten around to us and made us a target. This was definitely something that needed to be addressed."
The company began installation of Atlanta-based FusionPoint Technology's SonicWall TELE3 firewall/VPN appliances in August 2002. The technology is currently deployed at 112 stores across its network, with 28 additional locations in the installation process. Favorite Markets also installed SonicWall's Pro 300 for its headquarters, the primary point to which all of the stores send information.
"FusionPoint installed the Pro 300 at our headquarters, which took about two-and-a-half hours to get everything reconfigured, and then went out to one of our stores and installed the TELE3," said Taylor. After installing the first store together, the other sites were installed by Favorite Markets' technicians, who were trained by Taylor to set up the remote sites, which can now be done in minutes, he reported.
The TELE3 is both a VPN and a firewall, but the company also added anti-virus software on top of it. "We chose these systems because we can put in a TELE3 and it will create a secure connection," explained Taylor. "Our only security before was a dial-up connection. Now we have total firewall protection with no back doors or side entrances into the network."
So what's the next step in network security? A movement toward wireless technology, according to Pete Abell of AMR. "Cigarettes are a high percent of sales, and this area is very likely to be tracked on a wireless basis using radio frequency," he noted. "[Convenience stores] will need security on the readers, which can also track employee theft on this level."
As for now, convenience stores need to focus on the importance of securing their networks, and the consequences of ignoring this need. As Taylor put it, "I believe anyone who does not have firewalls or some type of proxy server is living on borrowed time."
"If you lose consumer confidence by compromising customer information, you will lose business because people won't shop where their information is compromised," said Cate Quirk, research analyst specializing in application security for AMR Research in Boston.
But even if a convenience store isn't using wireless technology, all the firewalls in the world won't save a company from a tornado or fire. If some natural disaster takes down the headquarters or data center, what happens to all the information? And turning inward, how much trust can a company give to its employees not to tamper with data or access confidential information? And, of course, there is always the issue of internal shrink.
With all these issues looming, and mistakes made by retailers in the past, c-store owners must assess how much risk their companies can afford — truth is, they've got a lot to lose.
The Outsourcing Option
In response to these concerns, some c-store retailers purchase network security applications and manage them in-house, while others choose outsourcing to an application service provider (ASP).
Fred Garrison Oil Co. turned to StoreReport.com by ScotSystems Inc., based in Ridgeland, Miss. — an ASP specifically designed for the gasoline and convenience industry — to secure its network.
"StoreReport.com is my data center," said Phil Kenley, controller for Fred Garrison Oil, operator of six convenience stores and a 60-million-gallon-per-year oil jobbership. "They do all the backup, and my data is more secure. Right now, if my building burned down I would lose everything except my data, because nothing resides on my computer." Additionally, with headquarters in Plainview, Texas, harsh weather conditions are another concern. "We are out in tornado country," said Kenley. "We could have our entire operation wiped out, but our data is always safe."
Another outsourcing advantage is its minimal cost compared to purchasing individual applications and hardware. StoreReport.com is available for an average monthly fee of $199 per individual store, and in addition to handling the backup responsibilities, the company offers 24-hour phone support and users can access their files from any standard computer with Internet access.
"We were paying thousands of dollars a year for IBM support for the systems we had, and now we pay no support for hardware," noted Kenley. "Also, we increased our business 20 percent, going from 50 million gallons per year to 65 without having to add more employees at the head office to enter all the data."
Further, pulling in the reins on employee access to company files is another perk Kenley gained from StoreReport.com. Each employee has his or her own user name and password, and the network allows management to grant access to certain areas and deny access to others for each employee.
"Customized user access is one of the best features as far as security goes," explained Kenley. "For example, the girl who does the accounts payable can't access the payroll accounts. I can determine who can access what. I can have it where anybody in the company can change an employee's address, but they can't access compensation files."
A plan to add another access control program from StoreReport.com is on the horizon for Garrison Oil. The company will soon begin using Convenience Store Pricebook to maintain prices at its convenience stores in one central location. "This will also be restricted to one or two people in the company who will be able to change prices," noted Kenley.
Outsourcing in Space
Similar to StoreReport.net, McLean, Va.-based Spacenet provides a secure network via outsourcing. But Spacenet takes security into a different realm by transcending the Internet and opting for satellite speed. And Cumberland Farms Inc., headquartered in Canton, Mass., opted for this network four years ago to handle the transactions from its more than 600 stores.
"We chose the satellite network for speed, additional connect time and flexibility," said John Carroll, CIO of Cumberland Farms. "The credit-card transactions go through much faster over the satellite, and the customer-service aspect is the best thing because now pay-at-the-pump time is reduced from 15 to 20 seconds, down to only five seconds."
In addition to speed, the satellite system offers data security. Out of 650 Cumberland Farms stores, 620 are connected to Spacenet's VSAT satellite network, and transfer information directly from the pump or point-of-sale (POS) terminal in real time.
"We feel very secure when processing information at the POS," said Carroll. The information is encrypted at the POS and sent to one of the Spacenet hubs around the country, using a "military-grade frequency hopping technique," according to Fritz Stolzenbach, spokesperson for Spacenet. He explained the transmitting and receiving hardware utilizes a scrambling and unscrambling of algorithms sent across a wide range of frequencies in a random fashion. And unless a person has Spacenet software, intercepted or received information cannot be translated. Once received at the hub, it is sent using a T1 connection to the company's headquarters.
Similar to StoreReport.net, there is a monthly fee per store for the monitoring of traffic at the hub, and the hardware is included in the fee. "Spacenet has a service company that went into our stores and installed an indoor unit, like a giant modem, to hook the store services into, such as the POS system."
Of course, Cumberland still protects its PCs in the stores and at the headquarters with Norton anti-virus software, and in six to 12 months the company would like to add Internet and e-mail to each of its stores. But because of the additional security concerns required as a result, the company is moving methodically, reported Carroll.
"Once you give the stores e-mail, the traffic will be coming back and forth and someone can infect your systems. We would probably handle it with a VPN [virtual private network] and a firewall at our headquarters."
An additional cost savings Cumberland enjoyed through the switch to satellite was the elimination of approximately 1,000 phone lines, which as Carroll put it, "basically paid for the satellite service."
Managing Its Own
Outsourcing is a viable option, especially for smaller chains, according to Pete Abell, research director of global retail at AMR. "Outsourcing is a good alternative because many [convenience stores] are unable to keep up with the constant changes necessary, and the constant updating of their security needs."
However, others choose to handle data security in-house. Wawa Inc., based in Wawa, Pa., switched from a dial-up network and began installing Enterasys Networks' XSR-1805 security routers — a frame-relay wide area network (WAN), and both a wired and wireless local area network (LAN) — with complete rollout to its 560 stores expected by October of this year.
"At some points we were not doing a good job staying proactively ahead," explained Martin Maglio, Wawa's director of IT architecture. "But now we are more proactive than reactive."
To ensure security at its headquarters — the point where the information is gathered and contained — Wawa now runs an Aurorean VPN from Andover, Mass.-based Enterasys, with a CheckPoint firewall in front of it. Additionally, the company has virus protection software on all of its desktop machines as well as within the firewall, according to Maglio.
The POS system is also an important aspect to secure. At Wawa, each of the stores sends batches of information to headquarters three times a day, which includes POS transaction data. "We do the encryption on our point-of-sale system, but it is written and supported by Triversity," noted Maglio.
And as a bonus to its newfound security, the new Enterasys routers have also provided Wawa stores with speed. "We put our credit authorizations over the dedicated network, and it saves 23 seconds per transaction," said Maglio. "Before it was done through the dial-up network, which was taking a long time." The actual transaction time dropped from 25 seconds to about five, he reported. Also, the XSR's traffic prioritization features allow the credit-card authorizations to take precedence over other network traffic.
The Layering Approach
Operators at Favorite Markets, a convenience store chain headquartered in Dalton, Ga., implement several levels of security. The company utilizes a VPN, firewall protection, anti-virus software and a proxy server.
"I believe in having several layers of protection," said Larry Taylor, system administrator at Favorite Markets. "We never had downtime or hacking before, but I think that was just a matter of luck. Eventually someone would have gotten around to us and made us a target. This was definitely something that needed to be addressed."
The company began installation of Atlanta-based FusionPoint Technology's SonicWall TELE3 firewall/VPN appliances in August 2002. The technology is currently deployed at 112 stores across its network, with 28 additional locations in the installation process. Favorite Markets also installed SonicWall's Pro 300 for its headquarters, the primary point to which all of the stores send information.
"FusionPoint installed the Pro 300 at our headquarters, which took about two-and-a-half hours to get everything reconfigured, and then went out to one of our stores and installed the TELE3," said Taylor. After installing the first store together, the other sites were installed by Favorite Markets' technicians, who were trained by Taylor to set up the remote sites, which can now be done in minutes, he reported.
The TELE3 is both a VPN and a firewall, but the company also added anti-virus software on top of it. "We chose these systems because we can put in a TELE3 and it will create a secure connection," explained Taylor. "Our only security before was a dial-up connection. Now we have total firewall protection with no back doors or side entrances into the network."
So what's the next step in network security? A movement toward wireless technology, according to Pete Abell of AMR. "Cigarettes are a high percent of sales, and this area is very likely to be tracked on a wireless basis using radio frequency," he noted. "[Convenience stores] will need security on the readers, which can also track employee theft on this level."
As for now, convenience stores need to focus on the importance of securing their networks, and the consequences of ignoring this need. As Taylor put it, "I believe anyone who does not have firewalls or some type of proxy server is living on borrowed time."