This blog is part of the RH-ISAC holiday guidance blog series. For more blogs in this series, visit https://www.rhisac.org/blog/.
There are plenty of things to be concerned about in the world of cybersecurity. There have been many tales of failure and frustration, and more than enough high-profile attacks and breaches to keep retail and hospitality cybersecurity executives and practitioners up at night. But there are also plenty of success stories of cybersecurity teams thwarting an attack or threat.
The security landscape is constantly evolving, as the game of cat-and-mouse between defenders and attackers grows ever more complex. While the game is never won, and no cybersecurity professional can ever consider their organization’s data truly and entirely safe, the retail and hospitality verticals have made significant progress over recent years. Here are several positive trends we’ve seen across the industry. Hopefully you find yourself nodding along with most of these!
- Recognition of the Problem
This, pure and simple, is the single most encouraging trend in the business world overall, and in retail and hospitality. Following several high-profile and very costly breaches of retail and hospitality environments, the industry has begun to devote the necessary attention to the problem and is taking the time to understand the risks and build dynamic and proactive security programs.
Hand in hand with this recognition has been the adoption of multifaceted approaches by many retail partners, including the financial and payment card sector, and vendors and suppliers. One obvious example of this has been the adoption of EMV chip-enabled cards, allowing American payment processing outlets to catch up with Europe (although the US has not fully moved to chip and PIN).
From payment processing apps and websites to vendor suppliers to credit card companies, there’s been a holistic hardening across nearly every corner of the retail sector. This is not a free pass to relax or assume that everyone else has already done the hard work for us. In fact, even these improvements are reminders that we can never rest on our laurels, because attackers don’t simply give up and go home when we lock one door; they double their efforts to find a window. The widespread adoption of chip cards has led to attackers finding new attack vectors, like digital skimmers. Nevertheless, the improvement industry-wide with regard to cybersecurity is heartening.
- Investment in Prevention
Given the recognition of the problem, it should come as no surprise that investment in cybersecurity has risen. As high-profile and exceedingly expensive breaches have become a regular occurrence lately, retail and hospitality management has realized that, in most cases, an ounce of prevention is truly worth a pound of cure: in the long run, it’s cheaper to try to stop attacks before they inflict serious damage than to try to fix the problems that spring from the attacks.
This investment spans technology, process and people. Technology was perhaps the first step: following several high-profile attacks, there was substantial investment in a range of security technologies and capabilities. From improved security devices to expanded threat intelligence and vulnerability management capabilities, the retail and hospitality sector as a whole modernized its security posture to address a multitude of threats. Along with those improvements, we’ve seen hardening of security policies, from adoption of standards such as PCI and NIST, to simpler programs like adopting stringent password policies.
And finally, we’ve seen increased investment in security talent. The industry has recognized that having shiny new boxes plugged into its network or a robust security program written out on paper only goes so far: it needs experienced, expert staff to manage its security devices and implement security programs. More and more major retail and hospitality organizations have robust cybersecurity departments, staffed by experienced security professionals. The three facets in concert produce drastically improved security.
- Participation in Information Sharing Communities and Organizations
Finally, one of the most encouraging trends in recent years has been the increased sharing of information and strategies within industries. Although they are competitors, organizations have realized that they are each other’s best sources of information against their shared threats. In most cases, this is facilitated by ISACs, or Information Sharing and Analysis Centers. Within the retail space, the Retail & Hospitality ISAC (RH-ISAC) serves to connect the security teams of its member organizations to work together on challenges, allowing teams that face similar threats to improve through collaboration. ISACs provide technical bulletins on the latest threats reported by their members, facilitate conferences and instructional meetings, and collaborate with federal cybersecurity authorities through participation in the Department of Homeland Security’s (DHS) Cyber Information Sharing and Collaboration Program (CISCP).
RH-ISAC will be sharing tips throughout the holiday season in a holiday guidance blog series.