Recent cyberattacks that have received the greatest media and public attention have mostly been perpetrated against larger companies, but even the smallest convenience store operators are vulnerable, too.
Information security is critically important. There are two approaches to securing a convenience store retailer's information: defensive and offensive.
The defensive approach includes configuring firewalls, coding to standards, and implementing software that is “set and forget,” such as antivirus or software to ensure password strength. In essence, you check all the information security “boxes.”
The offensive approach — and the preferred approach — is to think like a hacker; to try and break into your own systems. This is how operators find out how people have been hacking into similar systems.
Once this step is completed, the offensive approach to information security requires taking several additional steps. Here are a few items on your technology to-do list:
Know where all your data is. Identify who has access to it. Classify your data as high or low risk. Bring in an outside firm to objectively evaluate and understand your systems and processes. And then, create a plan and a specific scope of work so you know what technology partners you need.
PROCESSES & PROTOCOLS
A successful information security function relies heavily on solid governance. Companies need a framework for evaluating third-party providers of information technology development and security, plus they need to ensure that departments inside their organizations follow strict processes and protocols when making technology decisions or purchases.
Part of this governance process is simply asking the right questions. Managers and executives should set up a meeting with their technology team and ask a number of questions: Do we have an information security function? To whom does it report? What does our security function look like? How do we vet third-party technology providers? How do we know they are doing things the right way? Do we have gateways and forced check-ins in order to get something done, such as a code review before any new websites are launched?
This sort of dialogue is key to ensuring c-store retailers don’t stall in a quest to provide the highest level of security for the company and its customers.
DON’T REINVENT THE WHEEL
Next, take a look at the best information security practices of entities that do it well. There’s no point in reinventing the wheel if effective practices are already being utilized.
The Building Security in Maturity Model is another great place to start. It is a software security measurement framework that helps organizations compare their software security to other organizations, enabling them to take the necessary steps to improve.
A great example of an industry-specific security measure is the concept of vaulting, practiced by many convenience stores and retailers in which credit card numbers from transactions or loyalty programs are never onsite. They are placed in an offsite “vault” that protects the information from hackers.
Examples from sectors outside retailing might be helpful and relevant, as is learning from missteps other organizations take.
PERFECTION ISN’T REQUIRED
The most common mistake I see is when retail managers get overwhelmed and the process becomes too cumbersome and too intimidating. So, managers ignore the entire issue of information security and hope nothing happens.
Too many managers say “the system is too old” or “we could never do that” or “I don’t even know where to begin.” Don’t let “perfect” be the enemy of the greater good.
Here is some advice to reflect on when embarking on this security journey:
- It’s all about continuous improvement — start where you are and get better.
- Don’t get discouraged. Keep the momentum going.
- Break through the politics and get people on board.
- Most mistakes are not technical; they are management errors.
To avoid these mistakes, consider the following:
- Always look at how to control scope; you don’t have to do it all yourself.
- Get experts in the room; do your due diligence.
- Take necessary precautions — you can’t afford not to.
- Do what is needed and then take it to the next level. Think like a hacker.
ALL ABOUT PEOPLE
Don’t forget that technology is built by and for people. If a human being created the technology, a human being can hack into it. So, the most effective solution is to have a real person take what is known about the system and try to break it from the inside out. This clear box approach requires skill and expertise that c-store retailers may or may not have on their technology team.
Second, a culture of staff education is important. The technology is for them. Explain information security initiatives to employees via lunch-and-learns and other internal communications efforts, and provide the information in a simple way. Retailers will be surprised at how willing employees are to follow the rules and ask questions when doing something technology related.
Finally, commit. Senior management, not just compliance personnel, must be on board for an information security initiative to be successful, just as they must be for a business’ other important initiatives.
Editor’s note: The opinions expressed in this article are the author's and do not necessarily reflect the views of Convenience Store News.