What Happens When the Lights Go Out?

Background

Driven by the high-profile data security breaches at global retail brands (Target, Michaels, etc.) over the past 10 years, directors across all retail verticals have elevated data security to a top priority of their organizations.  As a result, maintaining the confidentiality and integrity of PCI, PII, and sensitive corporate data has become a primary focus of retailers’ cybersecurity teams.  While this development is a positive trend in protecting retail brand reputations, other aspects of cybersecurity have received less attention in recent years – one of those being the operational availability and integrity of business-critical systems.

Why It Matters

Traditionally, there has been a significant focus on maintaining these systems.  A driving factor for this was that it was easier to identify and evaluate these systems:

  • Customer- and store-facing applications – such as POS systems and websites – that enable sales and store operations
  • Back-office applications – such as ERP systems – that ensure continuous operations across an organization’s core business processes

As modern organizations have embraced a “lean methodology,” external service providers and automation have become more important components of business operations. This exercise in optimization has blurred the lines between internally and externally managed systems and, as a result, increased the complexity of monitoring and maintaining them – an issue that many organizations have failed to address.

Interruptions and degradations to the availability and integrity of business-critical systems represent significant risks to many, if not most, retailers’ operations:

  • Merchant Acquirer Downtime: For nearly all merchants, electronic payment processing represents the largest method through which product is monetized.  For those merchants that leverage a single merchant acquiring relationship, disruption of service at the merchant acquirer (through a Distributed Denial of Service attack, for example) represents an immediate, critical impact to company cash flow.  Just a few hours of downtime in the ability to process payments can cost merchants millions of dollars in lost sales and even more in brand reputation.
  • Inventory Monitoring Inaccuracies: New Internet of Things (IoT) monitoring devices and the analytics solutions for inventory management behind them allow retailers to optimize and reduce inaccuracies in supply chain management.  This, however, has created a dependency on these solutions to maintain optimal levels of inventory to continue sales operations.  Attacks that interrupt or impede the performance of these devices (botnet software consuming all available compute or network resources, for example) prevent complete, accurate inventory data from arriving at retailers’ home offices.  Decisions then made upon incomplete and/or inaccurate data at scale can cause significant inventory overages or shortages, creating immediate downstream impacts.

While we discuss only these examples above, there are many more scenarios that represent similar levels of risk within any large merchant.  Acknowledging the risks that the operational integrity and availability of these systems pose is a key first step in charting a path forward to mitigating these risks.

Where We Go from Here

By no means is this a “doom and gloom” scenario.  Many retailers have acknowledged these gaps and have addressed them accordingly within their cybersecurity strategies and operations.  However, for those that have yet to do so – and even for those retailers who believe they have done so – here are three initial steps that can be taken:

  1. Define a framework by which the business criticality of all current and future IT systems is evaluated. You cannot enhance your cybersecurity strategy to address the issues outlined above without first understanding the full breadth of the issues.
  2. Enhance your cybersecurity strategy for (1) identifying and reacting to existing gaps and (2) proactively identifying the business criticality of any new critical system added to your environment and building controls to protect its integrity and availability. The enhanced cybersecurity strategy should also include best practices for procurement groups when selecting external vendors to provide business-critical services.
  3. Review and enhance business continuity plans (BCPs) in the event of service interruption or degradation. This should be inclusive of both internally and externally managed critical systems and should integrate with any externally-defined BCPs.

By taking these initial steps above, retailers can begin to address some of the key risks that system service interruptions and degradations represent to their organizations.  From there, including these strategies as a pillar of your organization’s larger cybersecurity objectives going forward will allow your organization to effectively mitigate these risks now and in the future.

For further discussion, contact Patrick at [email protected].