NRF's BIG Show 2017: Small Retailers Need Risk-Based Approach to Cybersecurity

Small businesses need to assess which data is most at risk from a cyberattack, and then plan their security accordingly and avoid expending resources to protect assets that don’t need it.

Ethan Steiger, vice president for information security for Domino’s Pizza, explained how small businesses, such as Domino’s thousands of franchised stores, should approach security during a session at NRF Retail’s BIG Show 2017 in New York City.

Steiger related a story about a high school friend of his who had purchased a Trans-Am and taken his radio out of the car and placed it in a metal box. The friend explained that thanks to cryptography, the radio would only work with that particular Trans-Am. Upon returning to the car, the pair realized the car had been stolen and the security for the radio had been worthless. “May he should have focused his anti-theft attention on the car,” Steiger said. “That was the true asset.”

Information security products and expertise is expensive, Steiger noted, and small to medium-sized businesses tend to spend less time and money on network security than larger enterprises. That makes them easier targets for cybercriminals, he said. What can small businesses do to prepare themselves for cyberattacks?

Make a Cybersecurity Protection Plan

Small businesses need to upgrade their protection via technology but also should try to “break the kill chain,” Steiger said, referring to the structure of a cyberattack. Steiger noted that hackers sometimes spend weeks or months conducting reconnaissance on a target before attacking, and that victims sometimes don’t know an attack has occurred until after it has happened and third parties have alerted them.

Companies also need to understand which data is at risk. “Don’t protect information that isn’t valuable,” Steiger said.

Training to combat phishing and social engineering are also critical, and all employees need to understand their role in cybersecurity, he added.

Small businesses should also conduct a cybersecurity audit, Steiger recommended. “Most small businesses really can’t build an appropriate budget at a high level to protect their enterprises,” he said. Therefore, it makes a lot of sense to hire a third party to help them identify their risks.

Why do such steps matter? Steiger noted that companies that suffer cyberattacks face fines, lawsuits from customers and brand damage. He also noted that small businesses that are targeted with ransomware can face losses of $35,000 to $50,000 per incident.

Additionally, he said, SMBs are typically the weakest link in “chain of trust” attacks that target SMBs’ partners. Small firms often give partners access to their systems and then forget about that, Steiger said, which can create vulnerabilities.

Many retailers also buy point-of-sale systems from vendors, he said, which may be compromised before they are even installed in a store.

Taking a Risk-Based Cybersecurity Approach

In the face of this, what can SMBs do? One thing business leaders can do, Steiger said, is scrutinize the security decisions IT directors and managers make. Often, he said, information security decisions are based on a very limited and uncrutinized subset of information sources as part of an ad-hoc security approach.”

Business leaders should challenge IT staff members to explain why they want the security IT they have implemented, he said, adding that companies should look to technology solutions that protect data that needs to be protected.

Firms need to determine what levels of risk they want to assume in cybersecurity, and then design security round that, Steiger said. They also need to explore their information security and technology to determine where gaps might be and what needs to be patched.

Small businesses should also turn to third-party resources and solutions providers. Steiger noted that there is a wealth of information available online, such as the National Institute of Standards and Technology’s small business information security guide.

Firms need to conduct inventories to determine the value of their information and what needs to be protected. Once they do that, they can take steps to protect their data by backing it up in the cloud or with physical copies. Protection also involves physical elements such as firewalls, Steiger noted.

However, despite efforts to protect data, breaches will occur, Steiger cautioned, and small businesses should have a plan for how to respond. “How are you going to engage your organization when a breach happens?” he said. “What do we need to do to get back to a normal operational state?

Businesses need to figure out which legal authorities and third parties they need to consult with in the event of a breach, and which executives are responsible for the response, including communicating with customers and the public via social media.

“Typically, when an event happens, things move very quickly, and you don’t want to be stuck with, ‘What do we do now?’” he said.

Steiger also recommended that small businesses explore purchasing cyberinsurance to mitigate risks, reimburse losses associated with attacks, keep operations running and cover potential legal fees. Such policies also force businesses to produce a written information security plan.

“The cost of an insurance plan can save you a lot of heartache,” he said.

Read articles and check out videos from BizTech’s coverage of NRF Retail’s BIG Show 2017 here.