Get All Access for $5/mo

Preventing Another Target Attack For retailers that don't want to be the next Target or Neiman Marcus, here are three tips they can do to protect themselves.

By Eric Basu Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

Shutterstock

While Target's credit-card security breach continues to get ugly, the real alarming part, is they weren't alone. At least five other major retailers were also hit during the same holiday period. While the total number of records in the other attacks was one-tenth that of Target, the assailants still stole an average of 27,000 records per store using the same techniques.

The obvious question becomes, "What can be done by retail businesses to both detect and to protect against this specific threat?" To be fair, there are established Payment Card Industry (PCI) compliance standards that are designed to assist retailers in thwarting point-of-sale (POS) attacks like the ones inflicted recently. The controls, however, are worded in ways that are open to interpretation and often are not explicit enough in their language to ensure comprehensive security controls are effectively implemented.

While PCI provides an excellent starting point and also includes many traditional information security best practices, it cannot be expected as a mere standard -- to canvas the entirety of what it means to operate in a secure state as an organization. Other activities are required.

To that end, here are three other points retailers should implement above and beyond the minimum standard.

Related: Keeping Your Intellectual Property Safe and Sound

Individually lock down every single POS system component. A POS terminal or collector must be used solely for that single purpose -- to make transactions. So every other unnecessary service and process should be disabled. For example, the local or remote operator should not be able to browse the internet, receive emails or perform any action that is not a direct functional requirement for the POS to function. If the terminal does need connectivity to the Internet, the specific service protocols should be the only ones allowed to leave the system and the traffic should be encrypted.

Employ monitoring software for the overall network. There are next generation software solutions that effectively visualize network traffic, break down machine-to-machine connections by service protocols and allow filtering by machine, service or even internet destination. For example, a North American-based retailer using a payment processing partner from the same continent should not see outbound connections from a POS terminal to places like Russia, China or Brazil. If they do, the connection should be dropped and the security administrator should be notified of the machine initiating the connection.

Related: Why Your Small Business Is at Risk of a Hack Attack

Implement application-level security practices. Application security is an often overlooked layer of security in POS environments. Keeping such programs up to date with the latest versions and patches as well as performing penetration tests on both internal- and external-facing interfaces would have gone a long way to preventing the lateral movements the Target attackers were able to pull off in a short amount of time. Companies that develop in-house applications should also ensure they are designed securely from the get go, performing both static and active secure code reviews at every minor release. Furthermore, only authorized white-listed applications should be allowed to run and properly identified.

We have arrived at a state where cyber attacks against payment systems have become pervasive, massive, damaging and embarrassing. The boardroom rationalizations of the last decade no longer serve the business' profitability or survivability. Risk cannot simply be transferred to insurance like it could before -- at least not without serious damage to goodwill, customer-base trust and future lost revenue. Security controls are meaningful and next-generation ones are no longer just a necessary evil. They are business enablers necessary to protect profits.  

Related: Think China is the No. 1 Country for Hacking? Think Again.

Eric Basu

CEO of Sentek Global

Eric Basu is the CEO of Sentek Global, a provider of government and commercial cybersecurity and information technology solutions. 

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Business Solutions

Right Now, You Can Get More Than 310 Hours of IT Training for Just $50

Stay ahead in tech with the CompTIA Super Bundle.

Business News

Here's What the CPI Report Means for Your Wallet, According to JPMorgan and EY Experts

Most experts agree that there will be another rate cut next week.

Operations & Logistics

The Holidays Mean Vacation Time — But Disaster Can Still Strike. Is Your Crisis Plan Ready?

Holidays mean different working hours for companies and different schedules for employees that take off. Before you and your team enjoy some much deserved time off, it is important to put a crisis management plan in place so your business is ready to tackle any issue that crops up.

Starting a Business

How to Start a Freight Brokerage Business

Get your entrepreneurial destiny really moving by becoming a broker--matching shippers and transportation servicess--for the freight industry.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Side Hustle

After This 26-Year-Old Got Hooked on ChatGPT, He Built a 'Simple' Side Hustle Around the Bot That Brings In $4,000 a Month

Dhanvin Siriam wanted to build something that made revenue from ChatGPT, and once he did, he says, "It just caught on."