March 11, 2020 By Mark Stone 4 min read

Retail businesses, from mom-and-pop shops to major department stores, are investing heavily in technology to enhance the in-store experience. With the imminent arrival of mainstream 5G, smarter systems are expected to dominate the retail space as the internet of things (IoT) expands. But as we know from connected device deployments in other sectors, such as financial services and healthcare, the IoT is fraught with security vulnerabilities. For retail security, the risks of deploying IoT devices are no less dire.

As organizations rely more on the IoT to connect every stage of the retail process, protecting IoT infrastructure is critical. Approaching these deployments with the right security mindset from the outset goes a long way toward achieving a win-win for retail security.

Outfitting the IoT for the Retail Industry

What I find fascinating about the retail industry is its hope that the IoT can solve IT-related problems. Steve Latham, CEO and founder of the IoT software company Banyan Hills Technologies, told me that one of the IoT trends they’re seeing in retail is meant to help IT personnel sleep better at night.

“Kiosks and point-of-sale (POS) systems are a good case in point,” Latham said. “One of the biggest problems with systems like these is unexpected failures and unplanned maintenance. When a terminal fails, that failure is generally unpredictable. Getting someone there and getting it fixed is critical. IoT technology can leverage real-time data about the health and status of the entire kiosk or point-of-sale network — along with historical maintenance records — to recommend a predictive maintenance schedule.”

According to Latham, as retail moves slowly toward self-service, IoT technology can automatically monitor the behavior of self-service kiosks and POS terminals. Not only that, it can report anomalous trends in reading and processing customer credit cards as well. “Without needing any IT personnel to log the fault, the IoT system knows and incorporates that into its assessment of the network’s health,” he said. “It can then take appropriate steps to have it fixed, either by logging a ticket itself or alerting users to the problem.”

The IoT in retail represents more than kiosks and POS, however. After all, part of the IoT’s function in any industry is to manage every part of the ecosystem proactively. Retail is no different: IoT devices will analyze the data they collect and make actionable recommendations.

“As the responsibility shifts from overworked humans to smart networks with sensors throughout the store, IoT [devices] can track inventory both on store shelves and back in the stockroom,” said Latham. “In the back office, it can make sure that printers have sufficient consumables, mobile POS systems are working and get charged at the end of every shift, and inventory levels are properly monitored.”

Another retail security scenario to consider is the fitting room of the future. Retailers with smart fitting rooms can identify customers when they enter the store by means of cameras, near-field communication (NFC)-tagged customer cards, NFC-enabled wearables or Bluetooth. In this scenario, there are multiple potential pitfalls:

  • Fitting room devices can be hacked
  • In-store networks can be compromised
  • Self-payment systems are susceptible to fraud
  • POS terminals can be hacked
  • NFC tags can be manipulated
  • Customer data can be lost

For an industry holding on to any hope for its brick-and-mortar business, we can see why the IoT is such an attractive solution.

Are Your Doors Open to IoT Security Vulnerabilities?

Retailers can’t afford to be any less vigilant about IoT risks than industries like healthcare. Remember that every benefit the IoT brings to the table can turn into a liability if bad actors connect to these devices.

According to independent cybersecurity consultant Sam Patel, most of these products are built with functionality in mind and marketed as unbreakable. “One only needs to look at smart locks … or run a quick search on Shodan for webcams to understand the reality,” he said.

Patel added that those fancy beacon devices that push notifications onto customers’ devices use Bluetooth Low Energy (BLE), which is relatively easy to hack. Beacons have been and can be used to deliver malicious attacks.

Then there are radio-frequency identification (RFID) tags, which are commonly used in retail spaces. “They’ve been compromised several times over the years — not only in consumer realms, but enterprise-level incidents as well,” said Patel. “While security controls like access control and two-factor authentication (2FA) exist, they are not often implemented. With all that data collected, compliance can be a tricky business. Reputational damages are a very real possibility if safety and privacy are compromised.”

A Retail Security Blueprint That Won’t Break the Bank

Securing a retail network and its devices can be costly, but the basics are inexpensive and remain essential. Before going all-in on an IoT solution, organizations should ensure basic security measures aren’t optional.

To that end, Patel suggests the following:

  • Evaluate whether or not any IoT devices you intend to purchase are secure by design and whether the company selling the product treats security as a priority.
  • Change all default passwords, don’t reuse the same passwords for multiple devices or systems, and use a password manager to add an additional layer of security.
  • Install patches and updates as soon as they become available across your entire environment.
  • Most importantly, never make the mistake of onboarding your IoT devices onto the same network that you use for your regular operations — unsecured configurations in your IoT deployments can easily leak sensitive information beyond your network’s Wi-Fi password.
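One way to turn the checklist above into a repeatable audit, as an added example (not code from the article or from Patel): it walks a device inventory and flags default credentials, credentials reused across devices, outdated firmware and any device sitting outside the isolated IoT segment. The inventory layout, device names and the use of a SHA-256 hash of the admin password as a reuse "fingerprint" (so the inventory never holds plaintext secrets) are assumptions.

```python
"""Audit a retail IoT inventory against the basic hardening checklist.
Added example; the inventory format and credential fingerprinting are assumed."""
import hashlib
from typing import Dict, List


def fp(secret: str) -> str:
    """Fingerprint a credential so reuse can be detected without storing it."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Fingerprints of a few well-known factory defaults (assumed list).
KNOWN_DEFAULT_FPS = {fp("admin"), fp("1234"), fp("password")}

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"id": "kiosk-01", "vlan": "iot", "cred_fp": fp("admin"),    "fw": "2.1", "latest_fw": "2.3"},
    {"id": "pos-07",   "vlan": "ops", "cred_fp": fp("Qx!7hb3"),  "fw": "5.0", "latest_fw": "5.0"},
    {"id": "beacon-3", "vlan": "iot", "cred_fp": fp("Qx!7hb3"),  "fw": "1.0", "latest_fw": "1.0"},
    {"id": "cam-12",   "vlan": "iot", "cred_fp": fp("v9#Lm2zz"), "fw": "3.4", "latest_fw": "3.4"},
]


def outdated(current: str, latest: str) -> bool:
    """Compare dotted version strings numerically, so 2.3 < 2.10."""
    def as_tuple(v: str):
        return tuple(int(part) for part in v.split("."))
    return as_tuple(current) < as_tuple(latest)


def audit(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return, per device id, the checklist items it violates (empty = clean)."""
    users: Dict[str, List[str]] = {}  # fingerprint -> devices using it
    for dev in inventory:
        users.setdefault(dev["cred_fp"], []).append(dev["id"])
    findings: Dict[str, List[str]] = {}
    for dev in inventory:
        issues = []
        if dev["cred_fp"] in KNOWN_DEFAULT_FPS:
            issues.append("default credential still set")
        others = [d for d in users[dev["cred_fp"]] if d != dev["id"]]
        if others:
            issues.append("credential reused with " + ", ".join(others))
        if outdated(dev["fw"], dev["latest_fw"]):
            issues.append(f"firmware {dev['fw']} behind {dev['latest_fw']}")
        if dev["vlan"] != "iot":
            issues.append(f"on '{dev['vlan']}' network instead of isolated IoT segment")
        findings[dev["id"]] = issues
    return findings


if __name__ == "__main__":
    for dev_id, issues in audit(INVENTORY).items():
        print(dev_id, "OK" if not issues else "; ".join(issues))
```

Feeding the script a real inventory export (one record per device, same fields) gives a per-device punch list that maps directly onto the four items above.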

Even once the basics are in place, many retailers unfortunately lack the personnel to keep up with evolving threats.

My advice for retail companies is to make sure business leaders understand that security should not be viewed as an added expense. Instead, they must acknowledge the consequences of not securing their infrastructure. Further, retailers should engage outside security professionals to conduct thorough testing.

Finally, there’s the privacy issue. Having security plans in place around consumer data privacy is paramount.

“Retailers need to know what data is collected, what data is stored, for how long the data is stored, and how the data is securely deleted from all storage locations,” said Debbie Zaller, an independent security and privacy compliance assessor.

I know that for the average retailer all of this can be overwhelming, but cybersecurity is never easy, and any industry relying on the internet of things for digital transformation cannot afford to ignore IoT risks. By following the tips included here, you’ll be off to a good start.
