Make periodic checks of workstations/POS systems. To save time, employees often use Post-It notes with passwords on them. Having a written password is strongly discouraged; however, if passwords are written down they should be hidden inside a locked drawer. Passwords that are shared amongst two or more people should be rotated regularly. Also, physically inspect the machine to make sure any mag stripe readers, key loggers, or any other hacking tool has not been secretly attached.
Encourage use of strong passwords. While a mix of numbers, letters, and special characters is highly secure, they are also very hard to remember. Another school of thought in password strength encourages users to create one by combining four different words that normally would never be in the same sentence. For example: “mulberry demolition definition coalition” has its own poetic rhythm that would make it easy to remember, but near impossible to crack. (If your system uses numeric passwords, make it a six-digit code instead of four, which exponentially raises the security. Suggest employees think of a date except their birthday or an anniversary to generate their code.)
Keep their mind on security. You can set up an alert in Google such as “data breach [industry]” or subscribe to a security blog or magazine that sends out breaking news. Forward these to employees, make periodic announcements, or send company wide emails reminding them that your company could be next. If there is a place for signage, like in a break room or sign in room, you can consider using posters and tip sheets from the National Cyber Security Alliance’s program called STOP.THINK.CONNECT. These graphics are in a variety of languages and cover many different aspects of security. There is also a specific Technology Checklist for Businesses that can be very useful to retailers.
Make sure employees know who to contact if they notice anything suspicious with the system or think they’ve been hacked. Put the phone number or email in a conspicuous place (this is when it’s OK to use a Post-it note!). Remind them to make the call immediately, no matter the day or time.
Drill drill drill! SecurityIQ has created an app called PhishSIM that automatically delivers a battery of “phishing” emails to a selected list of employees. If an employee falls for the phishing attempt, they are immediately provided with training in the form of an interactive video to help them learn from their action and avoid a similar situation in the future. The PhishSIM emails can be customized from our templates or created from scratch. Our template library includes emails that look like they are from a bank or an IT manager requesting users to reset a password by clicking the link. Others offer “Free Pizza” or greeting cards from a loved one. Another set take a more serious tone, saying the recipient’s computer needs an “Emergency Update” or that they’ve received a “Notice to Appear” in court.When selecting your templates for a campaign, a variety of attacks are suggested; one email can be a Drive By (a phishing email with a link to a malicious website), another an A PhishSIM will not only automatically send out the emails to employees on the list, it will also record their action. If they click and/or logon to a phony login page, they are sent to a customizable landing page that has a short video informing them they could have been phished. Enroll employees in AwareED training. In tandem with PhishSIM comes another crucial element in your retail store’s security: education. AwareED is a tool that can be used to deliver security awareness training to users, a requirement of many regulatory and compliance standards. It contains a series of videos and quizzes which can be configured for groups of learners; each module teaches a fundamental yet essential concept such as Password Security or Phishing awareness. You can use PhishSIM as a precursor to AwareED. Those employees that click on one of the PhishSIM emails can be automatically enrolled and you can monitor their progress remotely. But just because someone didn’t click on a PhishSIM link the first time doesn’t mean they’re completely aware. It is a good idea to make some kind of AwareED course mandatory, with a re-test regularly or if they get caught by PhishSIM a second time. Make it a game. “Gamification” is the buzzword that essentially means giving incentives and rewards for employees that participate. Those that pass the courses in a set amount of time could be eligible for a small reward. You could also reward employees that flag suspicious emails or activity that could have resulted in a potential breach. If you are a company that deals with customers via online chat or telephone, you could also try some role playing. Gavin Watson, author of Social Engineering Penetration Testing published by Elsevier suggests getting employees to start with the assets they are responsible for and imagine if they were a criminal trying to get access to them. “This then empowers them to think in terms of the asset protection and consequences of a breach, and provides them with the skills to spot and thwart attacks, rather than just banging them over the head with a rule book…” he said in InfoSecurity Magazine. Do NOT use threats or punishment to keep people vigilant. If an employee fears reprisal or that they may lose their job, they will be less likely to come forward to report something. Let them know we are all human beings and make mistakes, but remind them that is why it’s even more important to stay alert. Be sure to disable ex-employee accounts. Once someone is terminated, it is important that in addition to taking their laminate that you also take their access credentials. Consider minimizing the amount of customer data that is retained, or refrain from storing it all together, if possible. Retailers are an especially tempting target because they often keep personal user info that can be sold on the black market. No less than Microsoft itself, in its series entitled Securing the Retail Store, recommends retailers retain no data:“Despite the availability of technologies and procedures that help secure data, the best practice is still to not store the data at all. Personally-identifiable data, such as payment card sensitive authentication data and the full tracks of the magnetic stripes, do not need to be stored. It is not an operational requirement, and furthermore, it is penalized by industry policies and regulations.” The other option they suggest is to do regular data purges. Limit access to networks from employee devices. If you have a BYOD (“bring your own device”) policy, put them on a separate limited network. Segmenting networks makes it more difficult for personal devices to gain access to portions of the network which store sensitive data. In addition, if a breach is attempted via email or SMS link on a smartphone, it can be more quickly contained.
Security Awareness Training is one of the most critical parts of any company’s security plan because it can instruct your employees using real-world scenarios, where lessons are more likely to be retained, rather than in a one-off study-once-then-forget afternoon. AwareEd, when combined with PhishSIM, is an extremely effective way to teach users how to recognize and avoid potential threats that exist in a retail environment. Once you see the benefits of our system, you will probably want to upgrade to unlimited campaigns/learners, which is also free for 30 days.
