Get All Access for $5/mo

Preventing Another Target Attack For retailers that don't want to be the next Target or Neiman Marcus, here are three tips they can do to protect themselves.

By Eric Basu Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

Shutterstock

While Target's credit-card security breach continues to get ugly, the real alarming part, is they weren't alone. At least five other major retailers were also hit during the same holiday period. While the total number of records in the other attacks was one-tenth that of Target, the assailants still stole an average of 27,000 records per store using the same techniques.

The obvious question becomes, "What can be done by retail businesses to both detect and to protect against this specific threat?" To be fair, there are established Payment Card Industry (PCI) compliance standards that are designed to assist retailers in thwarting point-of-sale (POS) attacks like the ones inflicted recently. The controls, however, are worded in ways that are open to interpretation and often are not explicit enough in their language to ensure comprehensive security controls are effectively implemented.

While PCI provides an excellent starting point and also includes many traditional information security best practices, it cannot be expected as a mere standard -- to canvas the entirety of what it means to operate in a secure state as an organization. Other activities are required.

To that end, here are three other points retailers should implement above and beyond the minimum standard.

Related: Keeping Your Intellectual Property Safe and Sound

Individually lock down every single POS system component. A POS terminal or collector must be used solely for that single purpose -- to make transactions. So every other unnecessary service and process should be disabled. For example, the local or remote operator should not be able to browse the internet, receive emails or perform any action that is not a direct functional requirement for the POS to function. If the terminal does need connectivity to the Internet, the specific service protocols should be the only ones allowed to leave the system and the traffic should be encrypted.

Employ monitoring software for the overall network. There are next generation software solutions that effectively visualize network traffic, break down machine-to-machine connections by service protocols and allow filtering by machine, service or even internet destination. For example, a North American-based retailer using a payment processing partner from the same continent should not see outbound connections from a POS terminal to places like Russia, China or Brazil. If they do, the connection should be dropped and the security administrator should be notified of the machine initiating the connection.

Related: Why Your Small Business Is at Risk of a Hack Attack

Implement application-level security practices. Application security is an often overlooked layer of security in POS environments. Keeping such programs up to date with the latest versions and patches as well as performing penetration tests on both internal- and external-facing interfaces would have gone a long way to preventing the lateral movements the Target attackers were able to pull off in a short amount of time. Companies that develop in-house applications should also ensure they are designed securely from the get go, performing both static and active secure code reviews at every minor release. Furthermore, only authorized white-listed applications should be allowed to run and properly identified.

We have arrived at a state where cyber attacks against payment systems have become pervasive, massive, damaging and embarrassing. The boardroom rationalizations of the last decade no longer serve the business' profitability or survivability. Risk cannot simply be transferred to insurance like it could before -- at least not without serious damage to goodwill, customer-base trust and future lost revenue. Security controls are meaningful and next-generation ones are no longer just a necessary evil. They are business enablers necessary to protect profits.  

Related: Think China is the No. 1 Country for Hacking? Think Again.

Eric Basu

CEO of Sentek Global

Eric Basu is the CEO of Sentek Global, a provider of government and commercial cybersecurity and information technology solutions. 

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Starting a Business

He Started a Business That Surpassed $100 Million in Under 3 Years: 'Consistent Revenue Right Out of the Gate'

Ryan Close, founder and CEO of Bartesian, had run a few small businesses on the side — but none of them excited him as much as the idea for a home cocktail machine.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Franchise

The Top 10 Coffee Franchises in 2024

From a classic cup of joe to a creamy latte, grab your favorite mug and get ready to brew up success with the best coffee franchises.

Marketing

How Small Businesses Can Leverage Dark Social to Drive Word-of-Mouth Marketing

Dark social accounts for 70% of social media shares and is crucial for small businesses. Here's how you can tap into this hidden marketing opportunity.

Business News

'Jaw-Dropping Performance in 2024,' Says a Senior Analyst as Nvidia Reports Earnings

Nvidia reported its highly-anticipated third-quarter earnings on Wednesday.

Business News

'Do You Sell Cars?': Tesla CEO Elon Musk Trolls Jaguar Rebrand on X

The team running Jaguar's X account was working hard on social media this week.