Just a few weeks ago, a massive hack of Dyn, a New Hampshire-based company that monitors and routes Internet traffic, disrupted service at a number of popular websites, including Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and others. Not only did it inconvenience millions of users across the country, it also drew attention, yet again, to the potential vulnerability of IoT (Internet of Things) devices. It was a good reminder to all of the need to be increasingly vigilant about the security of both data and data-gathering sensors.
The October 21 attack was a large-scale distributed denial of service (DDoS) attack that used phishing emails to infect computers and home networks with malware, eventually spreading to unprotected IoT devices like DVRs, cable set-top boxes, routers and video cameras. In turn, all those devices were co-opted to create a robot network – a botnet – that then sent millions upon millions of illegitimate access requests that flooded systems and blocked service.
So, in light of ‘everyday’ connected devices being turned into source vehicles for malicious attacks, how does today’s IoT-enabled Smart Store stay safe, secure and protected? Below are three considerations to implement and follow.
Proactively manage and update all connected devices
It’s incredibly easy to install devices, connect them to the Internet, then … forget about them until something like October 21’s DDoS attack happens.
All cloud and IoT devices should be proactively managed, and a big part of that is full backing by vendors who provide regular security updates. Ensure your vendor partners perform holistic security audits, and while you’re at it, look for ways to consolidate the number of sensors and vendors you work with: the fewer unique devices you have, the easier they are to monitor and manage.
From time to time, you will have aging sensors that approach their effective end of life. That’s not a problem, and they pose no threat, if they are not connected to the Internet. However, if they are connected devices, make certain to disconnect and uninstall them as necessary.
Never circumvent IT processes when installing hardware
Utilizing open, interoperable devices allows for an almost limitless potential of data collection for organizations, empowering the types of data-driven decisions that differentiate organizations and create a competitive advantage. Of course, that’s one side of the coin; the other is that, if not deployed properly, such devices leave potential vulnerabilities unvetted and unchecked.
In the haste to install and deploy, an organization must be diligent in ensuring established security measures are never circumvented. Be sure to work with your IT security team to ensure that current security policies are designed with these devices and business cases in mind. Today’s cloud-managed devices usually only make outbound connections from a store, which is preferable to having to allow inbound connections from the Internet through your firewall.
Lastly, retailers should apply the same rigor to sensor, network and data security as they do when following PCI DSS protocols (Payment Card Industry Data Security Standard, designed to ensure all retailers accept, process, store and/or transmit credit card information in a secure environment). Extend the processes you already do well to other segments of your IT infrastructure.
Deploy a layered approach to data and sensor security
Effective retail data and system security is almost always a layered approach, with initiatives that begin at the firewall, incorporate PCI compliance practices, and include routine security measures like audits and systematic software and firmware updates.
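The checks described above (outbound-only connections at the firewall, regular vendor updates, and disconnecting end-of-life devices) can be run together as one routine audit. The script below is an added example, not code from the article or from any vendor; the device names, vendors, segment name, rule format, audit date and 180-day update threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data, not from the article: device inventory and the
# firewall rules for the network segment the sensors sit on.
AUDIT_DATE = date(2016, 11, 15)   # constructed "today" for a repeatable run
MAX_UPDATE_AGE_DAYS = 180         # assumed policy threshold
DEVICES = [
    {"name": "cam-entrance", "vendor": "VendorA", "connected": True,
     "end_of_life": date(2018, 6, 30), "last_update": date(2016, 10, 1)},
    {"name": "counter-door", "vendor": "VendorA", "connected": True,
     "end_of_life": date(2015, 12, 31), "last_update": date(2014, 3, 9)},
    {"name": "dvr-backroom", "vendor": "VendorB", "connected": True,
     "end_of_life": date(2019, 1, 31), "last_update": date(2015, 2, 11)},
    {"name": "beacon-old", "vendor": "VendorC", "connected": False,
     "end_of_life": date(2014, 5, 1), "last_update": date(2013, 8, 20)},
]
RULES = [
    {"direction": "outbound", "src": "sensor-vlan", "dst": "internet", "action": "allow"},
    {"direction": "inbound", "src": "internet", "dst": "sensor-vlan", "action": "allow"},
    {"direction": "inbound", "src": "internet", "dst": "sensor-vlan", "action": "deny"},
]


def audit(devices, rules, today, segment="sensor-vlan"):
    """Return sorted (layer, subject, finding) tuples for one store."""
    findings = []
    # Firewall layer: flag any rule that lets the internet reach the sensors.
    for index, rule in enumerate(rules):
        if (rule["direction"] == "inbound" and rule["src"] == "internet"
                and rule["dst"] == segment and rule["action"] == "allow"):
            findings.append(("firewall", f"rule {index}", "inbound allow from internet"))
    # Device layers: only connected devices are in scope.
    for dev in devices:
        if not dev["connected"]:
            continue
        if dev["end_of_life"] < today:
            findings.append(("lifecycle", dev["name"], "connected past end of life"))
        elif (today - dev["last_update"]).days > MAX_UPDATE_AGE_DAYS:
            findings.append(("updates", dev["name"], "no update within threshold"))
    return sorted(findings)


def vendors_in_use(devices):
    """Vendors with at least one connected device (fewer is easier to manage)."""
    return sorted({dev["vendor"] for dev in devices if dev["connected"]})


if __name__ == "__main__":
    for finding in audit(DEVICES, RULES, AUDIT_DATE):
        print(*finding, sep=" | ")
    print("vendors in use:", ", ".join(vendors_in_use(DEVICES)))
```

The offline end-of-life device produces no finding, matching the point above that aging sensors are only a concern while they remain connected.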
An ounce of prevention is worth a pound of cure, and the IoT-enabled smart store that consistently follows a relatively simple security process frees up ever-scarce resources for the most mission-critical process of all, delivering magical shopping experiences to store visitors.