Five Cyber Security Strategies for 2014

Imagine for a moment a security guard. If you're like me, you picture a burly guy, arms crossed, sunglasses on, blocking an entrance. This type of character is effective in certain situations, especially when it comes to keeping away "riff raff" from establishments that want to avoid rowdy fights.

But in today's physical retail environment, the burly, mean-looking guy is less effective. Retailers are trying to get more people to come in, not keep people out or scare them away. So most retailers go for a more nuanced approach. They train their concierges to also spot potential shoplifters, train their salespeople in the art of dissuasion, and augment those human resource with a system of cameras and anti-theft devices that are simultaneously as unobtrusive to "real" shoppers as they are effective at stopping thieves from making off with merchandise. Most retailers are in a race to make their security as unobtrusive as possible – those of us on the right side of the law barely notice the security systems in place.

So it is, or so it should be, in the cyber security space. The 21st-century equivalents of the burly guy with the sunglasses are the endless security warnings, the complex passwords required to view merchandise, endless rules choking CPU and slowing down sites, and unwieldy or unruly web application firewalls that mistakenly label legitimate end-users as fraudsters and thus prevent them from browsing or shopping. That type of security is effective at stopping theft, but unfortunately it is also effective at stopping revenue growth. If the user experience is not good for the good guys, they will shop somewhere else.

So how can retail companies expand their cyber security without keeping the good guys out? Retailers essentially need to be mindful of the ways in which they are implementing security and keep the good guys in mind as much as — or more than — they keep the bad guys in mind. Consider these five strategies:

1. Understand traffic limits and consider upgrading for holidays: Retailers should work with their teams to run site load tests to ensure their websites can handle peak traffic, especially around times when they know a larger audience will access the website, such as during the holiday season or popular sales. In addition, retailers should be aware that certain security breaches can involve large amounts of illegitimate traffic, which can crash their site and cause vulnerabilities. Retailers can prepare for this type of attack (called a Distributed Denial of Service, or DDoS, attack) by requesting an update from their network infrastructure team regarding DDoS attack mitigation capacity. Possible upgrades include implementing new network firewall hardware or utilizing a cloud-based web security solution, which can defend against the largest attacks.

And while the goal is to avoid failure, retailers should still have a plan in place for when their firewall does fail. For instance, will they fail closed or fail open? If a merchant site fails closed, nobody will be able to access the website, which could result in some unwanted attention for retailers and a complete loss of sales during the downtime. If a site fails open, the website will still be available but sensitive information could be accessed more easily by criminals. Although neither option is preferable, it is important to plan for the worst and know what steps take.

2. Monitor for threats. If retailers don't have a system set up to monitor for threats, they face a steep security disadvantage. Attempting to identify the most relevant attack trends isn't something that should be done on a whim, so retailers should ensure they have some sort of system in place so that threats and attacks do not catch them off guard. This can mean regular meetings with an on-premise or cloud-based web application security vendor, or it can mean engaging with an application security consultant who can also review the retailer's threat posture and make recommendations for upgrades and updates.

3. Access and test the appropriate rules. In order to properly deal with a new threat, retailers must access the rules that have been created to specifically defend them from that particular attack. However, it is also important not to implement too many rules, as this can result in false positives and the denial of legitimate traffic. While this may seem like a catch-22, it need not be. The key to finding the balance between securing and over-securing a website is to repeatedly conduct tests. This will allow retailers to determine how many rules a website can run before it starts to negatively impact performance. Cloud-based web app firewall vendors can test and report on a constant basis.

4. Update website rules. Just because retailers have accessed and tested their rules doesn't mean their work is done. Retailers often skip this step simply because it's time consuming, but by glossing over it, they put themselves and their customers at risk. The security process is cyclical, and the only way retailers can truly be satisfied with their level of protection is by ensuring they constantly run through the checklist before a new threat has the opportunity to discover them. Hackers are constantly utilizing resources to better their strategies, and in order to stay ahead of the game, retailers must as well.

5. Create a strong and secure in-store network. In-store networks often leave something to be desired. Due to their high latency and low bandwidth, they can have a significant impact on in-store web performance, meaning routine tasks such as stock checks are going to be more difficult and time consuming.

Most of the time, network architecture and the type of connectivity available in store are to blame for slowdowns. For example, approximately 90 percent of organizations backhaul traffic from the branch office to the data center to access the Internet. On the one hand, this ensures a consistent security policy enforcement, as it is easier to lock down small Internet access points as opposed to going "direct-to-net" at every branch and having to protect all of these locations.

On the other hand, this approach impacts the performance for users in the branch office, as the traffic is unnecessarily being routed across large distances. And since bandwidth at the branch is limited, individual stores face scalability challenges. Therefore, retailers need to ensure their network is fully optimized, which will allow the network to be both strong and secure.

While the steps above may be uncharted territory for some, they are simply the latest resources retailers can utilize in order to achieve what has always been the ultimate goal: a safe and enjoyable shopper experience. Retailers have always employed mechanisms to get to know their shoppers and to identify their businesses' weaknesses, and by following these steps, they are applying the same standards they have for their physical locations to their online locations. Retailers already know how to apply nuance and common sense to their physical security strategies; it is time to apply those same principles to cyber security strategies.

Daniel Shugrue is director of Product Marketing for Akamai, a cloud computing services company.
This ad will auto-close in 10 seconds