Unintended Gateways: Easy Money for Crooks

Most crooks look for easy money, and all too often they find easy marks among brick and mortar retailers.

Famed robber Willie Sutton probably didn’t say he targeted banks “because that’s where the money is,” but the phrase captures the essence of criminal intent. Most crooks are looking for easy money, and all too often they find easy marks among brick and mortar retailers. Aging legacy systems, low-skilled and often seasonal workforces, reliance on third-party vendors, and lax security processes can all result in highly damaging data breaches. Few retailers are likely to have taken steps to secure their network-connected printers.

Not only are retailers heavily reliant on aging technology, but their workers are often remarkably uninformed about security best practices. According to one survey, just 29% of retail employees can identify common best practices to prevent cyber and data privacy incidents. Considering that most retailers deal with high turnover, a workforce generally lacking in technology awareness and skills, and the holiday season influx of temporary workers to handle the customer crush, it’s almost impossible to enforce security policies. That’s a recipe for exploitation from internal as well as external threats, not to mention making it more difficult to enforce compliance. No wonder retailers feel vulnerable.

According to the National Retail Federation’s 2017 National Retail Security Survey, employee theft and insider crime account for almost one-third of “inventory shrinkage,” just behind the amount siphoned off by shoplifting and organized retail crime activities. As a result, the Chicago Times reports, “there’s growing dependence on technology and electronic monitoring but less emphasis on seasonal employee vetting or training staffers to recognize in-house scams.”

Unintended gateways

In the hectic holiday shopping season, these factors make the unattended network printer an exceptionally vulnerable target of attack. Considering that these devices often provide unintended gateways to point-of-sale (POS) legacy equipment that retailers are reluctant to replace until it can no longer be repaired, many retailers are sitting on a potential time bomb of cyber risk.

Not only that, but many retailers aren’t even aware there is a problem and so they don’t prioritize this security vulnerability. A Spiceworks survey of more than 300 enterprise IT decision-makers found “just 16% of respondents think printers are at high risk for a security threat/breach.”  

Because retailers are especially vulnerable to the theft of credit card and personally identifiable information, they can’t afford to leave themselves exposed in this manner. Whether accidental or malicious, the leak of such data can quickly deplete the trust and loyalty that retailers have spent years, if not decades, building—and at a time when they’re most vulnerable to losing business to ecommerce competitors.

To combat these challenges, retailers need multilayered security strategies that ensure there are no weak links waiting for cyber criminals to exploit. Technology is available today to ensure additional security features are built into retail hardware, with strong protections embedded all the way down to the BIOS level. Data encryption can prevent spyware from collecting usable data, and strong user authentication and printer “pull” technologies can ensure that only authorized users are able to receive documents.

Don’t rely on manual procedures

Given the generally low-skilled retail workforce, and the seasonal expansion of temporary workers, retailers also can’t be expected to rely on manual security procedures. Instead, they should seek to equip IT staff and managerial teams with automated security solutions that take human error out of the equation and streamline day-to-day operational requirements.

To learn more about ensuring that printers are an element of security, rather than a vulnerability, watch the YouTube videos The Fixer and The Wolf from HP.



Copyright © 2017 IDG Communications, Inc.