Securing IoT: Best Practices for Retailers

Internet of Things technology offers opportunities for new retail revenue streams, but it also comes with cybersecurity challenges that must be addressed.

We see innovation on a daily basis. Without a doubt, one of the most game-changing innovations is the Internet of Things (IoT). Industry analyst firm IDC expects there will be over 41 billion connected IoT devices by 2025.

In particular, the retail sector is increasingly using IoT technology to personalize the customer experience and support digitization. However, much of this involves collecting personal data, which is a target for cyber criminals.

As the connected ecosystem expands and retailers continue to invest in connected devices to increase competitive advantage, let’s explore how these trends will affect security.

Growth opportunities

IoT in retail is a tremendous opportunity to provide a truly customer-centric experience. For example, this might include magic mirrors for clients to virtually try on clothing, cashier-less checkout options, and virtual pathways through a physical or electronic store based on the unique needs of a specific shopping trip.

A better customer experience translates to customer loyalty and repeat business. For the retailer, being able to understand buyer intent helps to optimize the supply chain to make sure the right items are available at the right time for the right customer. Ultimately, through IoT technology, shopping experiences are improved for the customer and more predictable for the retailer.

And yet, with every improvement in technology comes the opportunity for new or unexpected problems.

Some of the challenges arising from IoT

While the technology offers tremendous value for the consumer and the business, IoT implementations should be managed and deployed with a security-first mindset to help prevent data breaches and to deny adversaries ways to enter the corporate network and move laterally to cause major business disruption. Organizations should make cyber-risk mitigation a part of every transformative initiative from the very start.

IoT usage expands the number of devices attached to a network and thus increases the attack surface. Organizations need to understand how an IoT device works and how it is connected to the network. They also must have visibility into how data is collected, processed, and used. This information is necessary to secure both the IoT device itself and the software running on it.

IoT devices are endpoints on a network and should be treated with the same consideration as any other endpoint — such as a laptop, server, or phone. One step in helping to prevent the breach of an IoT device is password management. Often, organizations will “set and forget” an IoT device with the default factory password. This practice gives adversaries the opportunity to gain access to the device and potentially move laterally throughout the network.

Another cybersecurity best practice for IoT is having a patch management strategy. This should include ensuring patches are up to date and allowing for out-of-band patchability and auditability to eliminate obvious opportunities for adversaries.

Managing IoT with a Zero Trust approach also helps to reduce cyber risk. Zero Trust means not trusting anything inside or outside of the perimeter and requiring verification of anything and everything. Clearly categorizing types of endpoints is a good way to distinguish an IoT device from a traditional endpoint that is typically “attached” to a human. Using Zero Trust to manage IoT devices requires a strong cybersecurity engineering approach, so it often helps to align with an IT security partner if your in-house staff lacks this expertise.

Another best practice: The headless or non-GUI (graphical user interface) applications that run the IoT device and collect the data should be highly secured. Using software engineering best practices means that the application is tested for security vulnerabilities and those vulnerabilities are either remediated or deferred based upon a risk assessment.

Next steps

Lower latency and higher bandwidth capabilities will make IoT initiatives more attractive because this functionality speeds processing and thus increases business value. Organizations must: be ready from a cybersecurity perspective to proactively manage new and larger attack surfaces due to this increase in connectivity; understand and highly secure the larger number of devices accessing the network; and use automation for the extension of security policies to new types of devices.

While IoT solutions are game changers for retailers, they must be deployed in a thoughtful manner so as not to put sensitive information at risk. Trust and credibility are critical cybersecurity traits that can help businesses withstand cyber threats.

Copyright © 2021 IDG Communications, Inc.