This holiday shopping season, IT and physical security practitioners have the tough task of protecting customer data and preventing shoplifting. Here are 11 tips to bring sanity to the process. If your business is physical security, Friday is more than likely going to be a rough day. Shoppers will storm your stores the day after Thanksgiving in what has become known as Black Friday and spend, spend, spend. That’s what the retailer wants, of course. But for the security pro, it means a much bigger risk of shoplifting on the part of customers and employees alike.See also: Retail Shrink, Theft Up in 2009 and Recession Woes: What People StealFor IT security practitioners, the day to watch is so-called Cyber Monday, when the masses turn on their office computers and, instead of working, storm the online marketplace for holiday gifts. Here, the worry is that hackers are lying in wait, ready to break into retail networks and steal customer credit card numbers. (See Survey: Despite Risks, Employees Still Holiday Shop at Work.)To help ensure a more effective defense, CSOonline reached out to physical and IT security experts and gathered up the following 11 tips. Tips 1-5 courtesy of David Bonvillain, vice president of Accuvant LabsTip 1: Make sure the security software is on.Experts Only: Time to Ditch the Antivirus?. But the chances of avoiding a security breach will still increase if the anti-malware is turned on. Ensure all systems that access the Internet are protected with anti-malware technology, specifically making sure browser security enhancements are configured and enabled in AV software, Bonvillain says. Much has been said about the sorry state of AV this year – for one example, read Tip 2: Save users from themselves (otherwise known as awareness training)Forget that employees are shopping on company time, probably a career-limiting activity in some places. The bigger problem is that they’re doing it on company machines online thieves are just itching to hijack. Since employees are going to do this anyway, Bonvillain says they should at least be educated on how to do it safely: “Awareness of common techniques and an understanding of how to identify malicious content can go a long way toward proactive prevention. Keep in mind that these types of attacks are also pervasive over IM and social networking technologies and are not simply limited to traditional Web browsing.”Tip 3: Monitor the networksThis may seem painfully obvious, but since warning signs tend to be missed and the breaches keep piling up, Bonvillain says this one’s worth repeating: “Comprehensive monitoring of both the network and the client will help you trend threats, identify weakness in your existing enterprise, and if necessary give you the tools to identify and contain a breach if one occurs.”Tip 4: Segment the networksPCI security standard, you should be doing this anyway. The idea is to make it so the bad guys can’t access the goods, even if they manage to break into another part of the network. Says Bonvillain: “By segmenting users from each other as well as network assets should a breach occur you limit your exposed footprint to potential malware, or even an attacker. Treat user computers as untrusted devices.” If you’re a merchant bound by the requirements of the Tip 5: Stop the malware in the mobile machineCracking down on employees who shop online with company machines has become especially difficult because they are using mobile devices beyond the eyes of office managers and, often, beyond the eyes of IT, especially the laptops. To that end, Bonvillain says, “If employees are allowed to take corporate assets (laptops) home for personal use or access the corporate environment using mobile devices, ensure not only that secure VPN technologies are installed and utilized, but that some sort of endpoint security validation or quarantined access is in place.”Tip 6: Remove the cash Here’s some simple advice for physical security pros from the loss prevention manager of one of the largest department stores in the U.S.: The less cash you keep lying around, the smaller the payday for any potential robber. “Multiple cash pick-ups throughout the day to get the cash off the floor is a must,” the manager said.Tips 7-11 courtesy of MerchantWarehouse.Tip 7: As Ronald Reagan used to say, “Trust but verify”Ensure address verification system and card verification values match (i.e. 3 or 4 digit in signature panel)Tip 8: Verify signature blockSure, cashiers get overwhelmed when there’s a long line of impatient people in front of them. But an important part of stopping credit card fraud is to check the signature block, particularly if the signature is worn out.Tip 9: PIN the tail on the transactionAs a rule, PIN debit transactions are more secure (and typically cheaper) than signature-based transactions.Tip 10: Bad things in store for those who storeAnother basic requirement of PCI security is that companies store as little card holder data after transactions as possible. The more that’s stored, the more damage companies and customers can suffer at the hands of data thieves. Tip 11: Encrypt itVerify that your company has an encrypted card reader to ensure PCI compliance and, more importantly, to ensure the bad guys can’t use what they steal. Related content brandpost How an integrated platform approach improves OT security By Richard Springer Sep 26, 2023 5 mins Security news Teachers urged to enter schoolgirls into UK’s flagship cybersecurity contest CyberFirst Girls aims to introduce girls to cybersecurity, increase diversity, and address the much-maligned skills shortage in the sector. By Michael Hill Sep 26, 2023 4 mins Back to School Education Industry IT Training news CREST, IASME to deliver UK NCSC’s Cyber Incident Exercising scheme CIE scheme aims to help organisations find quality service providers that can advise and support them in practising cyber incident response plans. By Michael Hill Sep 26, 2023 3 mins IT Governance Frameworks Incident Response Data and Information Security news Baffle releases encryption solution to secure data for generative AI Solution uses the advanced encryption standard algorithm to encrypt sensitive data throughout the generative AI pipeline. By Michael Hill Sep 26, 2023 3 mins Encryption Generative AI Data and Information Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe