Defending your store from cyber-attacks

Stephen Franklyn, director of Lithium Systems and an outsourcing IT support and technology specialist, offers advice to retailers on how to protect their business against online threats.

WE live in a world of information technology and information risk. Just imagine, for a moment, losing all your profit and loss and sales data.

According to HM Government figures, a third of all small businesses and 65% of large businesses have reported a cyber-breach or cyber-attack in the past 12 months, figures that translate into huge financial costs and disruption to day-to-day operations – to say nothing of reputation costs, which can be catastrophic for you, your business and your brand.

Today, retail empires can be operated from a tablet computer. But the control and convenience technology brings can come at a considerable cost due to crime.

Typical difficulties in this scenario include: losing all your customer and stock records, not knowing which suppliers you have paid and when – and of course, no longer knowing who owes you money either.
It is to deal with precisely these kinds of issue that there is now a UK Government initiative called Cyber Essentials.  Developed in partnership with industry, it deals with cyber-security in two ways.

Make no mistake – there are people out there who are dedicated to exploiting your vulnerabilities.

Firstly, it outlines all the basic ‘controls’ or actions that businesses of all shapes and sizes need to address to mitigate the risks from common internet threats.

Secondly, it provides an accreditation framework that allows businesses  to demonstrate to customers, investors, insurers and others that they have taken these essential precautions. Designed to be low-cost, Cyber Essentials and the more advanced Cyber Essentials Plus certificates are achieved through working with practitioners and accreditation organisations.

However, even if a business does have a basic understanding of cyber-security, it needs to understand the controls that have to be put in place to ensure it. That is why the first port of call for any business should be an accredited Cyber Essentials practitioner.

A Cyber Essentials practitioner will look at the following controls to raise your cyber-security level:

• Firewalls
Rules should be applied to restrict inbound and outbound network traffic to authorised connections.  Firewall rules need to be reviewed on an ongoing basis and no one should be able to access your administrative interface to your firewall from the internet, other than via carefully constructed protocols (in the case of a remote administrator or external service provider).
• Secure Configuration
Computers and devices across your network need to be configured to reduce any inherent vulnerabilities and provide only the services that your business needs. Default installations are not good enough here, and auto-run installation features should be disabled. Personal firewalls also need to be looked at.
• User access control
User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. That’s why the principle of least privilege should be applied to user accounts.
• Malware protection
Malware protection software and configuration are vital weapons in a business’s armoury against such threats.  Vigilance is key here, keeping everything up to date and covering all points of contact at which your business might be exposed to malware.
• Patch management
The latest security patches should be applied to deal as quickly as possible with vulnerabilities identified by software vendors.
Make no mistake – there are people out there who are dedicated to exploiting your vulnerabilities; these are people who, once they have secured your data, will quite literally hold your business to ransom using ransomware.
That’s why you should be involved in a continual review of all your IT policies, working with a reputable IT support company that can respond to your requirements, foresee problems before they happen and devise strategies to protect your business from those who would seek to harm it.
Lithium is a Scottish IT and technology solutions provider for the SME market, with a particular specialism in supporting retail businesses.
For further information, visit