Optimizing Operations and Strengthening your Cyber Wall


By Rick Snook

Data breaches are on the rise for many businesses. Those who do suffer data breaches risk harming their reputation and losing their customers’ trust. Since March of this year, cyber threat actors have been busily targeting and trying to compromise various businesses across Canada, including retailers. We are seeing a rise in cybercriminal attacks and malicious activity. In fact, a news release published by Gartner indicates that worldwide spending on cybersecurity is forecasted to reach $133.7 billion in 2022. Some of the larger retailers are taking the necessary measures to protect customer data by implementing proper controls and policies to secure endpoint devices. However, retailers who don’t have proper cybersecurity in place are performing transactions by phone, personal devices, and/or Wi-Fi networks that are poorly secured.

Ask yourself, who has access to your data? Was the data related to each transaction deleted or destroyed? Hackers don’t have to break into databases to access sensitive data; they can hack any endpoint IoT device, including surveillance equipment like cameras, or other network systems that are not properly configured with cybersecurity in mind.

Other malicious activities that retailers have experienced in the last couple of months, such as thefts and property damage, are on the rise. It’s important for retailers to have a full remote view of their store(s) with a clear picture of the store and surrounding area. To accomplish this, there must be a means of secure communications in place to avoid man-in-the-middle access to the network. In recent months, remote connection has become essential for many security and operations departments to audit and conduct remote check-ins. To achieve this type of surveillance, the cybersecurity health of operational systems should be top of mind. Without secure communications, customer data is not the only asset at risk. Video streams become vulnerable and could lead to a potential ransomware attack.

Cyberthreats and surveillance video

Video systems can capture a lot of customer data, such as license plates of cars in parking lots or in the vicinity of stores. Facial recognition, if used, can capture data, photos, purchases made through Point of Sale System (POS) integration and more. In today’s world of masked faces, surveillance products are being upgraded as we speak, and new software is being created that can monitor people with face masks who are accessing buildings and workplaces. The software is being reinvented to capture facial features left uncovered.

Omnichannel is at an all-time high. Think of all the data being captured through online shopping. Optimized check-out lines serve customers more efficiently. Mobile payment terminals further enhance the customer experience. Innovation in IoT has provided retail with the ability to integrate systems and solutions that interoperate and perform multiple tasks throughout their stores and across various disciplines in a retail environment. New technologies allow for streamlining operations, providing a wonderful customer experience and bringing costs down, but you must safeguard that data. The crown jewels need to be protected.

Some retailers are more at risk than others. Cybercriminals are always looking for the biggest reward; the objective is to be more difficult to penetrate. As an example, if you leave the cyber doors unlocked to your business, someone will eventually enter and take advantage of the situation. When it comes to data protection, hardening your cybersecurity and unifying the security and IT standards are critical.

Security and IT. Unify operations for effective data protection.

Surveillance from video is a security measure that captures useful business intelligence by performing tasks like people counting, occupancy detection, heat mapping and traffic flow. Each retail store has a single connection point or more depending on the business. Your network is only as secure as your weakest link. If you have any one of these connection points that is insecure, the entire network becomes vulnerable. Many retailers store PII (Personally Identifiable Information) for employees and customers on the network, and if a breach from any system occurs, it may lead to customer data leaks like emails, names, addresses, phone numbers and sometimes credit card data.

Some of the most common mistakes that security, surveillance and IT teams make that lead to possible breaches are around documentation of policies and adherence, and deficiencies in auditing processes. In retail, audits are normal and are done regularly. They should also be done with operational technology (OT) systems and surveillance devices.

When it comes to any security and surveillance OT initiative, IT should always be involved from the beginning of the discussion to understand the cybersecurity standards of the organization. Surveillance today is an endpoint network sensor that not only provides situational awareness but does a lot more. There needs to be collaboration with the IT Department, so that the devices are properly managed and updated in accordance with the lifecycle management recommendations of the manufacturer. Endpoint devices that are not maintained with updated firmware provide an access point to cybercriminals. Integration of OT systems creates an environment in which video is viewed remotely and business data is paired with surveillance media as part of a total solution. Effective data policies and standards based on hierarchical user privileges must be created and enforced to protect this data.

Communication among all stakeholders is key to breaking down the silos. At Axis, when we’ve worked with Security, Operations and IT jointly, projects have gone more smoothly and with less friction because everyone does due diligence to ensure an effective and secure business. Teams need to come together to address everyone’s concerns. Ultimately, the purpose of secure OT technologies is to enhance business operations.

Technologies that help protect

Security and IT are not alone. Specific technologies protect customer data, including video redaction, which is the ability to blur others in the video who are not directly involved in the incident. This is done after the fact when exporting video. Something like a Live Privacy Shield also protects against recognition of people, so that they are not recorded. Live Privacy Shield effectively addresses rules and regulations protecting privacy and personal data, a method known as differential privacy. It masks the identities of individuals in live and recorded video by comparing a live camera view with a set background scene and applying dynamic masking to areas of change – essentially moving people and objects. You can choose between colour or mosaic (pixel) masking and set the level of masking required. You can also decide how often the background should automatically update. Colour masking provides the greatest privacy protection while enabling you to see movements.
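The background-comparison masking described above, sketched as an added example (not Axis code and not part of the original article). The threshold, mask value, 2x2 block size and the small greyscale grids are assumptions constructed for illustration.

```python
# Added illustration of background-comparison masking; not vendor code.
# Frames are constructed greyscale grids (0-255); THRESHOLD and MASK_VALUE are assumed.
THRESHOLD = 30     # minimum per-pixel difference treated as "change"
MASK_VALUE = 128   # flat value painted over changed pixels in colour mode

def changed(background, frame, threshold=THRESHOLD):
    """True wherever the live frame differs from the stored background scene."""
    return [[abs(f - b) > threshold for f, b in zip(f_row, b_row)]
            for f_row, b_row in zip(frame, background)]

def colour_mask(frame, change):
    """Paint changed pixels a flat value: movement stays visible, detail is gone."""
    return [[MASK_VALUE if c else p for p, c in zip(row, c_row)]
            for row, c_row in zip(frame, change)]

def mosaic_mask(frame, change, block=2):
    """Pixelate every block that contains a changed pixel (block average)."""
    out = [row[:] for row in frame]
    for top in range(0, len(frame), block):
        for left in range(0, len(frame[0]), block):
            cells = [(y, x)
                     for y in range(top, min(top + block, len(frame)))
                     for x in range(left, min(left + block, len(frame[0])))]
            if any(change[y][x] for y, x in cells):
                avg = sum(frame[y][x] for y, x in cells) // len(cells)
                for y, x in cells:
                    out[y][x] = avg
    return out

def refresh_background(background, frame, change):
    """Adopt only unchanged pixels, so a masked person is never learned as scenery."""
    return [[b if c else f for b, f, c in zip(b_row, f_row, c_row)]
            for b_row, f_row, c_row in zip(background, frame, change)]

# Constructed sample: empty scene, then a bright figure in the top-right corner.
BACKGROUND = [[50] * 4 for _ in range(4)]
FRAME = [[52, 50, 200, 210],
         [50, 49, 190, 220],
         [50, 51, 50, 48],
         [51, 50, 50, 50]]

if __name__ == "__main__":
    change = changed(BACKGROUND, FRAME)
    for name, grid in (("colour", colour_mask(FRAME, change)),
                       ("mosaic", mosaic_mask(FRAME, change))):
        print(name, grid)
```

In the mosaic output the figure's average brightness survives in the masked block, while colour mode replaces it with a constant.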

To prevent cybersecurity threats, you need to do your homework. Review surveillance products for hacks or breaches to ensure you are getting the level of security required. Look for systems that have a cyber hardening guide for installation, Long-Term Support (LTS) firmware updates to protect against future vulnerabilities, and systems and encryption technologies that use Trusted Platform Modules (TPM) and signed firmware.


Building for surveillance data capture and the role of facility managers

If a retailer wants to start collecting more data to improve their operation, they should do a risk assessment and build a program to protect the data. Where the data resides, who has access, and how it will be audited must be considered. For any retrofit, involve all stakeholders mentioned, so you get a 360° approach to a hardened network, and if you don’t have the expertise in-house – hire it. You only get one brand. According to a recent study, 19% of consumers said they would stop shopping at a retailer in the event of a breach, and 33% said they would take an extended break from shopping with a retailer. Even if data can be recovered, regaining customer trust could prove a costly exercise, and repairing damage to the brand following the impact of negative press may prove more costly still. Don’t let data breaches destroy your brand.

For optimization of newly built facilities, outfitting with surveillance to gather data should be based on the store design and what businesses want to capture, as well as in line with local governances on the use of surveillance technologies. Consultation with stakeholders is important to make sure the business obtains a solid Return on Investment (ROI) for the system. Build standards and adhere to them. Stay focused on the standards and review periodically to update and build your systems with meaningful data that you need to improve and sustain your business while protecting it.

The facility and security manager, in conjunction with IT, also play a role; they need to understand the needs of their retailers and what is important to them, and address these in the design of the overall building surveillance system. In addition, they must look for ways to address their needs and find efficiencies. An example of this would be to work with surveillance data to help dispatch cleaners and sanitation measures after X number of people use the restroom or change room. Or use video technology to keep fire exits clear, keep fire lanes from being blocked by traffic, and perhaps detect aggression or a gunshot. These are some of the surveillance features that can really help facility managers do their job. But it can also hinder efforts if this type of data gets into the wrong hands.

Checklist for securing customer data

Data breaches don’t just happen to large retailers; they happen to stores and brands of all sizes. A Leger poll, commissioned by IBC, of 300 owners of small and medium-sized businesses with fewer than 500 employees, showed that 44% of small businesses do not have any defences against possible cyber attacks, and 60% have no insurance to help them recover if any attack occurs. A good checklist to follow when securing customer data:

  • Passwords, Passwords, Passwords. Don’t leave them as default (the number one issue). Use strong passwords or pass phrases with a minimum of 10 characters. Change them often, never share a password, and delete/change it after someone has worked on the system from outside

  • Make sure data is encrypted

  • Update your firmware regularly

  • Use the rules of least privilege – give people access to only what they need

  • Use privacy technology applications like Live Privacy Shield, redaction or masking of videos, and give only authorized personnel access to recorded video

  • Maintain the system – do not set it and forget it

  • Involve IT

  • Cyber training for staff should take place at least annually

  • Hold your third-party suppliers responsible for implementing technology that adheres to your organization’s cyber/privacy policies

The last thing to consider is validating what you are buying and not falling for a false sense of security. The new normal may see additional surveillance needs, but please ensure they meet all regulations and operating standards. Do your homework. Do not buy something that was created yesterday because of an opportunity. Use tested and verified technologies.


Rick Snook is the Business Development Manager for Retail and Banking at Axis Communications. In this role he provides support and education and assists with providing comprehensive and sustainable solutions to our large end users while protecting our channel partners. Rick holds a Physical Security Professional (PSP) certification from ASIS International, Loss Prevention Qualified (LPQ) from the Loss Prevention Foundation, CPTED Level 1 as well as an Axis Certified Professional (ACP) designation from Axis Communications.
