They may not know it, but many of the world’s retailers and hospitality firms are sitting on a security time-bomb: their Point-of-Sale (POS) system. The terminals and handsets that customers trust with their card details are a prime target for cybercriminals, and companies compound the exposure by failing to update them as often as they should.
One reason for this is that security simply isn’t a priority. Few companies make the connection between cybercrime and the terminals they use to process sales, a point underlined by a recent PwC Information Security Breaches Survey which found that UK retailers spend only 6% of their IT budget on security, a figure that is smaller still in the U.S.
This leads to a situation where companies conscientiously update the software used by their office staff every month while struggling to update the security and software on their POS systems even quarterly. But, as the recent example of hotel chain Mandarin Oriental highlights, POS systems are just as vulnerable as the rest of a company’s network. Most run a Windows OS and can be attacked with ordinary Windows malware that has been only slightly adapted for the purpose. In fact, one could argue that many POS systems are more vulnerable than most other computers, since they frequently run operating systems that have reached or are approaching end of life: Windows XP, for which Microsoft ended support in April 2014, is still a common standard in retail.
Another difficulty is the complexity of maintaining POS systems. By their nature they sit remote from the rest of the company network, and this often means updates must be applied manually. Stores, restaurants and hotel branches are unlikely to have anyone on-site who can perform them, so IT staff or contractors have to make site visits, a time-consuming and costly process with the potential to disrupt sales. Given that POS systems are typically used in industries with high overheads and tight margins, it is no surprise that management wants to keep such disruptions to a minimum. The problem is that this comes at an overwhelmingly high price.
The cost of neglecting POS security
As more than one US retailer has learnt – Neiman Marcus, Home Depot and Staples to name but a few – it only takes one security incident to slice millions from your profits and leave you fighting previously loyal customers in court. In Home Depot’s case, the breach led to huge losses – $43 million in Q3 2014 alone. While the big figures make the headlines, the largest share of breaches hits small and medium-sized retailers, and according to the Ponemon Institute’s Cost of Data Breach Study the average cost of such a breach is a cool $3.5 million.
No-one wants to be ‘that company’. And yet many retailers are still applying POS security patches only quarterly. Since vendors such as Microsoft release fixes monthly, a quarterly cycle leaves fixes for known vulnerabilities sitting undeployed for two months out of every three. To put it bluntly, one of the most critical business systems is left vulnerable for eight months of the year.
Even more worrying, most retailers unwittingly heighten this exposure during their most critical trading periods. Most admit to avoiding disruption when sales are busiest, so deployments are frozen at exactly the times, such as the Christmas rush, when the most card data is flowing through the terminals and the risk is highest. And while the incident itself may last only a week, the bad publicity – not to mention the cost of ongoing crisis communications and rebuilding reputation – can easily wipe out the 30% of annual revenue that most retailers expect to make in Q4.
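To put numbers on the cadence argument above, here is a small Python model. It is an added illustration, not code from this post or from 1E, and it assumes Microsoft-style monthly releases on the second Tuesday of the month, that a deployment run applies every patch released up to that day, and, as a constructed scenario, a retailer change freeze from October to December. The exposure_days function counts the days in a year on which at least one released patch has not yet been deployed.

```python
"""Patch-exposure model for a POS estate (added illustration, not vendor code).

Assumptions (not from the original post):
  * vendor patches ship on the second Tuesday of each month ("Patch Tuesday");
  * a deployment run applies every patch released up to and including that day;
  * a change freeze is expressed as an inclusive range of month numbers.
"""
import calendar
from datetime import date, timedelta


def second_tuesday(year, month):
    """Return the date of the second Tuesday of the given month."""
    first_weekday, _ = calendar.monthrange(year, month)   # Monday == 0
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, first_tuesday + 7)


def release_dates(year):
    """Monthly vendor release dates for the year."""
    return [second_tuesday(year, m) for m in range(1, 13)]


def deployment_dates(year, every_n_months, freeze_months=None):
    """Dates on which the retailer actually deploys patches.

    every_n_months: 1 = monthly, 3 = quarterly (deploy on Patch Tuesday of
    every n-th month, starting in January).
    freeze_months: optional (first, last) month numbers, inclusive, during
    which no deployment is allowed (the "no disruption in peak season" rule).
    """
    deploys = []
    for month in range(1, 13, every_n_months):
        if freeze_months and freeze_months[0] <= month <= freeze_months[1]:
            continue  # deployment skipped because of the trading freeze
        deploys.append(second_tuesday(year, month))
    return deploys


def exposure_days(year, every_n_months, freeze_months=None):
    """Number of days in the year with at least one released, undeployed patch."""
    releases = release_dates(year)
    deploys = deployment_dates(year, every_n_months, freeze_months)
    exposed = 0
    day = date(year, 1, 1)
    last_day = date(year, 12, 31)
    while day <= last_day:
        latest_release = max((r for r in releases if r <= day), default=None)
        latest_deploy = max((d for d in deploys if d <= day), default=None)
        # Exposed when something has shipped that the last deployment predates.
        if latest_release is not None and (
            latest_deploy is None or latest_deploy < latest_release
        ):
            exposed += 1
        day += timedelta(days=1)
    return exposed


def exposure_months(year, every_n_months, freeze_months=None):
    """Same measure expressed in months (365-day year, one decimal place)."""
    return round(exposure_days(year, every_n_months, freeze_months) * 12 / 365, 1)


if __name__ == "__main__":
    year = 2015
    scenarios = [
        ("monthly, no freeze", 1, None),
        ("quarterly, no freeze", 3, None),
        ("monthly, Oct-Dec freeze", 1, (10, 12)),
        ("quarterly, Oct-Dec freeze", 3, (10, 12)),
    ]
    for label, n, freeze in scenarios:
        print(f"{label:28s} {exposure_days(year, n, freeze):4d} days "
              f"({exposure_months(year, n, freeze)} months)")
```

For 2015 the quarterly schedule comes out at 241 exposed days, almost exactly the eight months the argument above relies on, while a monthly schedule that simply skips the October to December freeze concentrates its 80 exposed days entirely in the fourth quarter.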
Mitigating POS risks and protecting revenue
What is most striking about these POS security risks is that they are avoidable. According to the Australian Signals Directorate, at least 85% of the intrusions it responds to could have been prevented by implementing just its top four mitigation strategies: application whitelisting, patching applications, patching operating systems, and restricting administrative privileges. So why aren’t companies doing it? It comes back to the fear of disrupting sales in the name of reducing risk. Well, I have news for you. In my experience – which includes working with a number of large U.S. and international retailers – companies don’t need to struggle along with manual processes that disrupt the business. In fact, using automated updates, they can eliminate most of these risks in a matter of weeks.
These issues will be the topic of a 1E webinar on April 24, 2015, when I’ll take attendees through the four essential steps that will make your POS system low-risk rather than vulnerable, and get it secure in time for the holiday rush.