The Inconvenient Truth of Cybersecurity Failures
There are approximately 150,000 convenience stores in the U.S., generating over $600 billion in annual sales. That’s an average of around $4 million for each store. Any industry operating at that scale is going to be a big target for cybercriminals, and the particular dangers faced by convenience store operators is a common topic of conversation throughout the industry.
In fact, the National Association of Convenience Stores (NACS) places data breaches and payment security at the top of its list of “major issues affecting the industry.” Whether it’s the impact caused by a cybersecurity incident, the catastrophic reputational damage, or the class-action lawsuits that follow, it’s not difficult to see why one expert describes convenience store cybersecurity as “the harbinger of threats to corporate America.”
One of the most worrying aspects of convenience store cybersecurity breaches is the “groundhog day” nature of the incidents that keep making headlines. These incidents typically follow a pattern:
- Security is compromised by a malware attack, but the resulting data breach goes unnoticed for months.
- By the time the breach is discovered, enormous amounts of sensitive customer data have already been compromised or stolen.
- The retailer in question then switches into damage containment mode, but costly class-action lawsuits often follow as consumers attempt to gain some compensation.
High-Profile Breaches Create Lasting Business Challenges
A recent malware attack on the Hy-Vee convenience store chain resulted in a serious breach with customer data stolen from compromised coffee shops, restaurants, and fuel pumps. As a result, details from over five million customer cards were offered for sale on the dark web, with the breach going undetected for months. Multiple class-action lawsuits subsequently followed.
In late 2019, the Wawa convenience store chain revealed that 850 of its stores had been hit by a malware infection. It was suggested that the problem had gone undiscovered between March and December, by which time the details from over 30 million payment cards had been compromised. By the end of 2019, the company was facing a wave of lawsuits.
Better Security Requires Better Technology
One inconvenient truth is that the convenience store business model itself can be a major contributing factor for security risks. Store operators running dozens or hundreds of outlets have often used virtual private networks (VPNs) to connect remote stores and carry out vital IT management tasks (such as deploying new applications) while simultaneously attempting to keep costs down.
Unfortunately, technology trends—such as the rapid adoption of mobility, big data, social media, cloud services, and the Internet of Things (IoT)—means VPNs are themselves becoming too complicated to secure and increasingly vulnerable to cyberattacks. In contrast to data center security, which has improved to protect sensitive assets by embracing multi-layered solutions, many remote sites are left without the same levels of security.
As a result, these sites have typically become the “weakest links in the chain” and the favorite targets for cybercriminals. The uncomfortable reality is store owners who are under pressure to extend data center-grade security to remote sites often must do so with only limited onsite IT staff and extremely tight budgets. Yet they somehow still need to embrace the ambitious digital transformation strategies that their customers now expect.
Security Shouldn’t Force a Compromise
This is the central dilemma at play: how can store operators increase security without neglecting their fiscal responsibilities or limiting the customer experience? In short, they need the “win-win” of a simpler, more effective way to securely connect their stores—but with minimal expense and resources.
To achieve this, many chains are deploying secure Software-Defined WAN (SD-WAN) solutions, which are extremely effective at the network edge because they virtualize traditional WAN functions. With the SD-WAN approach, all network intelligence is handled via software, allowing centralized IT staff to define multiple remote locations simultaneously and then synchronize them using cloud-based administration.
This approach not only improves network flexibility but also reduces cost and complexity. It also empowers IT to automatically roll out software updates and stricter security policies across highly distributed enterprises. By extending the multi-layer security protocols from the data center all the way to remote locations, secure SD-WANs allow mission-critical applications such as credit card payment and customer loyalty programs to coexist with public applications like Wi-Fi on a single network.
SD-WANs Are a Smart Investment
So what should convenience store operators, and retailers in general do? On a practical level, they should view a consistent data connectivity and security strategy for their remote locations as an urgent priority. Being proactive about protecting customer data holistically across the entire retail environment is key to avoiding the all-too-familiar headlines seen in recent months.
By starting small with a secure SD-WAN pilot project, chains can explore the benefits of modern technology without disrupting their existing infrastructure. And after an SD-WAN environment is in place, they should continually test it to guard against new and emerging security risks. This type of approach is particularly important to thwart increasingly sophisticated cyberattacks. Otherwise, retailers that continue to rely on VPN solutions could find themselves particularly vulnerable to cyberthreats and all the accompanying business risks.