Retail Cybersecurity

As consumers increasingly turn to online retail, physical retail locations must adapt to the changing consumer landscape. By taking a strategic approach to digitalization, Internet of Things (IoT), and customer analytics, retail stores can provide consumers with a flexible and personalized in-store experience that online retailers cannot achieve.

To accomplish this, retailers must deploy fast, reliable, and secure in-store wireless access. Powered by FortiGate, the Fortinet Secure SD-WAN solution ensures businesses can meet the bandwidth and quality-of-service (QoS) requirements of a retail network while providing industry-leading security controls and centralized policy management. Coupled with the Fortinet Secure Wireless Access solution, retail locations can deploy enterprise-class Wi-Fi access for guests side by side with business networks.

With these solutions in place, an organization can deploy FortiPresence for location-based analytics, and by leveraging the deep-packet inspection of FortiGate, FortiPresence identifies customers who are show-rooming and uses its presence analytics engine to send instant deals and special offers to phones and in-store digital signage that match offers available online.

Using FortiAP with FortiGate allows retailers to provide customers with a secure, omnichannel experience, while gaining many operational and marketing benefits:

• Fast deployment with automated radio management
• Rogue AP detection and reporting for PCI compliance
• Captive portal with social login
• Advanced visitor presence and positioning intelligence
• Dynamic location-based advertising
• Complete enterprise feature set without feature licenses

Retailers are operating widely dispersed store locations that may have very different network and security needs. As customers expect retailers to provide omnichannel shopping environments, retail networks continue to grow more complex due to the introduction of wireless guest networks and Internet-of-Things (IoT) devices. This means retailers are faced with tough decisions when it comes to balancing the customer experience and addressing the unique security needs of each location.

Due to this increased complexity and the growing shortage of skilled cybersecurity resources, retailers must operate more efficiently. By utilizing FortiManager, FortiAnalyzer, and FortiDeploy, retailers are able to operate with a high level of automation, save time with zero-touch deployment, and gain network wide visibility and control from a single pane of glass, allowing organizations to manage multiple retail locations with limited IT staff.

Fortinet solutions provide features that help retailers cope with growing network complexity and limited IT support, such as:

• Single-pane-of-glass view for centralized visibility and management
• Template, script, and application programming interface (API)-based configuration management
• A built-in suite of easily customizable security, performance, and usage reports
• Automated reporting to track retail regulatory compliance
• One-touch device provisioning with proven scalability to over 10,000 sites 

The Payment Card Industry Data Security Standard (PCI DSS) and the upcoming PCI Software Security Framework (SSF) set out strict requirements for how retailers must protect customer payment card information. A piecemeal approach to PCI DSS compliance may force understaffed security teams to choose between protecting the network and performing the activities necessary to demonstrate PCI DSS compliance.

With the changing requirements and increased complexities of meeting regulatory compliance, the difficulty of manually achieving network wide visibility and enforcing the required security controls only increases. Additionally, the desire to integrate web and mobile applications, order delivery solutions, and other services directly to the point-of-sale (POS) network significantly increases the scope of which security teams were traditionally responsible.

The Fortinet Security Fabric allows retailers to more easily demonstrate and maintain compliance with PCI DSS and SSF by allowing Fortinet devices and services to integrate with and gather information from third-party solutions. This includes an open application programming interface (API) ecosystem and a long list of existing third-party partners.

The Fortinet Security Fabric provides retailers with tools for efficiently achieving PCI DSS compliance, including:

• Centralized and consistent policy management
• Out-of-the-box reporting for PCI DSS and other regulatory controls
• Network wide topology mapping with device identification
• Real-time telemetry information for Fortinet products and third-party Fabric-Ready partner solutions
• Automated threat detection and response with automation stitching

Retailers need fast and scalable connectivity to enable seamless transactions in support of sales, inventory, purchasing, and other activities. Compared to traditional multiprotocol label switching (MPLS) lines for branch-to-branch or branch-to-headquarters connections, software-defined wide-area networking (SD-WAN) offers a more flexible approach to connectivity with faster performance at a better total cost of ownership (TCO).

While moving to an SD-WAN solution does provide increased flexibility and cost savings when compared to MPLS, retailers must now make new provisions for security. Instead of deploying firewalls and other network infrastructure in conjunction with SD-WAN devices, Fortinet offers an all-in-one SD-WAN solution with built-in security that enables retailers to achieve consistent security coverage, from the internet to the switching infrastructure. FortiGate Secure SD-WAN has robust SD-WAN threat protection, including Layer 3 through Layer 7 security controls, as well as industry-leading performance with the industry’s first purpose-built SD-WAN chip.

Many retail branches leverage their WAN links to deploy Voice over IP (VoIP) in place of separate phone service. VoIP applications not only place bandwidth demands on the WAN but their availability and experience quality can also be threatened by cyberattacks. FortiVoice provides a flexible and easily configurable VoIP solution that can be secured and isolated from public Wi-Fi networks using the switching and access control capabilities of the Fortinet SD-Branch. FortiExtender provides a 3G/4G backup to ensure that business can continue even in the event of a network outage.

FortiGate Secure SD-WAN has the lowest TCO in the industry and delivers a robust feature set to ensure high application performance and availability:

• Automatic recognition and optimal routing of over 5,000 applications
• Application database updates from FortiGuard Labs provide access to the latest malware signatures
• Complete threat protection, including firewall, antivirus, intrusion prevention system (IPS), and application control
• High-throughput secure sockets layer (SSL)/transport layer security (TLS) inspection with minimal performance degradation, ensuring that organizations do not sacrifice throughput for complete threat protection
• Web filtering to enforce internet security without requiring a separate secure web gateway (SWG)
• Highly scalable and high-throughput overlay VPN tunnels to ensure that confidential traffic is always encrypted

Fortinet SD-Branch enables retailers to combine their security and network access by providing features such as:

• Use of FortiGate and FortiNAC to discover and secure Internet-of-Things (IoT) devices on the network
• Integration of wireless and wired networks into the security infrastructure
• Centralized management of firewalls, Ethernet switches, and WLAN interfaces
• Single-pane-of-glass visibility and control for zero-touch device provisioning

Based on Fortinet research, 87% of retail organizations have suffered some kind of an intrusion. Moreover, analysis by FortiGuard Labs shows that up to 40% of new malware detected on a given day is zero day or previously unknown.

Because intrusions are inevitable, retailers need to be prepared with the right response. That requires, first of all, proven, real-time threat intelligence. FortiGuard Labs collects, analyzes, and classifies threats at machine speed with an extremely high degree of accuracy. Specifically, its comprehensive threat detection leverages artificial intelligence (AI) and machine learning (ML) to write signatures for new malware in real time and publishes them across the entire Fortinet Security Fabric.

Retail environments that are widely distributed, offer public Wi-Fi, or deploy IoT devices are at risk of unknown threats slipping in through customer or employee mobile devices and through a variety of application and user interfaces. When a FortiGate detects suspicious content that it cannot identify as a known threat, it sends it to FortiSandbox, which quarantines and inspects the content—including those encrypted by secure sockets layer (SSL)/transport layer security (TLS)—before they reach the network. FortiSandbox then can share information about any detected threats with the other security elements via the Fortinet Security Fabric.

Advanced threat protection must cover internal activity as well. Deploying FortiDeceptor allows retailers to identify malicious insiders or attackers who have gained access to the network. FortiInsight (which powers user entity and behavior analytics [UEBA]), meanwhile, monitors endpoints and users for anomalous, noncompliant, or suspicious behavior that could pose a threat to the business.

A multilayer defense is the best approach to network security and includes features such as:

• Robust detection and protection against known and unknown threats
• Identification and remediation of threats inside the business network
• Automated threat analysis in isolated sandboxes
• Use of deception for internal threat detection
• Real-time threat intelligence leveraging AI and ML
• Continuous updates through the FortiGuard network

By introducing digital innovations in their omnichannel shopping experiences, retailers can continue to attract and retain customers in the face of stiff competition from online retailers. However, digital innovation efforts are also needed to reduce costs and improve operational efficiency.

For example, many retailers are utilizing headless Internet-of-Things (IoT) and radio-frequency identification (RFID) technologies to streamline processes related to inventory and logistics. These additional—and often insecure—network nodes expand the attack surface. Retailers must consider a security-driven networking approach to such network expansions.

Part of this approach involves network separation and individualized security. Retailers can leverage Fortinet SD-Branch to run side-by-side business and guest networks, allowing IoT devices to be isolated from the public Wi-Fi network. Each network receives the level of security that it requires, and includes out-of-the-box access control to protect business IoT devices.

Fortinet solutions enable digital innovation throughout the retail enterprise with a variety of features:

• Wireless connectivity with high quality of service (QoS) and integrated security
• Unified visibility and control in multi-cloud environments
• One-touch device provisioning with proven scalability to over 10,000 sites
• Integrated network access control for visibility and protection of IoT devices

Retailers operate large networks of geographically distributed branch locations, making the use of cloud services a logical choice. Public and private cloud deployments both have their advantages, and the use of a secure software-defined wide-area network (SD-WAN) solution can allow organizations to decrease latency and reduce load on the headquarters network. However, network infrastructure that sprawls over private clouds, public clouds, and on-premises data centers often creates a very siloed environment that is difficult to secure.

The first step in deploying network security that is compliant with the Payment Card Industry Data Security Standard (PCI DSS) is achieving network wide visibility and centralized configuration management. The Fortinet Security Fabric offers native integration with all major cloud service providers, meaning security teams can enforce consistent security policies across the network from a single pane of glass instead of manually configuring the individual security settings offered by different cloud providers.

Fortinet also provides security solutions designed and built for cloud-based applications. The Fortinet web application firewall (WAF), FortiWeb provides protection for web-based services including company websites, payment portals, and web APIs and can be deployed on-premises as a virtual machine (VM) or as a Software-as-a-Service (SaaS) offering. As DevOps teams increasingly make use of cloud environments, a WAF is a vital component of maintaining PCI DSS compliance.

FortiMail includes an email gateway that protects cloud-based SaaS email solutions like Microsoft Office 365 and on-premises email alike. FortiGate next-generation firewalls (NGFWs) include an Infrastructure-as-a-Service (IaaS) option, offering scalable and cloud-native security for any environment.

Fortinet dynamic cloud security solutions provide retailers with the tools to optimize the security of their multi-cloud environments, such as:

• Native integration of cloud service provider (CSP)-provided security features
• Single-pane-of-glass visibility and management of multi-cloud environments
• Cloud-based firewall, email, and website protection solutions
• Artificial intelligence (AI)-based threat intelligence distributed in real time across the security infrastructure
• Automated traffic identification and classification, including encrypted cloud application data
• Secure SD-WAN to provide direct, secure access to cloud resources from branch locations