NIS2 is Coming – And the Retail Industry is Not Prepared

Business Insights
26/10/2022

NIS2, the next EU data protection directive, is well on its way to adoption and is expected to set completely new standards for the protection of data traffic across businesses. One industry in particular is going to feel the impact exceptionally hard: retail, emphasises Oliver Paterson, Director of Product Management, VIPRE Security Group.


The New Directive = The New Strategy

The reformed NIS regulations, NIS2, are anticipated to be finalised at any moment. For now, all we know is that the upcoming EU directive is expected to focus on securing the traffic of personal data through companies. The new directive, which still lacks final approval – and can therefore still be tweaked slightly – will require businesses of all sizes, from the largest enterprises to public sole proprietorships (with a few exceptions), to secure and document all data traffic to and from the company.


In essence, it is going to bring a lot more work for security teams, making their job much more time-consuming and complex. Luckily, there are IT solutions and certificates available that will solve this problem fairly easily for a majority of companies.


However, some industries, more than others, will be in serious trouble when this directive comes into force if they don't prepare now.


Danger in Retail

The retail industry is likely to be affected the most. Among other factors, 'critical infrastructure' businesses face even stricter requirements under NIS2; these apply, among others, to organisations with more than 250 employees and to those that sell food, such as grocery chains. These stores must be held responsible if an error or attack occurs, for example if a company loses sensitive personal data covered by GDPR (the General Data Protection Regulation).


What brings the retail industry into this is the one thing all retailers have in common – POS (point-of-sale) systems, which store masses of data. The industry's most important tool has also turned into its biggest weakness: NIS2 is expected to introduce entirely new sanctions against companies that do not have their IT security under control, and if adequate procedures are not in place, the consequences could be devastating.


Point of Sales = Point of Attack

POS systems are standardised across the world. Almost all of them run on the same operating system, Embedded Windows, and have done so for many years – with a majority of systems based on Windows XP.


The security and bandwidth of a POS system in the retail industry must be of an excellent standard, as it is crucial that these systems do not fail or undergo any disruption – if they do, the company has to stop operating and, in turn, loses revenue. Because of this importance, POS systems are thoroughly tested and often come with a ten-year warranty.


However, this is also precisely why POS systems based on Embedded Windows XP still run on dated technology and hardware. The transition itself need not be complicated; the problem is that those systems are rarely updated, and once IT criminals know the way into one POS system, they can reuse the same tactic against almost all other companies. The difference – and often also the first layer of protection – lies in the back-end system.


Presumably, this is exactly what occurred in the 7-Eleven attack this summer in Denmark, where the chain had to close all of its stores after a suspected "hacker attack" took out its cash registers and payment systems.


"But can't you just upgrade to Windows 10 or 11?" No, you cannot. Windows 10 has minimum hardware requirements that POS devices cannot meet, and on top of that come the high costs of replacing existing systems and the long downtime involved. So what can retail businesses do to protect themselves from the consequences?


Adhering to the Modern Threat Landscape

Firstly, it is of utmost importance to ensure that all staff are trained and educated on the modern threat landscape and on how they can protect both themselves and the store from being attacked. Rules and procedures must be in place, such as ensuring that employees do not use the POS computers to browse the internet, and keeping open and accessible USB ports out of public reach.


The next thing retail businesses should invest in is protecting individual devices with an endpoint security system. There are several factors to consider, as it has to be an endpoint solution that supports an older OS, namely Embedded Windows XP. Solutions are available whose sole purpose is to detect abnormal behaviour, which on a POS terminal means any behaviour other than the POS software itself.
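The allowlist logic that paragraph describes, as an added example (not VIPRE's product and not code from the article): on a POS terminal, any process that is not a known POS component is treated as abnormal, and anything launched from removable media (the USB-port concern above) is flagged on its own. The log format, executable paths, host name and drive letters are constructed assumptions.

```python
"""Allowlist-style anomaly detection for POS endpoints (added example).
Assumption: the terminal's endpoint agent emits one process-start line
of the form '<timestamp> host=<name> parent=<exe> image=<full path>'."""
import re
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>.+)$"
)

# Assumed allowlist: the POS application and its services, launched only
# from the install directory. Everything else on the terminal is abnormal.
ALLOWED_IMAGES = {
    r"c:\pos\posclient.exe",
    r"c:\pos\possvc.exe",
    r"c:\pos\printerspooler.exe",
}
# Assumed drive letters that removable media (USB sticks) receive on the tills.
REMOVABLE_DRIVES = ("d:", "e:", "f:")


def classify(line: str) -> Dict[str, str]:
    """Parse one event and attach a verdict ('ok', 'alert', 'unparsed') and reason."""
    m = LOG_RE.match(line.strip())
    if not m:
        return {"verdict": "unparsed", "reason": "line did not match expected format", "raw": line}
    ev = m.groupdict()
    image = ev["image"].strip().lower()
    if image.startswith(REMOVABLE_DRIVES):
        ev.update(verdict="alert", reason="executable launched from removable media")
    elif image not in ALLOWED_IMAGES:
        ev.update(verdict="alert", reason="image not on POS allowlist")
    else:
        ev.update(verdict="ok", reason="allowlisted POS component")
    return ev


def alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return only the events that should be raised to the security team."""
    return [ev for ev in map(classify, lines) if ev["verdict"] == "alert"]


# Constructed sample events from a hypothetical terminal "till-04".
SAMPLE_LOG = [
    r"2022-10-26T09:01:02Z host=till-04 parent=services.exe image=C:\POS\possvc.exe",
    r"2022-10-26T09:01:05Z host=till-04 parent=explorer.exe image=C:\POS\posclient.exe",
    r"2022-10-26T12:14:37Z host=till-04 parent=explorer.exe image=C:\Program Files\Internet Explorer\iexplore.exe",
    r"2022-10-26T12:20:11Z host=till-04 parent=explorer.exe image=E:\setup.exe",
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a["ts"], a["host"], a["image"], "->", a["reason"])
```

Run against the sample, the two POS components pass and the browser launch and the executable started from `E:` are both reported, which is the behaviour an allowlisting endpoint agent on an XP-era till needs.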


Ultimately, NIS2 suggests that the company's senior executive holds the ultimate responsibility for keeping the business safe, and a breach of NIS2 that can be proven to be due to a lack of IT security can result not only in reputational and financial damage, but also in losing their job. Businesses would be better prepared to keep themselves – and their customers – safe if they trained and educated their staff on how to handle data security and invested in the right technology.


Conclusion

This is a wake-up call for the retail industry to take the cybersecurity landscape seriously. With NIS2 suggesting that the penalty for data breaches will be up to two percent of annual turnover (and a NIS2 breach often coincides with a GDPR breach, which carries a penalty of up to four percent of annual turnover), such a penalty would sink a majority of retail stores.

