At this point, there is no denying that the retail sector is in big trouble. Even before COVID-19 brought the economy to a screeching halt, brick-and-mortar stores were struggling to attract customers. Retailers are beginning to navigate the muddy waters of reopening in a down market and adhering to new health and safety requirements and mandates. All of these factors make securing access to data and applications in a retail setting even more convoluted.

Every industry has its own specific set of identity and access management challenges, but the notoriously transitional nature of retail employment, coupled with its multilayered and distributed organizational structure, creates an environment rife with vulnerable access points for malicious actors.

Here we have identified four of the top identity and access management (IAM) challenges retailers face, and we offer some ideas for overcoming these challenges to secure access to sensitive company data and applications.

Frequent Turnover

Retail employment isn’t always a long-term career path. Traditionally, many entry- and staff-level positions are held by students and others who aren’t planning to stay with the company indefinitely. The transitional nature of the average retail employee’s career requires organizations to pay close attention to their IAM policies and practices so they can implement efficient employee lifecycle management processes. 

Retail employees need to be provisioned quickly so they can start work on day one. But perhaps more importantly, these employees need to be deprovisioned immediately after terminating employment. Leaving access open to point-of-sale (POS) systems and other sales or financial applications is a huge security vulnerability that can be exploited by both internal and external attackers. 

Retail organizations are notorious for taking shortcuts to expedite employee access to systems. For example, it’s common for employees to share passwords for training products and other resources to save onboarding and offboarding effort. In the event of a security breach, a large retailer could lose millions of dollars or expose millions of users’ personal information in minutes. Enforcing strict password policies is crucial to securing assets in these environments.

Multiple User Levels

Like many types of businesses, every retail organization has many employment tiers. Each level, and its associated roles, needs access to different applications and systems—sometimes only temporarily. Your IAM solution has to be able to coordinate and manage granting and revoking access to everything, from cash registers to mission-critical IT systems to inventory tracking.

For example, your entry-level retail staff needs access to the POS system, training materials, and timesheets. Administrative and operations employees need access to HR systems, accounting applications, and productivity software. A salesperson might move to a different store or require access to resources at multiple stores at once. In this case, your IAM solution will detect the change and Role-Based Access Control (RBAC) rules will automatically grant the appropriate level of access.

Logistics and transportation is a huge part of retail, and tracking who has access to what systems, and when, is a big job. Warehouse infrastructure alone requires dozens of different types of roles and permissions, and inaccurate access assignments in this area could cause not only a security hole but also a logistical nightmare of misplaced inventory and gaps in the supply chain.

Don’t forget about your third-party vendors when assessing access and identity management risks in a retail environment. A large retail company may do business with hundreds, or even thousands, of trading partners at any given time, each of which broadens your organization’s attack surface. 

In an ideal world, organizations want to ensure their own security regardless of who is accessing their systems and from where, which is where Zero Trust works well. In reality, securing access for contingent workers is often handled lackadaisically through ad hoc (e.g., ticketed) processes because HR doesn’t have a system in place to manage their onboarding and offboarding.  

If you aren’t practicing good access management hygiene, cyberattackers can take advantage of these contingent workers’ accounts and have a field day moving through your network. And your organization will be held responsible for affected users’ identity repair and monitoring, regulatory penalties, and other clean-up costs. 

Seasonal Employees and Special Events

Many retail businesses rely on seasonal employees to staff stores during busy times of the year or during special events (think Black Friday or end-of-the-year clearance events). In fact, some areas of the retail sector are so busy during certain times of the year that they base their choice of IAM solution on how easily it can scale up or down when needed.

Seasonal employees need access to the same systems as the regular staff, but they only need it temporarily. It’s important to be able to get them onboarded and offboarded quickly, easily, and securely.

Using IAM’s automated provisioning capabilities streamlines the onboarding process by granting access to the appropriate systems almost immediately. However, in many organizations, de-provisioning has a tendency to fall through the cracks, creating a security vulnerability. Automating the de-provisioning process, especially for temporary employees, helps secure your systems and applications from unauthorized access as soon as the employment period ends or the employee otherwise separates from the company.
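The role-based granting and automated de-provisioning described above can be expressed as a reconciliation between HR records and the access that currently exists. The following is an added example, not code from any IAM product; the role names, store IDs, record fields, and sample data are all assumptions constructed for illustration.

```python
from datetime import date

# Hypothetical role-to-application map (assumed names, based on the roles in the text).
ROLE_ENTITLEMENTS = {
    "sales_associate": {"pos", "training", "timesheets"},
    "seasonal_associate": {"pos", "training", "timesheets"},
    "operations": {"hr_system", "accounting", "productivity"},
}

# Constructed HR records: the authoritative source for who should have access.
# "end" is the last working day; None means no scheduled end.
HR_RECORDS = [
    {"id": "e100", "role": "sales_associate", "stores": ["S01", "S02"], "end": None},
    {"id": "e101", "role": "seasonal_associate", "stores": ["S01"], "end": date(2021, 1, 5)},
    {"id": "e102", "role": "operations", "stores": ["HQ"], "end": None},
]

# Constructed current state: (user, store, application) grants found in the systems.
CURRENT_GRANTS = {
    ("e100", "S01", "pos"), ("e100", "S01", "training"), ("e100", "S01", "timesheets"),
    ("e101", "S01", "pos"), ("e101", "S01", "timesheets"),
    ("e102", "HQ", "hr_system"), ("e102", "HQ", "accounting"), ("e102", "HQ", "productivity"),
    ("e099", "S01", "pos"),  # no HR record at all: an orphaned account
}

def expected_grants(records, today):
    """Return the grants that HR data and the role map say should exist today."""
    grants = set()
    for rec in records:
        if rec["end"] is not None and rec["end"] < today:
            continue  # employment period is over: nothing is expected
        for store in rec["stores"]:
            for app in ROLE_ENTITLEMENTS.get(rec["role"], ()):
                grants.add((rec["id"], store, app))
    return grants

def reconcile(records, current, today):
    """Diff expected against actual access; 'revoke' is the de-provisioning backlog."""
    want = expected_grants(records, today)
    return {"grant": sorted(want - current), "revoke": sorted(current - want)}

if __name__ == "__main__":
    plan = reconcile(HR_RECORDS, CURRENT_GRANTS, date(2021, 1, 10))
    for action, items in plan.items():
        for user, store, app in items:
            print(f"{action:6} {user} {store} {app}")
```

Running the reconciliation on a schedule turns missed offboarding into a visible revoke list: the ended seasonal contract and the account with no HR record both surface without anyone filing a ticket.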

Movement and Reorganization

We can expect to see a lot of movement within the retail space over the next several months—and possibly years. As retailers try to find their footing in our uncertain economy, many stores will close, some will reopen at a smaller scale, and some will follow the money and expand into new territories.

Store closures, unfortunately, result in mass layoffs, which require de-provisioning a lot of employees quickly. Some employees may move to another store location or position within the company with different permissions and access requirements. If a store moves to a new region, the government compliance regulations may be different, which requires a review of policies to ensure your IAM system monitors and documents any activities needed for audit purposes.

All of these scenarios require a robust IAM strategy that can handle major, sometimes sudden, changes without jeopardizing data and application security. 

Retail Security: Identity and Access Management Solutions

With the current level of churn in the retail sector, including higher than normal employee turnover, diminishing on-site sales, and a whole lot of uncertainty about the future of the economy, retailers must take the necessary steps to mitigate access-related security risks.

In today’s highly distributed, cloud-driven business environments, identity is the key to creating a security perimeter to protect sensitive customer data and business-critical applications. Identity and access management practices like single sign-on, multi-factor authentication, and federated identity management have replaced traditional username and password credentials, so users are required to prove they are who they say they are and that they are allowed to go where they want to go in the system.

IAM methodologies like privileged access management and identity governance take security to the next level by creating irrefutable documentation, monitoring user activity, and creating and enforcing access policies to protect even the most mission-critical and highly regulated data and applications from unauthorized access.
