
Retail Under Siege
Why Security Fundamentals Matter More Than Ever
Victoria’s Secret became the latest high-profile retailer to fall victim to a cyberattack, joining a growing list of brands reeling from data breaches. As attackers evolve in sophistication, too many organizations are still falling down on the basics: phishing emails, misconfigured systems, overly permissive access, and outdated infrastructure.
So Why Is the Retail Industry in the Hot Seat for Cyberattacks?
The retail industry is a prime target for cyberattacks because it operates vast, distributed networks filled with high-value data including payment information, customer records, and supply chain access points. Constant infrastructure changes, seasonal traffic spikes, third-party dependencies, and high employee turnover create a perfect storm of complexity. This dynamic environment makes visibility and control difficult, while compliance requirements like PCI DSS add pressure. Attackers exploit these gaps, knowing many retailers struggle to consistently apply core security fundamentals at scale.
No matter the industry, this is a stark reminder that despite advancements in AI-driven detection and automated response, the foundational principles of cybersecurity remain the most powerful tools for defending against modern threats.
This blog explores why getting back to security fundamentals is critical, the role zero trust plays in modernizing those basics, and how network security best practices can stop breaches before they start.
The Cost of Neglecting the Basics
Cybersecurity isn’t failing because of a lack of innovation. It’s failing because of inconsistent execution. Over the last several years, major breaches in retail, including Target, Home Depot, and now Victoria’s Secret, trace back to the same weaknesses:
- Overexposed access to sensitive data and systems
- Lack of network segmentation, allowing lateral movement
- Inadequate visibility into configurations and change management
- Failure to enforce least privilege across user and application identities
Attackers don’t need to find zero-day vulnerabilities when they can exploit unpatched software, default credentials, or improperly managed firewall policies. These aren’t cutting-edge attack vectors; they’re table stakes. And yet, they continue to work.
Security Fundamentals: A Refresher, not Just Another Acronym of the Year
Whether you’re a global retailer or a regional franchise, here are the timeless security principles that must be enforced consistently:
1. Asset and Inventory Visibility
You can’t protect what you don’t know exists. This includes:
- Identifying all endpoints, servers, and IoT devices
- Mapping cloud resources and third-party integrations
- Cataloging applications, databases, and users
A real-time inventory lays the groundwork for risk prioritization, patch management, and policy enforcement.
2. Least Privilege Access
Access should be granted based on the principle of “need to know.” This applies to employees, contractors, applications, and even internal system-to-system communication.
- Limit admin rights and review them quarterly
- Ensure third-party vendors have restricted, monitored access
- Segment privileges by job function and rotate credentials regularly
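As an added example (not code from the original post or from FireMon), the following Python script shows what a quarterly least-privilege review can look like when the three points above are turned into checks: grants compared against a per-role profile, admin rights past their review window, grants that have gone unused, stale credentials, and third-party grants with no expiry. The role profiles, accounts, dates and 90-day thresholds are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed illustration: hypothetical roles, accounts and dates, not FireMon code
# or any retailer's real identity data.
TODAY = date(2025, 6, 2)
REVIEW_WINDOW = timedelta(days=90)       # admin rights reviewed at least quarterly
MAX_CREDENTIAL_AGE = timedelta(days=90)  # credentials rotated at least quarterly
STALE_AFTER = timedelta(days=90)         # a grant unused this long is a removal candidate

# Hypothetical role profiles: which entitlements each job function should have.
ROLE_PROFILES: Dict[str, set] = {
    "store-associate": {"pos-app"},
    "store-manager": {"pos-app", "pos-reports"},
    "network-engineer": {"firewall-admin", "vpn-admin"},
    "vendor-pos-support": {"pos-app"},
}
ADMIN_GRANTS = {"firewall-admin", "vpn-admin", "domain-admin"}


@dataclass(frozen=True)
class Entitlement:
    account: str
    role: str
    grant: str
    last_reviewed: date
    last_used: Optional[date]      # None = never used since it was granted
    credential_rotated: date
    third_party: bool = False
    expires: Optional[date] = None


def review_entitlements(entitlements, today: date = TODAY) -> List[Tuple[str, str, str]]:
    """Return (account, grant, reason) for every grant that fails a least-privilege check."""
    findings: List[Tuple[str, str, str]] = []
    for e in entitlements:
        # Privilege must match the job function (segment privileges by role).
        if e.grant not in ROLE_PROFILES.get(e.role, set()):
            findings.append((e.account, e.grant, "grant not in role profile"))
        # Admin rights get a hard quarterly review cadence.
        if e.grant in ADMIN_GRANTS and today - e.last_reviewed > REVIEW_WINDOW:
            findings.append((e.account, e.grant, "admin grant past quarterly review"))
        # Access nobody uses is exposure with no business value.
        if e.last_used is None or today - e.last_used > STALE_AFTER:
            findings.append((e.account, e.grant, "grant unused for 90+ days"))
        # Credentials rotate on a schedule regardless of who holds them.
        if today - e.credential_rotated > MAX_CREDENTIAL_AGE:
            findings.append((e.account, e.grant, "credential rotation overdue"))
        # Vendor access is time-boxed so it cannot silently become permanent.
        if e.third_party and e.expires is None:
            findings.append((e.account, e.grant, "third-party grant has no expiry"))
    return findings


def summarize(findings) -> Dict[str, List[str]]:
    """Group findings per account so a reviewer sees one line per identity."""
    by_account: Dict[str, List[str]] = {}
    for account, _grant, reason in findings:
        by_account.setdefault(account, []).append(reason)
    return {account: sorted(reasons) for account, reasons in by_account.items()}


# Constructed sample entitlements (hypothetical accounts and dates).
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "store-manager", "pos-app",
                date(2025, 5, 1), date(2025, 6, 1), date(2025, 4, 1)),
    Entitlement("bob", "store-associate", "firewall-admin",
                date(2025, 1, 15), date(2025, 5, 30), date(2025, 5, 1)),
    Entitlement("carol", "network-engineer", "firewall-admin",
                date(2025, 4, 20), None, date(2025, 1, 1)),
    Entitlement("vendor-acme", "vendor-pos-support", "pos-app",
                date(2025, 5, 15), date(2025, 3, 5), date(2025, 3, 1), third_party=True),
]

if __name__ == "__main__":
    for account, reasons in summarize(review_entitlements(SAMPLE_ENTITLEMENTS)).items():
        print(f"{account}: {', '.join(reasons)}")
```

Run against the sample data, alice comes back clean, bob is flagged for an admin grant outside his role that nobody has reviewed this quarter, carol holds an admin grant she has never used with a credential that was last rotated five months ago, and the vendor account has a stale credential and no end date. The thresholds are deliberately simple; the point is that each bullet becomes a check that runs on a schedule instead of a policy that lives in a document.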
3. Change Management and Rule Hygiene
Retail networks are dynamic. Stores open and close, seasonal promotions spin up systems rapidly, and cloud resources scale elastically. Without disciplined change control, firewall rules and access policies quickly become outdated and risky.
- Implement rule review cadences and decommission unused rules
- Track and document all network changes
- Use automated policy validation tools to prevent misconfigurations
4. Patch Management
Vulnerability exploitation remains one of the most common breach vectors. Yet many retailers delay patches due to fear of downtime or lack of clarity around asset risk.
- Prioritize patching based on asset criticality and exposure
- Establish SLAs for different risk levels
- Use automated scanning to detect unpatched systems
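The following Python example is added here to make the first two bullets concrete; it is not code from the original post or from FireMon. It combines a CVSS score with the asset's business criticality and internet exposure to assign a risk tier, applies an assumed per-tier SLA, and lists what is overdue. The assets, the placeholder vulnerability ids, the dates and the SLA table are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed illustration: hypothetical assets, placeholder vulnerability ids and dates,
# not FireMon code or any retailer's real scan data.
TODAY = date(2025, 6, 2)

# Assumed SLA per risk tier: days allowed between detection and remediation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIER_ORDER = ["critical", "high", "medium", "low"]


@dataclass(frozen=True)
class VulnFinding:
    asset: str
    vuln_id: str          # placeholder identifier, not a real CVE
    cvss: float
    criticality: str      # business criticality of the asset: "high", "medium" or "low"
    internet_facing: bool
    detected: date


def base_severity(cvss: float) -> int:
    """Map the CVSS base score onto a 0-3 severity band."""
    if cvss >= 9.0:
        return 3
    if cvss >= 7.0:
        return 2
    if cvss >= 4.0:
        return 1
    return 0


def risk_tier(f: VulnFinding) -> str:
    """Combine CVSS with asset criticality and exposure.

    Criticality and exposure move a finding up or down a tier, so a medium
    CVSS on an internet-facing payment asset outranks a high CVSS on a lab box.
    """
    score = base_severity(f.cvss)
    score += {"high": 1, "medium": 0, "low": -1}[f.criticality]
    if f.internet_facing:
        score += 1
    if score >= 4:
        return "critical"
    if score == 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def prioritize(findings, today: date = TODAY) -> List[Dict]:
    """Assign a tier and SLA due date to each finding; order by tier, then due date."""
    plan = []
    for f in findings:
        tier = risk_tier(f)
        due = f.detected + timedelta(days=SLA_DAYS[tier])
        plan.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "tier": tier,
            "due": due,
            "days_overdue": max(0, (today - due).days),
        })
    plan.sort(key=lambda p: (TIER_ORDER.index(p["tier"]), p["due"]))
    return plan


# Constructed sample findings (hypothetical assets, placeholder ids).
SAMPLE_FINDINGS = [
    VulnFinding("pos-terminal-12", "VULN-PLACEHOLDER-1", 7.5, "high", False, date(2025, 4, 20)),
    VulnFinding("web-store-edge-1", "VULN-PLACEHOLDER-2", 9.8, "high", True, date(2025, 5, 29)),
    VulnFinding("kiosk-lab-3", "VULN-PLACEHOLDER-3", 5.3, "low", False, date(2025, 1, 10)),
    VulnFinding("hq-file-server", "VULN-PLACEHOLDER-4", 6.1, "medium", False, date(2024, 11, 1)),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_FINDINGS):
        status = f"{item['days_overdue']} days overdue" if item["days_overdue"] else "within SLA"
        print(f"{item['tier']:8} {item['asset']:18} due {item['due']}  {status}")
```

With the sample data the internet-facing storefront edge lands in the critical tier and is still inside its seven-day window, the POS terminal is two weeks past its 30-day high-tier SLA, and a medium-severity issue on an office file server has quietly sat for four months past its due date, which is exactly the kind of item that a CVSS-only sort would never surface above the noise.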
Zero Trust: Modernizing the Fundamentals
The zero trust security model of “never trust, always verify” isn’t a technology. It’s a strategy that enforces the fundamentals in a modern, dynamic IT environment. Implemented well, zero trust principles harden your environment without adding complexity.
Here’s how zero trust maps to foundational best practices:
Microsegmentation: Contain Lateral Movement
Even if an attacker breaches a perimeter, microsegmentation can stop them from moving freely.
- Enforce segmentation by environment (e.g., POS systems vs. back office)
- Create policies based on identity, device, and context
- Continuously validate east-west traffic against known baselines
Continuous Authentication and Access Control
Zero trust assumes no inherent trust, even for insiders.
- Use MFA across all privileged accounts and critical systems
- Implement behavioral analytics to flag abnormal activity
- Expire credentials regularly and require just-in-time access
Visibility and Real-Time Risk Assessment
Zero trust requires a complete and current view of what’s happening across your environment.
- Monitor network traffic in real time
- Track changes to access policies, firewall rules, and configurations
- Use threat intelligence to inform risk scores and automated responses
Network Security is Complex, but it Doesn’t Have to Be
Too often, organizations view “network security” as a static firewall deployment. But in today’s threat landscape, network security must be adaptive, intelligent, and policy-driven. Here’s how modern network security practices fortify your defenses:
1. Policy Management from Ground to Cloud
Retailers now operate hybrid environments that span traditional data centers, public cloud services, and edge locations like physical stores. Each environment brings its own access controls, yet they must work together.
- Use a centralized policy management platform to create, enforce, and audit policies across environments
- Normalize policies across vendors and technologies to reduce errors
- Simulate policy changes before implementation to validate intent
2. Change Automation and Approval Workflows
Manually managing policy changes is slow, error-prone, and often bypassed in the name of speed.
- Implement policy-as-code principles to define changes as structured, reviewable templates
- Integrate change requests with ITSM workflows (e.g., ServiceNow)
- Automatically validate changes against compliance frameworks before deployment
3. Risk-Based Policy Prioritization
Not all policy violations are equal. Focus resources on what matters most.
- Score policies based on exposure (e.g., internet-facing) and impact (e.g., access to PII)
- Flag rules that violate security best practices or compliance controls
- Generate heatmaps and dashboards to guide remediation
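The Python script below is an added example, not code from the original post or from FireMon, that ties together four of the practices described above: the rule hygiene cadence under Change Management (flagging unused rules for decommissioning), the microsegmentation guardrails (POS, back office and payment zones that must not talk to each other freely), pre-deployment validation of a proposed change, and the risk-based scoring that ranks rules by exposure and impact. The zones, addressing, rules, hit counts, guardrail list and weights are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import List, Tuple

# Constructed illustration: hypothetical zones, addressing and rules, not FireMon code
# or any retailer's real policy.
TODAY = date(2025, 6, 2)
UNUSED_AFTER = timedelta(days=90)  # rule with zero hits for this long -> decommission

# Hypothetical zone map. 0.0.0.0/0 is the catch-all "internet" zone.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("10.50.0.0/24"),
    "pos": ip_network("10.10.0.0/16"),
    "back-office": ip_network("10.20.0.0/16"),
    "payment-gateway": ip_network("10.30.0.0/24"),
    "pii-db": ip_network("10.40.0.0/24"),
}

# Segmentation guardrails: (source zone, destination zone) pairs no rule may allow.
FORBIDDEN_FLOWS = {
    ("internet", "pos"), ("internet", "pii-db"), ("internet", "payment-gateway"),
    ("back-office", "pos"), ("dmz", "pii-db"),
}

# Assumed exposure and impact weights used for risk-based prioritization.
SRC_WEIGHT = {"internet": 3, "dmz": 1}
DST_WEIGHT = {"pii-db": 3, "payment-gateway": 3, "pos": 2}
ANY_PORT_WEIGHT = 2
GUARDRAIL_WEIGHT = 4


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # CIDR; "0.0.0.0/0" means any source
    dst: str                # CIDR
    ports: Tuple[int, ...]  # empty tuple means all ports
    hits_90d: int           # hit counter over the last 90 days
    last_changed: date


def zone_of(cidr: str) -> str:
    """Most specific zone containing the CIDR; falls back to 'internet'."""
    net = ip_network(cidr)
    best = "internet"
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and zone.prefixlen >= ZONES[best].prefixlen:
            best = name
    return best


def audit_rule(rule: Rule, today: date = TODAY) -> dict:
    """Score one rule by exposure/impact and list hygiene and guardrail findings."""
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
    findings: List[str] = []
    score = SRC_WEIGHT.get(src_zone, 0) + DST_WEIGHT.get(dst_zone, 0)
    if not rule.ports:
        score += ANY_PORT_WEIGHT
        if src_zone == "internet":
            findings.append("overly permissive: any source on all ports")
    if (src_zone, dst_zone) in FORBIDDEN_FLOWS:
        score += GUARDRAIL_WEIGHT
        findings.append(f"segmentation guardrail: {src_zone} -> {dst_zone} is not allowed")
    if rule.hits_90d == 0 and today - rule.last_changed > UNUSED_AFTER:
        findings.append("unused for 90+ days: decommission candidate")
    return {"name": rule.name, "src_zone": src_zone, "dst_zone": dst_zone,
            "score": score, "findings": findings}


def audit_policy(rules, today: date = TODAY) -> List[dict]:
    """Rank the whole rule base, highest exposure/impact first."""
    return sorted((audit_rule(r, today) for r in rules), key=lambda a: -a["score"])


def validate_change(proposed: Rule, today: date = TODAY) -> List[str]:
    """Pre-deployment gate: a proposed rule is rejected if it produces any finding."""
    return audit_rule(proposed, today)["findings"]


# Constructed sample rule base (hypothetical names, addresses and hit counts).
SAMPLE_RULES = [
    Rule("allow-web-ingress", "0.0.0.0/0", "10.50.0.0/24", (443,), 120000, date(2025, 3, 1)),
    Rule("pos-to-gateway", "10.10.0.0/16", "10.30.0.0/24", (443,), 9000, date(2024, 9, 1)),
    Rule("temp-vendor-any", "0.0.0.0/0", "10.10.0.0/16", (), 0, date(2024, 11, 1)),
    Rule("backoffice-to-pos-rdp", "10.20.0.0/16", "10.10.0.0/16", (3389,), 15, date(2025, 2, 10)),
    Rule("legacy-report", "10.20.0.0/16", "10.40.0.0/24", (1433,), 0, date(2024, 1, 15)),
]

if __name__ == "__main__":
    for entry in audit_policy(SAMPLE_RULES):
        print(f"{entry['score']:3} {entry['name']:24} {entry['src_zone']} -> {entry['dst_zone']}")
        for finding in entry["findings"]:
            print(f"      - {finding}")
```

On the sample rule base the temporary vendor rule rises to the top: it is any-source on all ports into the POS zone, breaks a segmentation guardrail, and has not matched a packet in six months, so it is both the highest-risk rule and the easiest to remove. The back-office-to-POS rule is next because the guardrail alone outweighs a tidy single-port rule. The same `validate_change` function run on a proposed rule before it ships is the "simulate before implementation" step from the policy management section; a rule that would open the internet to the PII database is rejected with the same guardrail message the audit produces.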
Security in Retail: Why It’s Different
Retailers face a unique mix of challenges that make execution of security fundamentals even more critical:
- High employee turnover increases credential and access risk
- Distributed infrastructure complicates visibility and policy consistency
- High volume of financial transactions makes them a prime target
- Third-party dependence for POS, shipping, loyalty programs, etc. introduces supply chain vulnerabilities
- Strict compliance mandates such as PCI DSS demand both technical and procedural rigor
These challenges are not insurmountable, but they require a deliberate, fundamentals-first approach backed by intelligent automation and visibility.
A Call to Action
For security leaders in retail, now is the time to re-evaluate how well your organization is executing the basics. Ask yourself:
- Do we know what assets we have, and who has access to them?
- Are we continuously reviewing and optimizing our firewall rules and access policies?
- Can we prove compliance at any given moment?
- Are we ready to respond if something slips through?
If the answer to any of these is “no” or “not sure,” the solution may not be some bleeding-edge detection platform; it might be a return to the core principles your security program was built on.
Final Thought
Retailers can’t afford to treat cybersecurity as an afterthought or compliance checkbox. Today’s attackers exploit complexity, gaps, and inertia. The best defense? A well-executed, fundamentals-first strategy that evolves with your environment, backed by modern zero trust architecture and strong network policy management.
Because in the end, the basics aren’t basic; they’re everything.
*** This is a Security Bloggers Network syndicated blog from www.firemon.com authored by FireMon. Read the original post at: https://www.firemon.com/blog/retail-under-siege/