Retail cyber security best practices: A checklist

Did you know that, without sufficient cyber security , your retail business could face fines of up to €20 million?

Not only that, but your reputation could also suffer irreparable damage.

Indeed, in the event of a retail security breach, 19 percent of consumers say they would stop shopping at the affected business. With a further 33 percent saying they would take an extended break from the retailer.

Can your business survive such a dip in sales? Never mind a potential fine that could cost you millions?

To avoid such heavy penalties, you need to make cyber security a core component of your retail business.

The best way to achieve this is to create a cyber security strategy that is unique to your retail business. After all, every retailer is different and faces different risks that require responses that help achieve business objectives.

To help you with this, we’ve put together some recommendations on five key areas of cyber security:

  • Information security governance and compliance
  • Staff cyber security awareness and training
  • Access management and password protection
  • Systems monitoring, penetration testing and data loss prevention
  • Cyber security audits and creating a culture of continuous improvement

We’ve also made checklists for each section so you can apply them to your retail organisation. These checklists are also available as an editable pdf for ease of use.

Fill in the form below to download your free Retail IT security checklist and take the first step to protecting your business.

1. Information security governance and compliance

Do you want to protect your business and avoid punitive fines? Then you need to comply with regulations such as the GDPR, PCI DSS and NIS. This proves that your cyber security is up to scratch and that you are following best practices.

The best way to guarantee compliance is to adopt an established security framework. This provides a reliable template for your security controls.

ISO/IEC 27001 lays out a framework of policies and procedures that cover the legal, physical and technical controls for an organisation’s information risk management processes. We recommend using this framework as it helps staff understand and embrace day-to-day cyber security.

To achieve compliance, you need to also review your security tools and processes. Thankfully, there are many tools available to help you with this.

We’re fans of Compliance Manager. As part of Office 365, it is a workflow-based risk assessment tool that helps you maintain compliance with most regulations. For example, Office 365 has many tools that can help you maintain GDPR compliance, as well as find and classify your sensitive data. It can also help you identify and map out all the personal data you hold.

Our final recommendation on governance and compliance is that you need to review your existing security controls across your retail organisation to ensure you are storing and using personal data appropriately. When people give you their personal data, you enter into an agreement on how you will use it. You need to make sure you’re keeping to your word.

Information security governance and compliance checklist

Activity Person Responsible Date Completed Details
Adopt an established security framework This provides a reliable template for your security controls.

We recommend the security framework ISO/IEC 27001.

Enter details on your adopted security framework and link to it for easy access.

Review security tools and processes This helps staff maintain compliance with the security framework and significant regulations.

Ensure all of your tools and processes help maintain compliance and are not set up in any way that puts your business at risk.

Review the following regulations:


We strongly recommend getting legal advice when reviewing your compliance with these regulations.

Disclaimer: Redcentric responsible for any consequences suffered by non-customers if your business is found non-compliant in any regulation.

Identify and map out all personal data held There are many tools that can help with this available but you can start by utilising features in your existing portfolio. For example, if you have O365, you can use content search to help you discover this data.

Find and catalogue what data you collect, how it’s used, where it’s stored and how it travels throughout your business and beyond.

Download this checklist

2. Staff cyber security awareness and training

According to the Information Commissioners Office, human error is one of the top causes of data breaches. So, if you want to keep your retail business safe you need cyber security awareness and training.

This includes day-to-day cyber security best practices and also an understanding of your retailer’s regulatory obligations. After all, how can staff follow regulations that they don’t understand?

Whether or not you hire an external training partner, check your existing products and services. Some providers supply learning resources that can aide in staff training. You can also find resources online to help you – like this Microsoft 365 Security Training video.

Both of these options can save you some money and give your staff the cyber security training they need.

When it comes to cyber security training, remember it’s an ongoing process. The modern workplace is a complex and ever-evolving arena. So be sure to keep up to data with cyber security best practices.

If you don’t, you may find your business’s security lacking in key areas like remote working, cloud services and online collaboration.

Staff cyber security awareness and training checklist

Activity Person Responsible Date Completed Details
Hire cyber security experts and/or collect cyber security training resources Depending on the training, this can be handled either internally or externally.
Assign different training tasks and/or courses based on job description Different roles need different training.

For example, a store assistant won’t need the same training as a marketing executive.

Schedule training programs for each employee Build a timeline that provides and maintains sufficient staff training.

Once complete, we recommend testing your staff to make sure they understood everything. After all your business may be at stake.

Review cyber security awareness and training measures and improve periodically Perform a complete analysis and update all training at least annually. Or, as regulations and the environment changes.

Download this checklist

3. Access management and password protection

In retail, peak periods like Black Friday or Back to School mean an increase in temporary workers. This means you need to watch both your physical and digital security.

Ensure you are aware of who can access unsecured areas such as shop floors, back offices and warehouses. Keep track of your workforce, granting them access only to the areas required to carry out their duties. This is the ‘principle of least privilege’ and you should apply it as often as possible.

To adhere to this principle, having strong access control procedures is critical. You need to regularly review who has access to important systems. When carrying out this review, be sure to:

  • Minimise the number of shared accounts
  • Restrict privileged or admin accounts to the bare essentials required to do their job
  • Ensure you have revoked access to people leaving your business

Another area of access management that all retail businesses need is an effective password protection policy. This is because compromised and weak passwords cause 80 percent of data breaches. A shocking statistic, considering it doesn’t need to happen.

To implement and maintain an effective password protection policy, you can use password management tools like LastPass, Keeper or Dashlane.

If you’d like help to optimise and configure these tools get in touch today and find out how Redcentric can help you protect your company information.

Access management and password protection checklist

Activity Person Responsible Date Completed Details
Review all the access granted to your important systems Unless you know who has access to what, you can’t be confident things are secure.
Assess whether each user has the access rights they need to work and no more. The safest approach to access is to apply the principle of least privilege. Audit all staff-members access and see if this is the case.

Ensure you remove all former and leaving staff members from your systems.

Implement and maintain an effective password protection policy Use password managers and talk with IT partners to perfect your access management.

Download this checklist

4. Systems monitoring, penetration testing and data loss prevention

Unfortunately, cyberattacks, like Distributed Denial of Service (DDOS), are on the rise. These can cripple your business for a long time, so you need to protect against it with ‘always-on’ protection and testing.

After all, when it comes to your business, you can’t be too vigilant.

That’s why we recommend protecting your business against DDOS attacks by implementing a WAF solution which can be configured on your public or private cloud environment.

Systems monitoring and penetration testing

Carry out vulnerability scans and periodic penetration testing to ensure that your current IT systems are in working order and not at risk from known vulnerabilities and threats. These tests will highlight any potential cyber security weakness, ensuring full IT availability during peak retail periods

With peak periods like Black Friday and Cyber Monday becoming more popular, with an average of £2.48m spent every minute in the UK, you need to make sure your business is ready. Because if you don’t, and you suffer a cyber attack, you could potentially lose out on a lot of revenue.

Data loss prevention

As a retailer, you are responsible for a lot of sensitive data, like credit card numbers and other payment details.

Data loss prevention software and services can help you identify and control sensitive data. But most products that do this are expensive and difficult to implement. There are many tools out there that can help you with this, so be sure to pick the one that’s right for you.

Go into the busy Black Friday and Christmas period with confidence. Implement these controls and carry out periodic testing of your defences so you can ensure your system is well-protected.

Systems monitoring, penetration testing and data loss prevention checklist

Activity Person Responsible Date Completed Details
Schedule vulnerability scans and penetration testing You’re only as strong as your weakest link – test your systems so you can identify vulnerabilities and fix them.
Enable ‘always-on’ DDOS protection DDOS attacks are very common. Find an effective, secure service or product to protect your systems.
Review your data loss prevention measures Don’t ignore data regulations. Make sure you have measures in place to minimise data loss.
Carry out continuous systems monitoring and security reviews Run checks year-round so that you’re confident going into your peak trading.

Download this checklist

5. Cyber security audits and technology investment

Fifty-five percent of UK businesses reported a cyber attack in 2019. This represents a 15 percent increase since 2018. Hackers are finding new and innovative ways to attack businesses, so you need to remain vigilant.

Cyber security is not a one-off task, it’s a continuous programme of measures that require constant review and improvement.

You should regularly carry out cyber security risk assessments of your existing technology. This should include audits on all business hardware and software. You should also ensure that you have the most up-to-date versions of all antivirus software.

Applying regular patches and updates to all your software is important to remove known vulnerabilities. Even if you don’t upgrade your hardware, turn on automatic updates to make sure your business is secure.

Once you’ve updated all your software, prioritise the other areas where technology may be able to address key security risks. This is important as, unless you have unlimited resources, you need to address the most critical risks to your business first.

Here are some of the security technologies we’d recommend investing in if you haven’t already:

  • Security Information and Event Management (SIEM). This technology collects, analyses and reports on log data, highlighting threats and suspicious activity in your IT environment.
  • Intrusion Prevention and Detection Systems (IDS/IPS). Combined, these two solutions both defend your business against hackers and discover any that may gain entry to your systems.
  • Advanced Threat Protection (ATP) and behavioural analytic tools. This tells you when a breach has occurred and lets you know how they gained access, what the threat is and where it is going within your system.

You can access these solutions (and many more) by partnering with the right managed service provider. They can bring the required skills and resources to defend your retail business against cyber threats.

Cyber security audits and technology investment checklist

Activity Person Responsible Date Completed Details
Carry out regular audits on all business software Check all business software for available updates. (Apps, antivirus, operating systems etc)

Update any and all software that requires it.

Immediately schedule the next check or turn on automatic updates.

Carry out regular audits on all business hardware Check business hardware is still under support from the hardware vendor.
Prioritise investment areas on further security technology Consider the best areas to invest in security technology and prioritise based on your business need.

Download this checklist

Create a culture of continuous improvement around cyber security

We hope that this checklist has been useful in helping you highlight and examine your retail business’s cyber security.

We also hope that we have shown you that for your business to be truly safe, you need ongoing improvements and reviews to maintain effective security. After all, if your cyber security slips, you could suffer hefty fines and reputation damage you may never recover from.

For your retail business, true ongoing, effective cyber security is possible. But it requires skill, effort and a time commitment you may not have.

When doing things right is so difficult and the consequences are so severe, why not get some help from a retail cyber security expert?


If you’d like to find out how Redcentric can help keep your retail business safe, get in touch today and chat to one of our experienced team of retail IT security experts.


Related Posts



0800 983 2522