In this digital age, an emphasis on cybersecurity should be top of mind when planning any kiosk project budget. According to the Breach Level Index, nearly five million data records are lost or stolen worldwide every single day, which equates to 58 records every second. In 2018, the US average cost of a breach was $7.9M with well-known companies such as BestBuy, Macy’s, Delta, ADIDAS, and several more forced to sort out the financial and reputation fallout of being hacked. Given the disturbing headlines, nearly all companies have dedicated significant portions of their IT budgets to protect their systems, transactions, and customer databases. Self-service kiosks are no exception within the retail transaction environment. Kiosk-enabled consumers need to have absolute trust and confidence that their self-service payments are being managed securely without any opportunity for compromise. In other words, vigilant security management in self-service deployments is no longer an option, it’s a requirement.
There are several mandatory security measures to take into consideration when planning a clean kiosk deployment. The most fundamental step is starting with best practices for system image management and standardization. A clean and properly configured golden system image is the foundational layer of a secure deployment. This would include eliminating all pre-loaded operating system processes and services that are not directly tied to the kiosk operation. By disabling the native shell / GUI in favor of a stripped-down (vector-free) alternative, the number of cybersecurity threat entry points are effectively mitigated.
In the ongoing war against zero-day vulnerabilities (an exposure point discovered by a hacker before a developer or operator), automated security patch management is an invaluable weapon in your cyber-security toolkit. Experts at Cybersecurity Ventures predict that by 2021, there will be one new zero-day exploit every day. To combat this, Microsoft releases monthly security patches to close the loop on these vulnerabilities discovered after a release to market. If these security patches are not regularly deployed, the end points are much more likely to be exploited by malware and/or hackers. Any kiosk administrator must stay current by sending automated patching updates frequently, minimizing any chance of vulnerabilities infiltrating the system over time.
In addition to OS preparation and security patch management, mastering endpoint security is among the most important elements of any cybersecurity arsenal. Comprehensive endpoint security is built with layers of necessary controls to protect your hardware from a breach on several complex fronts. Controls include:
- Host Device Control – Governed by a pre-defined whitelist of specific hardware components. All others are inoperable.
- Stateful Firewall & Packet Inspection – Managed with highly defined rules for inbound and outbound traffic regulation endpoint communication (who and what can communicate, and how will that happen).
- Active Threat Prevention – An integrated, extensible security solution that protects endpoints against known and unknown threats including malware, suspicious communications, unsafe websites, and downloaded files. This tool also prevents threats from accessing systems, scans files automatically when they are accessed, and runs targeted scans for malware on client systems.
- Host Intrusion Prevention – Provides low-level control over functions within the endpoint’s Operating System beyond the Firewall and Device Control modules.
- Full Drive Encryption – Obscures the underlying endpoint data and prevents unauthorized access.
To round out your cybersecurity strategy, a best practice is to conduct an objective and ongoing third-party review of the end to end solution, including documentation and processes. This external review is paramount in driving consumer confidence and obtaining PCI DSS compliance. In fact, according to the 2019 Cost of a Data Breach Report by IBM Security and the Ponemon Institute, concerted use of encryption, data loss prevention, threat intelligence sharing, and integrated security into the software deployment process are key cost mitigators for data breaches. Utilizing industry best practices to persistently evolve the solution is essential since security issues are dynamic with ever-changing breach risks.
The complexities of building, evolving and certifying a fully robust security solution can be costly, time intensive and daunting to take on from the ground up. Many clients are not armed with the necessary Security Engineering talent or third-party consultant resources, nor are they necessarily expecting to invest the significant time and energy developing complex systems to protect their deployment from devastating threats. Because KIOSK Information Systems recognizes the importance of closing this solution gap, we have invested heavily in building a professional Managed Services offering to provide clients with an end to end, fully vetted, and turnkey security solution. We employ a team of Security Engineers who have built a battle-tested security suite adopting best in class technologies, policies and processes to drive solutions to market quickly and securely. We commit substantial time with our prospective clients emphasizing the importance of including IT and security management tasks as an essential budget line item. In the end, whether it’s done in-house, contracted, or some combination of both – we cannot over-emphasize the importance of this service element as an integral part of a successful kiosk solution deployment.
Authored by Jeff Collinsworth, Managed Services Manager
KIOSK Information Systems