As c-store retailers implement enhanced inventory-management solutions, they should also consider doing more to secure inventory data.

By Ed Collupy

So much of the attention on data security in the last few years has been focused on payments and many companies throughout the convenience fuel retailing industry have implemented measures to protect their customer’s data.

But industry leaders indicated in a recent survey that data security, beyond payments, was high on their list of what keeps them up at night.

During this same period many leading c-store operators have been implementing enhanced inventory-management solutions that result in significant cost savings freeing up capital due by reducing overstock, having the right items in stock to meet customer demand, and being able to more accurately measure category margin performance.

In another recent study, shared at the RetailROI Super Saturday event, inventory management systems rank No. 3 for where retailers will be making investments in 2017.

RISK MANAGEMENT
Taking a view of data security through an information risk management lens leads one to realize that there is much at stake should any information driving business processes and decisions be breached. Any disruption that doesn’t ensure an adequate inventory of product to be sold is a serious concern and should be backed up in a business continuity planning process.

With many back-office and inventory management systems now available as hosted or managed service offerings (i.e.“the cloud”) third-party information risk management and data security should be a priority in any agreements between the retailer and software/service providers.

Securing inventory data also means securing price book data where you maintain your vendor/wholesaler costs and retails. Ensuring this data doesn’t find its way into competitors’ hands is important and some retailers may be contractually obligated to maintain the confidentiality of the product costs with their suppliers.

Data security is important when it comes to the inventory management lifecycle whether it’s receiving product from vendors, regular inventory checks and audits or ordering product.

Traditionally, there are three primary reasons for closely managing inventory data:
1. Ensuring your replenishment plan is sufficient to meet sales—keeping product on the shelves without building too much inventory;
2. Managing shrink—making sure that you’re actually selling the product rather than it disappearing; and
3. Making sure that you are making sufficient margin—that the costs and prices are current and accurate.

Security threats to these objectives could be a sales disruption or more serious impact where people, internally or externally, develop a scheme including systematically hacking into and modifying inventories.

PREPARING A DEFENSE
The cost of data breaches is getting cheaper for hackers, and access to the toolsets required to perform the hacks are becoming more readily available; tapping into your inventory data is becoming a more critical attack vector. The FBI in January issued an alert about “a definite uptick” in ransomware in businesses and other organizations.

Not only are these hackers demanding money to unlock what they’ve done, they also threaten to release sensitive or proprietary information. These infections can be devastating and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

A key consideration around data security and inventory management is to have in place a broad and complete security approach for third-party suppliers and vendor personnel, who have access into your systems. An integrated in-store system of point of sale, electronic payment system and back-office controllers create multiple entry points and a source of inventory data. If you allow third parties to access it, you have additional security work to do.

Consider the following as part of your defense strategy:
• Utilize or create an extranet for your supply chain systems with adequate separation from your other systems that contain sensitive data;
• Make sure you have solid Identity and Access Management standards, and apply them to third- party personnel accessing any of your systems;
• If third-party suppliers are accessing your store systems directly, secure those network connections.

Why do all this? Well, to prevent access to your margins, volume movements, daypart peaks and valleys, and the performance of your new food offer are just a few data points to safeguard.

A colleague at W. Capra, Matt Beale, whose team specializes in all things security—said recently, “And here’s the kicker… if your inventory data is walking out the door, how long do you think it will be until your credit card data or personnel data is holding its hand on the way out?”
In that case, the results can be catastrophic.

Ed Collupy, executive consultant at W. Capra Consulting Group has IT leadership and business team experience directing and supporting retail systems for store operations, merchandising, fuel and accounting teams in the c-store industry. He can be reached at [email protected].