Chris Stoneff is Director of Professional Services at Lieberman Software
My experience in cyber security tells me that the retail sector probably represents the most fertile ground for cyber criminals. That’s because professional hackers understand that retail has never focused on IT security to the extent seen in other industries (like banks or payment processors) that handle customer payment card data. For most retailers, IT security is seen as a reactionary spend to resolve point in time incidents. With IT being perceived as a place to continuously reduce costs, the idea of investing in cyber security, unless absolutely mandated, is a waste of shareholder profits for many CEOs.
Security Takes a Back Seat
The business mentality of most retail organizations is to maximize return on investment by controlling costs, driving down prices, and turning over inventory as quickly as possible. Investing in information security to protect private customer financial information seems like a distant afterthought.
Take, for instance, the recent headline-grabbing data breaches at Staples and Home Depot. The executives at these businesses likely see other retailers as their biggest threats to profitability. You can bet that not a single executive lost sleep worrying about cyber criminals until after the data breaches occurred.
A big factor in retailers’ complacency has been that no amount of negative publicity seems to stop people from buying the retailers’ goods for very long. And any blip on the organizations’ stock market valuations is only momentary. The retail sector relies on humans’ short memories, since within a day or two the most prominent data breaches seem to become yesterday’s news. Most retailers have been right to assume that business will continue normally once they’ve ridden out a little bad publicity and replaced a few thousand loyalty cards. As a result, there’s been too little incentive to treat customers’ private data with care.
I think that most consumers would be horrified with the state of IT security at many retailers – especially given that these companies handle millions of payment card transaction daily, and collect a startling depth of private data for targeted marketing campaigns. To get an idea of the reams of sensitive customer data inside of retailers’ computers, consider the story of one retailer’s data collection process that’s so deep and precise, the company inadvertently tipped off the father of a teenage girl about his daughter’s pregnancy – before she’d told family members.
The Hidden Value of Customer Data
When it comes to protecting customers’ private data, the retail industry largely falls back on regulatory standards such as PCI-DSS. And in some cases these companies have been perfectly happy to pay the fines associated with non-compliance, rather than fix the problem.
It’s a puzzling situation. Despite high-profile data breaches where hackers specifically target retailers like Staples and Home Depot – there still seems to be a universal disregard of the poor state of security. You would think that senior IT security professionals working in this industry would make it a top priority to deal with the problem. Especially since they are likely to be the first to join the unemployment line after a breach, as we saw when Target’s CIO was asked to resign.
If we were to see a major retailer banned from handling payment card transactions for even a limited time, it would definitely serve as a wakeup call – but you can probably forget about this ever happening. Not until a major retailer takes a debilitating blow to its bottom line, its CEO is publicly named and shamed, and a good, old action lawsuit drains investors’ pocketbooks will other retailers wake up and notice.
While retailers might not seem terribly worried about security, as a customer you certainly should be. From a consumer standpoint, the theft of personal data is a significant risk. Whether it’s credit card information or your behavioural data, your private information could command a high price on the black market. Personal data of all kinds is the lifeblood of criminals who launch spear-phishing attacks. Building a website to look like a retailer’s site and sending out emails offering great deals isn’t terribly difficult, and many unsuspecting shoppers could fall for the “great offers” on the fake website. The subsequent theft of a consumer’s personal data is the first step toward accessing their bank account.
How to Secure Customer Data
The threat landscape changes every day, cyber criminals are learning and adapting, and every organization has to accept the fact that – at some point – they will almost certainly be compromised. Overdependence on perimeter security tools like firewalls and antivirus means that once the network perimeter is breached, hackers are more likely to gain easy lateral movement inside the network. And while antivirus and intrusion detection systems can react to known threats, they’re of little use against the zero-day attacks launched by sophisticated criminal gangs.
Fortunately, there are practical steps that retailers can take to strengthen security. First, there needs to be increased dialog between the IT group and corporate management, especially as online shopping becomes a greater part of the revenue stream. Too often IT’s warnings about security risks are ignored – sometimes because of the perceived costs associated with implementing solutions. The fact is, most IT departments fail to effectively communicate to executive management the real potential outcomes of lapse security – nor do they provide enough security awareness training to those who control the purse strings.
There also needs to be a broadening of the scope of regulatory compliance standards – both in the US and Europe – to cover all personal data, not just information related to bank and credit card transactions. It would also help if these regulatory mandates had teeth. The ineffectiveness of regulations such as PCI-DSS is demonstrated when retailers implement just enough security to “satisfy the auditors”, but never anything more.
Finally, retailers can save themselves – and the rest of us – a lot of grief if they’d simply focus on security fundamentals. If we’re to assume that targeted attacks against retailers eventually succeed, and at least some level of intrusion will occur, what happens next? How far into the network can the criminals reach, and how long can they remain there?
Retailers must ask – if conventional perimeter security products can’t stop advanced cyber attacks, which security solutions can restrict the lateral motion of intruders who do manage to penetrate the network? More importantly, what happens when this unrestricted and anonymous access isn’t prevented, or even detected?
Top five tips on how retailers can avoid a data breach:
- Understand where all your customer data resides on your network and make sure it is all adequately protected
- Make sure all customer data is protected, even the information stored on laptops and mobile devices
- Deploy a solution which allows you to keep track of data which moves. This will enable retailers to track where customer data has been, where it’s headed and most importantly whether or not it was encrypted during flight
- Employ an IT security expert. Don’t just rely on your IT team to manage security – hire a security expert who knows exactly what they are doing and how to protect your sensitive assets.
- Implement an encryption policy. Ensure all the data residing on your network is encrypted so that if any unwanted intruders do gain access, they will still not be able to understand any data stored