Fragile retailers must take control of their own cyber security measures or risk further damaging consumer confidence
Earlier this week Dixons Carphone reported that a huge data breach, which took place last year, involved 10 million customers, up from its original estimate of 1.2 million. According to Simon Bain, CEO of BOHH Labs, with consumer confidence towards the high-street already fragile, retailers simply can’t afford to demonstrate lax attitudes in cyber security, notably towards threat detection methods.
Earlier this year the Centre for Retail Research issued findings, reinforcing the severity of the situation facing UK high-street retailers. The report revealed that since 2012, 61,000 stores had been forced to close, with 2018 expected to be the worst year since the financial crash of 2008. Already the UK has lost the retailer Toys R Us in 2018, while brands including Marks and Spencer, New Look, Carphone Warehouse, Mothercare and Carpetright are all closing a number of stores in restructuring programmes to try and adjust to the digital economy.
According to Bain, with a number of businesses on a knife-edge and few signs of recovery on the horizon, the last thing retailers need are high-profile incidents, similar to the Dixons Carphone breach, which will only serve to damage brand reputation and dent confidence further.
“Unfortunately, it appears to be the case of another day, another breach. This time it is Dixon Carphone – a major UK high-street retailer – which saw the names, addresses, and email addresses of anywhere from 1.2 million customers to 10 million, exposed. While the breach has only just come to light, it’s been revealed that the incident actually occurred back in July 2017. Worryingly, this reinforces how in the dark organisations are when it comes to security – in this case, for almost an entire year, the company had NO idea it had been impacted by a data breach. For a sector already with its back to the wall, this will only create more concerns and nervousness amongst both retailers and consumers.”
Bain continued discussing the specifics of the Dixons Carphone breach: “While findings on the how, who, and why of this particular attack are still coming to light, it does bring up a critical point around cyber security – breach detection is not protection. In fact, in a recent study sponsored by IBM Security with research independently conducted by Ponemon Institute, the 2018 Cost of a Data Breach Study finds that the Mean-time-to-identify (MTTI) a breach is 197 days, and the Mean-Time-to-Contain (MTTC) is 69 days. This means that on average, it takes half a year to identify a breach! Imagine how much data an attacker could get in that amount of time while going unnoticed – the results will simply be catastrophic.
“This figure is unacceptable, especially since the security industry has seen greater support for threat detection tools over the last several years. This ranges from everything like network threat detection and understanding and monitoring traffic patterns, to endpoint threat detection and tracking information/behaviours on user machines and even popular threat intelligence tools like AI and ML for their self-learning capabilities and ability to recognise patterns and anomalies.
“Unfortunately, the industry has made people believe that detection can work. We are certainly not saying that no detection solutions work, and they should be removed from your security strategy all together, but it is clear detection alone is not enough. What we need is a new way to protect our data.”
“At BOHH, we believe the core focus must be on protecting the data at the foundation level. Given that a business will easily spend millions on their data protection solutions, it would only make sense to secure the data itself as it comes through and sits in your database.
“Finding data-centric solutions like a Secure-Data-as-a-Service (SDaaS) solution that acts as a layer between the user/application and the back-end data store, enables protection of all stored data, no matter where it is located. It does this by uniquely providing field level security, removing these fields from the source, storing the encrypted data and separately, without changing the underlying database structure or using a keystore to manage the encryption keys. By doing this, organisations are removing not only the hacker threat to the data, but also the more prominent insider threat.
Bain concludes: ““Placing the emphasis on the data itself, not just where it comes from or where it is stored or being transacted to, it enables better protection for both external and internal threats that organisations desperately need to keep sensitive information protected. Considering how vulnerable the UK high-street is presently, it’s imperative retailers take control of their own security measures and leave nothing to chance!”