Target. Adobe. AOL. eBay. What do they have in common? Big companies that have been the victims of big security breaches over the last year. In the case of online auction site eBay, over 145 million records were compromised, while Target dealt with upwards of 70 million breaches. While the rise of e-commerce and cloud data storage has proven to be a boon for consumers, a host of compliance and security challenges has emerged. How do retailers protect their bottom lines?
Security Challenges and Profit/Loss
According to recent IBM research, data breaches significantly impact consumer confidence. In the case of one major breach, for example, the company saw a 46 percent drop in profit the quarter after the breach occurred. And while malicious actors are becoming more sophisticated, learning to ape the actions of legitimate consumers and distract retailers with DDoS attacks as they steal customer data, the public has little patience even in the case of advanced threats or zero-day attacks. Why? Consider the high value of stolen credit card data. Posted online, this data can instantly start generating revenue for attackers and causing serious headaches for consumers. Here, your customers’ bottom line is most important: If you hold their data, you must keep it close to your chest.
“The financial and reputational damage that can be inflicted on a retailer by a major security breach can be so severe, and so destructive, as to approach the financial and reputational damage a commercial airline might suffer from a serious accident,” IBM’s Global Retail Solution Lead Mark Yourek notes in a recent Insights on Business series on retail security.
With data breaches presenting such a significant risk, it only makes sense for companies to take every defensive avenue possible; but according to Dark Reading, almost one-tenth of retailers haven’t reported any cyber risks in financial documents filed with the SEC since 2011. What’s more, only 9 percent consider outsourced vendors a potential threat source and fewer than 10 percent have purchased insurance to cover any cyber exposures, accidental or otherwise. In other words, retailers don’t seem that concerned.
Threat Vectors
Breaches pose a real risk to confidence and profit; but are they really so common? As noted in the second article in Yourek’s series, retail is one of the top five targeted industries. Why? Because retailers process massive amounts of financial data, and many do so from multiple stores across multiple states every single day. As a result, there are hundreds of potential access points for an attacker. It’s safe to assume that, at any given moment, every major retailer in the U.S. is under attack; even if 99 percent of these attacks are deflected, the threat is real — and continuous. It’s also worth noting that security and compliance are not the same thing. Since PCI DSS compliance can be a long and complex procedure, it’s often easy to equate the process with effective security. Compliance is simply adherence to government or industry data-handling standards; security is the defense of that data.
So where do these attacks come from? While much has been made of disgruntled ex-employees or those with intimate knowledge of a company, only 3 percent of all attacks come from insiders. Just under 1 percent come from inadvertent actions, while 83 percent come from outsiders. And the reason for these attacks? In most cases it’s not high-level espionage, terrorism or social activism but simple, opportunistic behavior. Hackers know these companies are high-value targets and are therefore willing to toss whatever they can at retail networks to see what sticks.
But what creates these opportunities? Five factors stand out:
- End users accessing malware-laden websites or downloading infected files,
- Weak passwords,
- Insecure system configurations,
- Legacy or unpatched technology,
- Poor network security.
Effective Protection
So how can retailers overcome these security challenges to protect their bottom line? An in-depth security strategy is the key, and it starts with establishing a culture of security and speed. Users must be educated in effective password creation and safe network use, and monitored while on corporate networks. Companies must also have a broader security plan in place, one that contains elements to effectively contain a breach, assess the damage, remove the vulnerability and then communicate responsibility to the public; a speedy response can help mitigate total damages and minimize the loss of consumer confidence.
IBM’s white paper uses the example of a multinational supermarket chain that wanted to make it easier for employees to share data and communicate internally. By designing a single sign-on (SSO) personalized work environment for every user combined with automatic access rights updates and monitored network use, the retailer was able to increase productivity without compromising security.
Network defense is also critical and must be viewed as a series of access points rather than a single, defensible perimeter. For example, retail organizations must secure network points that include POS terminals, e-commerce websites, third-party vendor links, employee access points and, increasingly, IoT-based devices such as printers and security cameras. Each network connection must be considered a potential breach point, even if it is only peripherally connected to “crown jewel” components. As a result, each connection requires security protocols that reflect its function as a part of the larger network.
Finally, retailers must make use of analytics-based security tools. These tools scan incoming data and resource requests to identify anomalous behavior, then report this behavior to IT admins for further study. Effectively spotting odd behavior starts with monitoring everything from infrastructure logs to network data packets and DNS transactions, but to be truly proactive, the monitoring must go several steps further, reporting any odd network behavior in real time and intelligently adapting to network use patterns. The ideal analytics solution needs minimal oversight and should return few, if any, false alerts.
The New Security
Retailers are on the most-wanted list for hackers, who use opportunistic attacks to get in, get what they want and quickly get out. The first step in addressing retail security challenges is recognizing their destructive potential and coming to terms with the fact that no business is truly safe. Next, companies must determine how these opportunities are being created; finally, they must develop a holistic, end-to-end security model. Protecting the bottom line is no easy task, but by addressing the severity of attacks, assessing the scope of threat vectors and then designing an in-depth solution, it’s possible to minimize security risk.