Perspectives

Eight Ways Retailers Can Avoid Digital Theft

2015-04-09


What went wrong at Target, Home Depot, Sony and other victims of widespread security breaches and how can concerned retailers ensure their names don't end up in negative headlines? Our security expert Beth Musumeci explains the stakes and outlines your checklist.

There's never been anything like it. Target, TJ Maxx, Home Depot, Sony, Advanta and hundreds of banks have all been victims of 21st century digital theft. Millions of consumers had their data exposed, and reported cases last year accounted for more than a billion and a half dollars in U.S. losses.

Retailers make a particularly attractive target for hackers, thieves and even nation states. Merchants handle large volumes of sensitive data, they are highly distributed (i.e., lots of open doors) and, in the words of bank robber Willie Sutton, "That's where the money is." And not just actual money: stolen identities can now be monetized almost without limit.

Figure 1

On average, individual corporate victims lose hundreds of thousands of dollars and up to hundreds of millions in the case of Target. That includes actual losses, investigation and reporting costs, insurance and banking fees, regulatory and security compliance and, of course, liability lawsuits. Needless to say, the best way to respond to a data breach is not to have one. Constructively speaking, that means doing everything within your power to prevent sophisticated (and not so sophisticated) hackers from breaking and entering.

Retailers can do just that by adhering to the following eight practices, says Beth Musumeci, our Vice President of Enterprise Risk and Security. Her advice:

Know your vulnerabilities.

Every organization has actual and potential vulnerabilities. Some are obvious; some are less so. You'll never know them all, but you can better anticipate and manage them with continuous, collaborative vulnerability assessments that measure your exposure. Remember, the hacker assumes you are compliant with whatever regulations apply to your business. He doesn't have a checklist; he has a mission. You should, too.

Validate, validate, validate.

Never assume that something has been done or fixed. Demand proof. In the TJ Maxx hack, the testers assumed the wireless network was disabled. It wasn't, and the rest is history. Moral of the story: confirm the status of everything on every network. That includes computers and devices you believe are no longer operational, as well as the ones that were never turned off or formally decommissioned. Far too often, hardware isn't updated with the latest security measures because nobody believed it was still part of the network. So validate your assumptions. Then do it again.
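The validation step above is mechanical once you treat the inventory as a claim and the network as the evidence. The following is an added example, not code from the article or from Cognizant: it reconciles a (constructed) inventory export against a (constructed) scan result and flags hosts nobody knows about, "decommissioned" hosts that still answer, radios that are supposedly disabled but are beaconing, and active hosts that have gone quiet. Field names, addresses and hostnames are assumptions for illustration.

```python
"""Reconcile what the inventory claims is on the network with what actually answers.

Added example; the inventory rows and scan results below are constructed.
In practice the inventory comes from a CMDB export and the scan from
nmap, ARP/DHCP leases or switch MAC tables.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRecord:
    ip: str
    hostname: str
    status: str        # "active" or "decommissioned"
    wireless: bool     # inventory claims a radio is enabled on this host


@dataclass(frozen=True)
class ScanResult:
    ip: str
    responding: bool
    open_ports: tuple  # e.g. (22, 443)
    wireless_seen: bool  # a radio was observed beaconing from this host


# Constructed inventory: what the spreadsheet says.
INVENTORY = [
    InventoryRecord("10.1.1.10", "pos-01", "active", wireless=False),
    InventoryRecord("10.1.1.11", "pos-02", "active", wireless=False),
    InventoryRecord("10.1.1.12", "pos-03", "active", wireless=False),
    InventoryRecord("10.1.1.50", "old-backoffice", "decommissioned", wireless=False),
    InventoryRecord("10.1.1.60", "store-ap", "active", wireless=False),  # "radio disabled"
]

# Constructed scan: what actually answered.
SCAN = [
    ScanResult("10.1.1.10", True, (443,), False),
    ScanResult("10.1.1.11", True, (443,), False),
    ScanResult("10.1.1.50", True, (22, 445), False),  # decommissioned, still alive
    ScanResult("10.1.1.60", True, (80,), True),       # radio is beaconing after all
    ScanResult("10.1.1.99", True, (23,), False),      # not in the inventory at all
]


def reconcile(inventory, scan):
    """Return findings keyed by category; each finding is an IP address.

    unknown:           responding host with no inventory record
    zombie:            inventory says decommissioned, but the host answers
    wireless_mismatch: inventory says no radio, scan saw one beaconing
    missing:           inventory says active, but nothing answered
    """
    by_ip = {r.ip: r for r in inventory}
    seen = {s.ip: s for s in scan if s.responding}
    findings = {"unknown": [], "zombie": [], "wireless_mismatch": [], "missing": []}

    for ip, result in seen.items():
        rec = by_ip.get(ip)
        if rec is None:
            findings["unknown"].append(ip)
            continue
        if rec.status == "decommissioned":
            findings["zombie"].append(ip)
        if result.wireless_seen and not rec.wireless:
            findings["wireless_mismatch"].append(ip)

    for rec in inventory:
        if rec.status == "active" and rec.ip not in seen:
            findings["missing"].append(rec.ip)

    return findings


if __name__ == "__main__":
    for category, ips in reconcile(INVENTORY, SCAN).items():
        print(f"{category:18s} {', '.join(ips) or '-'}")
```

Every non-empty category is a question for a named owner, not a report to file: an "unknown" host and a "zombie" host are exactly the devices that never receive patches, and a "wireless_mismatch" is the TJ Maxx assumption failing in front of you. Re-run the reconciliation on a schedule, because the inventory drifts as fast as the network does.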

Know your partner network.

Sure, you know your network. But your own systems aren't the only things on your network. Point of sale terminals, suppliers, administrators, HR managers and thousands of others connect to it from the outside. Know who they are and what their security looks like. All the time. The Target attack occurred because a Pittsburgh HVAC vendor had legitimate access to Target's network for billing and invoicing. That company's vulnerability ultimately became Target's. It's not enough to have a contract requiring partners to secure things on their end. You must test partners' security in addition to your own, and limit what each partner's access can reach.
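Testing a partner's security is one half of the lesson; the other half is making sure that a partner whose credentials are stolen can reach only the one system they were given access for. The following is an added example, not code from the article or from Cognizant: it audits a constructed set of firewall rules against a per-partner allowlist of (destination zone, port) pairs and a set of segments no third party may ever reach directly. Zone names, rule names and the allowlist are assumptions for illustration.

```python
"""Audit firewall rules for third-party access that reaches further than it should.

Added example; rules, zone names and the allowlist are constructed.
A real run would load the rule base from the firewall's export format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: str   # "443", "3389", ... or "any"
    action: str     # "allow" or "deny"


# The only (zone, port) pairs each partner zone is contractually allowed to reach.
PARTNER_ALLOWLIST = {
    "partner-hvac": {("vendor-portal", "443")},
    "partner-payroll": {("hr-apps", "443")},
}

# Segments no partner may reach directly, whatever the allowlist says.
PROTECTED_SEGMENTS = {"cardholder-data", "pos-lan"}

# Constructed rule base. The "convenience" rules are the ones that end up in headlines.
RULES = [
    Rule("hvac-billing", "partner-hvac", "vendor-portal", "443", "allow"),
    Rule("hvac-rdp-convenience", "partner-hvac", "pos-lan", "3389", "allow"),
    Rule("hvac-any", "partner-hvac", "corp-lan", "any", "allow"),
    Rule("payroll-ok", "partner-payroll", "hr-apps", "443", "allow"),
    Rule("payroll-block-chd", "partner-payroll", "cardholder-data", "any", "deny"),
]


def audit_partner_rules(rules, allowlist=PARTNER_ALLOWLIST, protected=PROTECTED_SEGMENTS):
    """Return (rule name, reason) for every allow rule from a partner zone that
    reaches a protected segment, uses port 'any', or is not on that partner's allowlist."""
    violations = []
    for r in rules:
        if r.action != "allow" or r.src_zone not in allowlist:
            continue  # deny rules and internal-to-internal rules are out of scope here
        if r.dst_zone in protected:
            violations.append((r.name, f"partner zone reaches protected segment {r.dst_zone}"))
        elif r.dst_port == "any":
            violations.append((r.name, "port 'any' is not a specific allowlisted service"))
        elif (r.dst_zone, r.dst_port) not in allowlist[r.src_zone]:
            violations.append((r.name, f"{r.dst_zone}:{r.dst_port} not allowlisted for {r.src_zone}"))
    return violations


if __name__ == "__main__":
    for name, reason in audit_partner_rules(RULES):
        print(f"{name}: {reason}")
```

The allowlist is the contract expressed as data: when the partner's scope changes, the allowlist changes and the audit tells you which rules no longer match. Run it on every rule-base change, not once a year.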

Always keep an eye on the back door.

One of the most common ways into a network is through default passwords or factory hardware configurations, frequently on the point of sale terminal. To counter this, every single POS terminal must have its defaults removed. Every one of them. All the time. A reboot or factory reset can restore them, so they may have to be removed again afterward. The same is true for every wireless router and connection. And since attackers are also moving upstream, you must validate your entire supply chain to prevent malware from being inserted before hardware or software ever reaches you. Insist that your vendors do the same.
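"Removed defaults" is another claim to verify rather than assume, and a factory reset quietly reverses it. The following is an added example, not code from the article or from Cognizant: it audits constructed device configuration exports against a list of known factory credentials, default SNMP community strings and factory SSIDs. Vendor names, default credentials and the export fields are assumptions for illustration; real default lists come from the vendor's documentation for each model you deploy.

```python
"""Find POS terminals and access points that are still running factory defaults.

Added example; vendor names, defaults and device records are constructed.
Assumes the device export carries an unsalted SHA-256 of the admin password;
with a salted hash, hash each candidate default with the device's salt instead.
"""
import hashlib


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed factory credentials per vendor (user, password). Not real product data.
KNOWN_DEFAULTS = {
    "AcmePOS": [("admin", "admin"), ("admin", "1234")],
    "WidgetWiFi": [("admin", "password"), ("root", "")],
}

DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

# Constructed config exports: one clean terminal, one reset back to defaults, one AP untouched since unboxing.
DEVICES = [
    {"host": "pos-01", "vendor": "AcmePOS", "user": "admin",
     "pw_sha256": sha256_hex("admin"), "snmp": "public", "ssid": None},
    {"host": "pos-02", "vendor": "AcmePOS", "user": "admin",
     "pw_sha256": sha256_hex("S7ore!2015-kx"), "snmp": "r0-9d1c", "ssid": None},
    {"host": "ap-store", "vendor": "WidgetWiFi", "user": "admin",
     "pw_sha256": sha256_hex("password"), "snmp": "private", "ssid": "WidgetWiFi-Setup"},
]


def audit_defaults(devices, known=KNOWN_DEFAULTS, weak_snmp=DEFAULT_SNMP_COMMUNITIES):
    """Return (host, issue) pairs for every factory default still in place."""
    findings = []
    for d in devices:
        # Hash the vendor's defaults and compare, so the audit never needs the plaintext password.
        default_hashes = {(u, sha256_hex(p)) for u, p in known.get(d["vendor"], [])}
        if (d["user"], d["pw_sha256"]) in default_hashes:
            findings.append((d["host"], "factory admin credential"))
        if d["snmp"] in weak_snmp:
            findings.append((d["host"], f"default SNMP community '{d['snmp']}'"))
        if d["ssid"] and d["ssid"].startswith(d["vendor"]):
            findings.append((d["host"], f"factory SSID '{d['ssid']}'"))
    return findings


def hosts_with_findings(devices):
    return sorted({host for host, _ in audit_defaults(devices)})


if __name__ == "__main__":
    for host, issue in audit_defaults(DEVICES):
        print(f"{host}: {issue}")
```

Because a reset restores the defaults, the useful trigger for this audit is a reboot or reset event on the terminal, not the calendar: run it whenever a device comes back up, and treat any finding on a terminal that was clean last week as a sign that someone reset it.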

Know your vendors and who they sleep with.

This includes not just your hardware and software suppliers, but also your lawyers and accountants, HR and recruiters, architects and engineers, consultants and other third parties, cloud providers, and business and technology service providers. Any of them can introduce a vulnerability into your network. So make sure they are trained and that they agree to your policies and data-handling procedures. Then work your way up their supply chains, since their vendors can introduce vulnerabilities into your network as well.

Prepare an "IoT" strategy.

You think it's bad now? Just wait. Once the Internet of Things is fully realized, there will be exponentially more data exposure, more vulnerable data handlers and more open doors (billions of them) by way of all the new connected devices. Don't be afraid of this technology. OK, be a little afraid. Then develop a strategy. Make these IP-aware, addressable devices work for you instead of against you.

Learn to say "yes."

When confronted with new technology and its associated liability, too many companies are too quick to say "no." The lawyers say "no," the regulators say "no," the CIO and IT directors all say "no": no USB, no WiFi, no cloud, no IoT, no RFID, no iPay. That's the wrong answer. If you prohibit useful technology, your people will simply move to simpler, often less secure workarounds. So at least say "maybe." Yes is better. Then secure whatever is deemed useful instead of fearing it.

Make this a "chief executive" concern.

Preventing data theft isn't just a security issue, nor just a technology, legal or compliance issue. It's a company-wide concern, fundamental to the very core of retail. Security is not something you bolt on; it is integral to every single business decision. Thus, security is a CEO and board of directors' issue. It enables and empowers every aspect of the company. With so much at stake, it deserves a seat at the big boy table, as well as a big boy budget and the ear of the CEO.

To learn more, please visit Cognizant's Enterprise Risk & Security Solutions Practice.
