There's never been anything like it. Target, TJ Maxx, Home Depot, Sony, Advanta and hundreds of banks—all victims of 21st century digital theft. Millions of consumers were violated and over a billion and a half in U.S. losses were counted last year in reported cases.
Retailers make a particularly attractive target for hackers, thieves and even nation states. This is because merchants handle lots of sensitive data, they are highly distributed (i.e., lots of open doors) and, in the words of bank robber Willie Sutton, "That's where the money is." Not just actual money—limitless fortunes can be made with stolen identities now.
On average, individual corporate victims lose hundreds of thousands of dollars and up to hundreds of millions in the case of Target. That includes actual losses, investigation and reporting costs, insurance and banking fees, regulatory and security compliance and, of course, liability lawsuits. Needless to say, the best way to respond to a data breach is not to have one. Constructively speaking, that means doing everything within your power to prevent sophisticated (and not so sophisticated) hackers from breaking and entering.
Retailers can do just that by adhering to the following eight practices, says Beth Musumeci, our Vice President of Enterprise Risk and Security. Her advice:
Know your vulnerabilities.
Every organization has actual and potential vulnerabilities. Some are obvious, but some are less so. While you'll never know them all, you can better anticipate and manage them with continuous and collaborative vulnerability assessments to help measure your exposure. Remember, the hacker assumes you are compliant with whatever regulations apply to your business. He doesn't have a checklist; he has a mission. You should, too.
Validate, validate, validate.
Never assume that something has been done or been fixed. Demand proof. In the TJ Maxx hack, the testers assumed the wireless network was disabled. It wasn't and the rest is history. Moral of the story: Make sure you confirm the status of everything on every network. That includes computers and devices you don't think are operational or that were never turned off or formally decommissioned. Far too often, hardware isn't updated with the latest security measures because nobody believed the devices were part of the network. So validate your assumptions. Then do it again.
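The "confirm the status of everything on every network" step can be made routine rather than a matter of belief. The following is an added example, not Cognizant's or the author's code: it reconciles an asset register (what the organization believes is deployed, with a decommissioned flag) against the hosts a discovery sweep actually saw. Both data sets below are constructed; the record fields and the three finding categories are assumptions about how such a register might be laid out.

```python
"""Asset-inventory reconciliation: what the records say is on the network
versus what actually answered. The inventory and the sweep result are
constructed sample data, not taken from any real retailer."""
from dataclasses import dataclass


@dataclass
class AssetRecord:
    ip: str
    name: str
    status: str  # "active" or "decommissioned" (assumed vocabulary)


# Constructed system of record: what the organization believes is deployed.
INVENTORY = [
    AssetRecord("10.0.1.10", "pos-register-01", "active"),
    AssetRecord("10.0.1.11", "pos-register-02", "active"),
    AssetRecord("10.0.1.50", "old-wifi-ap", "decommissioned"),
    AssetRecord("10.0.1.60", "legacy-inventory-srv", "decommissioned"),
]

# Constructed result of a discovery sweep: addresses that actually responded.
OBSERVED = {"10.0.1.10", "10.0.1.50", "10.0.1.77"}


def reconcile(inventory, observed):
    """Return three lists of addresses that need a human to look at them:
    unknown  - answered the sweep but is not in the register at all
    zombie   - register says decommissioned, yet it is still answering
    missing  - register says active, but nothing answered (dead, or moved)"""
    by_ip = {rec.ip: rec for rec in inventory}
    findings = {"unknown": [], "zombie": [], "missing": []}
    for ip in sorted(observed):
        rec = by_ip.get(ip)
        if rec is None:
            findings["unknown"].append(ip)
        elif rec.status == "decommissioned":
            findings["zombie"].append(ip)
    for rec in inventory:
        if rec.status == "active" and rec.ip not in observed:
            findings["missing"].append(rec.ip)
    return findings


if __name__ == "__main__":
    for kind, ips in reconcile(INVENTORY, OBSERVED).items():
        print(f"{kind:8s} {ips}")
```

The "zombie" category is the one the TJ Maxx story is about: a device that paperwork says is switched off but that still responds. Each run produces a list that has to be closed out by someone confirming the device, which is what "demand proof" looks like in practice; the reconciliation is only useful if it is repeated on a schedule, since a clean result today says nothing about next month.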
Know your partner network.
Sure, you know your network. But your network isn't the only thing on your network. You have point of sale terminals, suppliers, administrators, HR managers and thousands of others hanging on your network from the outside. Know who they are and what their security looks like. All the time. The Target attack occurred because a Pittsburgh HVAC vendor had legitimate access to Target's network for billing and invoicing. That company's vulnerability ultimately became Target's. It's not enough to have a contract requiring partners to secure things on their end. You must test partners' security in addition to your own.
Always keep an eye on the back door.
One of the most common network breaches occurs with default passwords or hardware configurations, frequently at the point of sale terminal. To counter this, every single POS terminal must have its defaults removed. Every one of them. All the time. If they are rebooted or reset, the defaults may have to be removed again. The same is true for every wireless router and connection. And since attacks are happening higher up the chain, you must validate your entire supply chain to prevent malware insertion. Insist that your vendors do the same.
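The point that defaults may come back after a reboot or reset is the one most often missed by a one-time hardening checklist. As an added example (not Cognizant's or the author's code), the audit below walks a constructed export of terminal and access-point state and flags devices that still carry factory settings, that were never hardened, or that were reset after their last hardening so the defaults may have silently returned. The field names, the "assumed vendor default" account names and the SNMP community strings are assumptions about what such an export would contain.

```python
"""Configuration audit for factory defaults on POS terminals and wireless
gear. Device records are constructed sample data; the field layout is an
assumption about a management-console export, not a real vendor format."""
from datetime import datetime

# Constructed export; in practice this would come from the POS management
# console or a configuration-management database.
DEVICES = [
    {"id": "pos-001", "admin_user": "storeadmin", "default_password_in_use": False,
     "snmp_community": "r3ta1l-ro-xyz", "hardened_at": "2015-03-01T09:00:00",
     "last_reset_at": "2015-02-20T08:00:00"},
    {"id": "pos-002", "admin_user": "admin", "default_password_in_use": True,
     "snmp_community": "public", "hardened_at": None, "last_reset_at": None},
    {"id": "pos-003", "admin_user": "storeadmin", "default_password_in_use": False,
     "snmp_community": "r3ta1l-ro-xyz", "hardened_at": "2015-03-01T09:00:00",
     "last_reset_at": "2015-04-10T07:30:00"},   # reset AFTER it was hardened
    {"id": "wifi-ap-01", "admin_user": "storeadmin", "default_password_in_use": False,
     "snmp_community": "r3ta1l-ro-xyz", "hardened_at": "2015-03-02T10:00:00",
     "last_reset_at": None},
]

# Assumed factory account names and SNMP communities; a real audit would load
# the documented defaults for each vendor and model instead of this short list.
DEFAULT_ADMIN_NAMES = {"admin", "root", "administrator"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


def _ts(value):
    """Parse an ISO-8601 timestamp, or return None when the field is empty."""
    return datetime.fromisoformat(value) if value else None


def audit_device(dev):
    """Return the list of findings for one device (empty list means clean)."""
    issues = []
    if dev["default_password_in_use"]:
        issues.append("default password still active")
    if dev["admin_user"].lower() in DEFAULT_ADMIN_NAMES:
        issues.append("default admin account name")
    if dev["snmp_community"].lower() in DEFAULT_SNMP_COMMUNITIES:
        issues.append("default SNMP community")
    hardened, reset = _ts(dev["hardened_at"]), _ts(dev["last_reset_at"])
    if hardened is None:
        issues.append("never hardened")
    elif reset is not None and reset > hardened:
        # The page's point: a reset can restore defaults, so hardening that
        # predates the last reset cannot be trusted until it is re-verified.
        issues.append("reset after last hardening; defaults may be back")
    return issues


def audit(devices):
    """Map device id -> findings, for devices that have at least one."""
    report = {}
    for dev in devices:
        issues = audit_device(dev)
        if issues:
            report[dev["id"]] = issues
    return report


if __name__ == "__main__":
    for dev_id, issues in audit(DEVICES).items():
        print(dev_id)
        for issue in issues:
            print("  -", issue)
```

Note that pos-003 has no factory setting left in its record and would pass a static checklist; it is flagged only because of the reset-after-hardening rule. Treating "hardened" as a timestamp that a reset invalidates, rather than a one-time checkbox, is what turns "every one of them, all the time" into something a script can enforce.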
Know your vendors and who they sleep with.
This includes not just your hardware and software suppliers, but also your lawyers and accountants, HR and recruiters, architects and engineers, consultants and other third parties, cloud providers, and business and technology service providers. Any of them can introduce a vulnerability into your network. So make sure they are trained and that they agree to your policies and data procedures. Then work your way up their supply chains, since their vendors can introduce vulnerabilities into your network, as well.
Prepare an "IoT" strategy.
You think it's bad now? Just wait. Once the Internet of Things is fully realized, there will be exponentially more data exposure, vulnerable handlers and open doors—billions of them—by way of all the new connected devices. Don't be afraid of this technology. OK, be a little afraid. Then develop a strategy. Make these IP-aware and addressable devices work for instead of against you.
Learn to say "yes."
When confronted with new technology and its associated liability, too many companies are too quick to say "no." The lawyers say "no," the regulators say "no," the CIO and IT directors all say "no": No USB. No WiFi. No cloud. No IoT. No RFID. No iPay. That's the wrong answer. If you prohibit useful technology, your people will just move to simpler, often less-secure workarounds. So at least say "maybe." Yes is better. Then secure whatever is deemed useful instead of fearing it.
Make this a "chief executive" concern.
Preventing data theft isn't a security issue, nor is it a technology, legal or compliance issue. It's a company-wide concern, fundamental to the very core of retail. Security is not something you just bolt on; it is integral to every single business decision. Thus, security is a CEO and board of directors' issue. It enables and empowers every aspect of the company. With so much at stake, it deserves a seat at the big boy table—as well as a big boy budget and the ear of the CEO.
To learn more, please visit Cognizant's Enterprise Risk & Security Solutions Practice.