Target, Home Depot, Staples, Neiman Marcus, Michaels, Sally’s Beauty. What once looked like a list of US retailers is now a list of hacking victims, as cyber criminals attack chains in hope of harvesting millions and customer credit card details.
Cyber security industry experts say it was the attack on Target in last year’s holiday season that shook complacent boards awake to the threat of malicious hackers. But as the series of more recent victims shows, not every retailer has got its cyber security measures sorted as we head into the shopping season of 2014. Here are the five key things retailers should be doing:
Get a third party assessment
Boards have often shied away from talking about security simply because they do not understand it. But relying on a company’s own security teams’ assessment is like having the students mark exam papers, warns David Burg, global and US advisory cyber security leader for PwC.
“The reality is that the beauty of objectivity, a separate set of eyes, maybe not the brain who created the approach, strategy and priorities works,” Mr Burg says. “Independent third parties help management understand what you’re good at and not.”
A third party – be it a security or consulting firm – can also compare your security to your peers, which is important as cyber criminals often choose the easiest targets.
Hire the right staff
Cyber threats have changed rapidly and defences are struggling to keep up. Experienced and capable security professionals are hard to find, particularly for retailers, as many of the best are lured by security or other technology companies. Paying the right salary for the right people is important, says Mr Burg. “The skills are in very high demand, so the supply demand equation means you have got to compensate this kind of professional, even though that can be a real problem when you are running on thin margins,” he says. “We don’t think many companies have that choice.”
Security should also be the responsibility of everyone in the organisation. David Katz, a partner and leader of the privacy and information security practice at Nelson Mullins Riley & Scarborough in Atlanta, says people needed to start viewing data as the “new cash”. “You wouldn’t leave cash on the table so everyone should be responsible for protecting revenue,” he said.
Build internal walls inside the network
Retailers need to assume their adversary is already inside the network and ensure the company “crown jewels” are protected. Once an attacker is inside the perimeter there should be many more walls for them to overcome. This should help with the problem of giving suppliers access to your computer systems, which was how the attackers entered Target’s network, through a refrigeration and air conditioning supplier who should have been far from the customers’ financial data.
Many also try to enter through employee remote access logins, says David Ostertag, global investigations manager at Verizon, so the security on these should be improved. “First off, is to remove the availability of single factor authentication, and replace with multi-factor authentication at the access point. If that was in place, it would never happen,” he says.
Cyber criminals will try to get the login details of the people with the most access – the “God-level credentials”, as Mr Ostertag calls them – so these should be particularly well protected.
The latest spate of attacks on retailers have all been caused by malware, short for malicious software, so swapping tips on how to deal with such attacks could be helpful. Buying threat intelligence from cyber security companies is important, but so is sharing human intelligence with your peers, as the financial industry does informally and through the Financial Services Information Sharing and Analysis Center.
Retailers should certainly take a leaf out of the banks’ book, argues Margaret Tofalides, a data protection partner at law firm Clyde & Co. “Financial services have led the way in cyber security protections, due to information sharing on cyber risks in the market and the adoption of protective measures against cyber crime,” she says. “Retailers should be taking similar steps to share information.”
Cyber attacks are going to happen and retailers are going to have to spend more on protecting themselves. But they should also be spending money on insurance for when the worst happens, says Mr Katz. The cyber insurance market is nascent but developing fast.
“I would be reviewing my [policies] very closely,” he says. “A lot of brokers and carriers sell policies and they may not appreciate the nuances and risks involved in these emerging areas. So we’re starting to see very specialised [insurance policies] being written. Brokers who specialise in this area are really critical to protecting an organisation.”