"The supply chain has become a cybersecurity minefield..."
With that quote, Stephen Boyer, CTO and co-founder of Cambridge, Mass.-based security ratings company BitSight Technologies, described the dangerous landscape retailers must navigate in today's increasingly technology-driven marketplace.
In his comments–taken from a March 3 news release about a study titled "Continuous Third-Party Security Monitoring Powers Business Objectives and Vendor Accountability" from Forrester Consulting, conducted on behalf of BitSight–Boyer cited the recent and much-publicized breaches at Target, Neiman Marcus, Goodwill and Home Depot as indicative of the widespread security issues facing retailers today.
The "cybersecurity minefield" is top of mind for retail executives, according to the BitSight study, which surveyed IT security and risk-management decision makers in the U.S., UK, France and Germany. Sixty-three percent of executives polled ranked critical data loss or exposure and 62 percent ranked the threat of cyberattacks as top concerns, while just 55 percent ranked standard business issues such as whether the supplier could deliver the quality and timely service as contracted.
While almost every business, no matter the industry, encounters cybersecurity threats, retailers are especially vulnerable for many reasons, industry experts say.
A reluctance to invest in comprehensive security programs is at the heart of the problem, says Lee Kushner, president of LJ Kushner and Associates, an information security recruiting firm headquartered in Freehold, N.J.
"For a long time, retail has not made information security a priority in the same way more regulated industries like financial services have, so [retail companies] are playing catch-up," Kushner says. "Customers' information is not usually considered the crown jewels of a retailer's organization–merchandising and marketing strategies are."
Data from the BitSight study supports Kushner's theory. "Across the nine types of third-party information we surveyed IT security decision-makers on, an average of 59 percent indicated a desire to track and monitor. Yet across those same nine information types, an average of only 22 percent were tracking with monthly or greater frequency," Forrester Consulting reports.
Playing the game of retail from that "catch-up" position produces "more low-hanging fruit" for hackers seeking businesses to target, Kushner adds.
Theresa Payton, CEO of Fortalice Solutions LLC, a Charlotte, N.C.-based company described as "a team of cybercrime fighters protecting against internet predators," agrees that retail is a prime target.
"Cybercriminals and fraudsters go where the money is, and they know that retail has the treasure they seek," says Payton, who served as the White House chief information officer from May 2006 until September 2008 during the Bush administration. "They see retail as a key resource for data they can sell quickly and for easy money in the cybercrime underground of the web."
"Many POS systems are vulnerable to attack because payment card data is unencrypted for some period of time, even a nanosecond, during which it can be captured by bad actors."
Retail is also where point-of-sale (POS) systems reside. That fact "is the biggest difference between a retailer and an entity in another industry sector," explains Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton & Williams LLP. "Many POS systems are vulnerable to attack because payment card data is unencrypted for some period of time, even a nanosecond, during which it can be captured by bad actors."
"The point-of-sale systems are a favorite target of fraudsters, and they will find a way into your store," Payton echoes. "They might choose one of your vendors, which was the case with Target. They might find weak administrator passwords, which has been what led to other breaches."
PLAYING THE CHIP CARD
EMV (Europay, MasterCard and Visa) technology–which embeds credit cards with a hard-to-counterfeit computer chip that holds the data usually stored in the card's magnetic strip–is one weapon retailers can wield in the battle against hackers. The technology is also referred to as chip-and-PIN (which requires a PIN to use), or chip-and-signature (which requires a signature for verification).
According to Chase Paymentech, EMV is becoming the global standard for credit card and debit card payments, and can help increase security and reduce fraud. But while U.S. retailers are required to be EMV-capable by October 2015, the new cards aren't a cure-all.
Evaluating Your Business: 3 Key Steps
Investing in security programs to protect against data breaches is vital to protecting any retail business against cybersecurity threats. As Theresa Payton, CEO of Fortalice Solutions, LLC says, "You will be attacked, you will be breached, and only a holistic strategy that encompasses the human element and the technology will help you minimize your losses."
But how do you decide where you stand from a cybersecurity perspective and what you should do to mitigate your risks?
Payton cautions retailers "to be wary of 'silver bullet' solutions marketed by security product companies," and advises all retailers to take three steps before deciding how to invest in cybersecurity.
1. Know where your most critical and sensitive customer data is. "Treat these as you would gold," Payton says. "You would know where your gold was at all times." She suggests asking your team: Do our vendors have access to customer data? Do they treat it like gold? Do we have specific monitoring on that data to know every time someone accesses it? Do we ensure that all user IDs that can touch customer data are only for those that need to touch it? Are the passwords strong, and do they expire every 90 days? And if we no longer need the data, do we have a digital shredding strategy to delete it or store it offline?
2. Manage your vendors. They are key to a successful cybersecurity strategy. Payton says to ask vendors the same questions you ask your team, and to establish service level agreements regarding breaches on their systems. "Require an independent, third party security assessment of all vendors. Require every vendor to have cyber liability insurance," she advises.
3. Practice a digital disaster. "The best advice I can provide is to prepare," Payton says. "You cannot prevent a hurricane, but you can move critical assets out of the way and practice how you would respond." She says retailers should establish an incident response team and ask your customer communications team, not the technology team, to run it. "You want all focus on the customer," she says. "Technology will play a great supporting role, but [the customer communications team's] job is to get your systems back online and to find out the details of the breach."
"A note of caution as you move to EMV for chip-and-PIN or chip-and-signature: If the implementation is not done correctly, you could still experience a breach," Payton warns. "One of the 2014 breaches at a retail store showed that hackers were able to exploit chip-and-PIN processing systems because they were not properly implemented."
Phishing–the attempt to acquire cardholders' usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication–is another security risk all businesses face. Sotto calls it ubiquitous.
"Every organization must be on the lookout," she says. "It is critical to train personnel to avoid clicking on links that might result in the download of malware. In addition, other types of social engineering attacks are rampant, such as calls from fake help desks seeking remote access to a company system."
The collateral damage left in the wake of a security breach can impact the targeted retailer for months or even longer after the breach has occurred.
"If malware is downloaded onto a company system, this can wreak havoc for the organization, and the damage can last weeks, months or years," Sotto says. "Threat actors often are in systems for a year or longer, stealing personal information, M&A and financial details, R&D data and other confidential business information."
"Long after the hackers have gone on to their next victim, the company must live with the unfortunate legacy of the data breach, which includes risk to the brand, its customer base and its suppliers."
Craig Newman, managing partner of Richards Kibbe & Orbe LLP, a law firm with experience in the financial markets and the business community, concurs. "Long after the hackers have gone on to their next victim, the company must live with the unfortunate legacy of the data breach, which includes risk to the brand, its customer base and its suppliers."
A July 2014 Retail Perceptions report from San Diego-based Interactions Marketing underscores the serious bottom-line damage a data breach can cause. According to "Retail's Reality: Shopping Behavior After Security Breaches," there was a 12 percent attrition rate of customers after a breach.
"I do not know any for-profit business that wants to lose 12 percent of its customers to the competition. Also of interest is that customers [in the survey] said if they stayed at the retailer, they were more likely to spend less and use cash only. That is also a losing proposition," Payton says.
While a retailer's brand can suffer significant post-breach damage, how the company responds "is your moment of truth," Payton says.
"How quickly you respond with care, concern and confidence is critical. Otherwise, your customers trust you less, suppliers are wary, and now the payment card industry wonders if you know what you are doing," she explains, noting that companies have a tendency to enter into "security theater" after a breach has occurred.
Kushner has witnessed the kind of post-breach behavior Payton describes.
"People come to us after a bad experience–a lot of them lock the barn door after the horses are out," he reports. "The board of directors and senior executives meet because they are losing customers and say, 'We have to fix this.' It's more a knee-jerk reaction because [the breach] is getting a lot more visibility. They start asking, 'Do we have the right person? The right strategy? What can we do so this does not happen again?'"
NO TECH CURE-ALL
Companies often think technology is the answer. "Everyone has a part to play, and technology becomes the quick fix everyone is looking for," Payton says. "But all breaches and fraud cannot be avoided by adding in new security products."
Neither is the PCI (Payment Card Industry) compliance standard, designed to protect personal information and ensure security when transactions are processed using a payment card, a cure-all. "The companies in the retail breach headlines were PCI-compliant before the breach," Payton notes.
Technology isn't a panacea, in large part because of what Payton calls "the human element" plays such a big role in retailing. "These humans make mistakes, and according to a recent IBM report, human mistakes have led to 90 percent of recent breaches. That is a staggering number," she says.
The best cybersecurity approach, experts stress, is to assess the situation–both the team and the technology–before a breach occurs.
"Understand the gaps and evaluate the capability of your internal resources," Kushner suggests. "Are they able to lead the charge and to build a strategy instead of just managing the operation of a function? Ask yourself, 'Do we have the right captain for the boat?'"
The answers to those questions are especially vital for retailers, since data breaches so quickly make headlines. "They become mainstream, everyman issues, so you have to make sure you're addressing the problem. You have to make sure you have the talent, the technology and the money to create and design the necessary safeguards and infrastructure so you are better prepared and don't end up in the paper," Kushner concludes.