Six Steps to Boost Data Security Protection
By Jon May, Nuspire Networks
The year 2013 was a wake-up call for retailers with regard to national data breaches, with frequency jumping 62% from 2012 to 2013. Eight chart-topping breaches exposed the information of just over 10 million people last year, as opposed to one single breach of that size the year before.
Statistics show the fall-out from a breach extends far beyond the direct financial repercussions (plan for $11k per affected customer per breach). Here are the scary statistics:
• The 2014 Identity Fraud Study reported an increase of more than 500,000 fraud victims, to 13.1 million people in 2013, the second highest number since the study began. [1]
• The average cost of a data breach per global organization this year is $3.5 million, up 15% from 2013. [2]
• Ever considered the effect breaches have on brand reputation? Along with a tarnished company name, there are vast financial implications that go along with these incidents, including decreased sales and millions spent on investigation and customer notification. So far in 2014, virtually all consumers (94%) worry about retail data breaches. Customers hold retailers responsible (61%) almost as much as they do the cybercriminals (79%). One-third say they no longer shop at a specific retailer because of a past data breach. [3]
• Shareholder valuations suffer after a breach, and for a long time. An analysis of 13 companies with a large data breach found they each registered a sustained drop in their average daily stock price, and their valuation hadn’t rebounded six months after the breach. [4]
• Regulators take notice after a breach; so do lawmakers, attorneys general and others who can make life miserable for breached retailers.
Security takes no vacation. Trending evidence shows retail chains possess some traits that can attract cybercrooks. Notoriously money-conscious, retailers traditionally don’t spend all that much on IT security or planning, making them an easy target. Since point-of-sale stations historically functioned as dial-up systems, chains saw little value in investing in POS networks.
Currently, U.S. stores spend only roughly 2% of their tech budgets on security, with the bulk going to improving their e-commerce, according to IDC Retail Insights.
Retail chains can also be unenthusiastic about security around equipment, whether it’s IT hardware, employee laptops or mobile phones, or data that third-party vendors and others possess. A standardized network landscape has become uncommon in the retail sector. It’s critical to conduct real-time event monitoring, threat analysis and constant testing to preserve customer data and brand reputation; in-house security professionals don’t always have the capabilities, time or resources to take on such a responsibility.
Here are six steps that retailers can take to beef up their security and protection immediately:
1. Establish an uncompromising security approach. An aggressive, proactive security strategy is critical today. This posture must come from the CEO on down; it’s no longer just an IT matter. And it must apply to all aspects of security, from authentication and password protection to wired and wireless networks.
2. Assess the threat landscape. Examine security capabilities not just at headquarters but at each store and warehouse location where sensitive company information is available, including all wireless devices used by employees. Don’t forget the retail chain information that third-party vendors and others maintain, such as the HVAC vendor in the Target breach.
3. Conduct an audit. Analyze your IT and POS networks across all locations. Develop policies and practices for locking down networks and understand the security that’s in place. Don’t rely on a single piece of software. Analysts must examine and assess payment card and other data to detect patterns and irregularities and fine-tune the security process. This practice never ends.
4. Protect all avenues of attack. Limit unmonitored physical access to POS terminals. Train employees on how to spot compromised PIN pads and common scams crooks use to gain access to a POS device.
5. Consider outsourcing security. Chain stores have so many security issues to monitor, analyze and navigate. A managed security service provider may be the answer. MSSPs employ experts who understand each part of a network and possess advanced experience in threat detection and response. Often, they also own the latest “rogue device” scanning tools that continuously look for subtle shifts in network patterns and are able to quickly alert the retailer. In-house security professionals typically don’t possess such a complete understanding of all elements of protection.
6. Test, test, test. Employ a qualified cybersecurity contractor with POS system experience to try to penetrate your corporate and POS networks, and do it more often than annually.
For all retailers, there’s no such thing as a perfectly safe network. Resourceful cybercriminals, with increasingly sophisticated tech tools of their own and steady persistence, will constantly seek out vulnerabilities to exploit. But an aggressive, proactive stance minimizes a chain’s exposure. And that’s essential these days.
Jon May is program management department manager at Nuspire Networks, a state-of-the-science managed security service provider.
[1] Javelin Strategy & Research, 2014 Identity Fraud Study.
[2] Ponemon Institute annual study for IBM, issued May 2014.
[3] Brunswick Group study, “Main Street vs. Wall Street: Who is to Blame for Data Breaches?”, June 2014.
[4] Brunswick Group study.