We’re on the cusp of the annual holiday shopping season, kicked off by the Black Friday extravaganza. It seems an appropriate time to address the state of cyber security in the retail industry.
My experience tells me retailers provide some of the most bountiful hunting grounds for cyber criminals. In fact, I think most consumers would be horrified by the lack of IT security at many retailers – especially given that these companies handle millions of payment card transactions daily, and collect a startling depth of private data for targeted marketing campaigns.
When Cyber Security Takes a Back Seat
The business mentality at most retailers is to maximize return on investment by controlling costs, driving down prices, and turning over inventory as quickly as possible. IT security is often seen as a reactionary spend to resolve point-in-time incidents, rather than a strategic asset that can protect customer financial information.
Part of this attitude likely stems from the fact that no amount of negative data breach publicity seems to stop people from buying a retailer’s goods for long. The retail sector relies on humans’ short memories, since within a week or two most data breaches become yesterday’s news. As a result, there’s little incentive to treat customers’ private data with care.
It’s a misguided approach. According to the 2017 Global Security Report from Trustwave, the largest share of data breach incidents involve the retail industry. That’s no great surprise when you consider the headline-grabbing breaches at places like Target, Home Depot and CVS. Executives at these businesses likely saw other retailers, not cyber criminals, as their biggest threats to profitability.
While many retailers might not seem terribly worried about cyber security, as a customer you certainly should be. From a consumer standpoint, the theft of personal data is a significant problem. Whether it’s credit card information or your behavioural data, your private information could command a high price on the black market.
What About PCI-DSS?
When it comes to protecting customers’ private data, the retail industry largely falls back on regulatory compliance standards such as PCI-DSS.
How has that worked out? Earlier this year, in its 2017 Payment Security Report, Verizon analyzed the “compliance patterns and control failures” of organizations subject to PCI-DSS. The findings revealed that more companies reached full compliance with PCI-DSS in 2016 than in 2015. For the first time, more than half (55.4%) of companies assessed were fully compliant at interim validation, compared to 48.4% in 2015.
On the surface that’s a positive statistic. But look at the flip side – nearly half of the organizations assessed still fail to maintain compliance between assessments. And here’s another interesting data point from the report: of all the payment card data breaches that Verizon investigated between 2010 and 2016 – nearly 300 – not a single organization was fully PCI-DSS compliant at the time of the breach. Compliance at the annual assessment is not the same as being secure the rest of the year.
How to Secure Customer Data
Effective cyber security is a moving target. The threat landscape changes every day as cyber criminals continuously adapt.
Meanwhile, many retailers maintain an outdated over-dependence on perimeter security tools like firewalls. Perimeter tools are effective against known threats, but they’re of little use against zero-day attacks launched by sophisticated cyber criminals, or against an attacker who simply walks in through the front door with valid stolen credentials. This means that once the network perimeter is breached, hackers often have few restrictions on moving covertly from system to system inside the network.
Today’s retailers should assume that they have already been breached. And then they should ask – how far into the network can the criminals reach, and how long can they remain there? And if conventional perimeter security can’t stop advanced cyber attacks, which security solutions can restrict the lateral motion of intruders who penetrate the network?
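One concrete way to answer the “how far can they reach” question is to look at successful logons with the assumption that an intruder already holds a working account. The following script is an added example, not code from the original post: it runs two simple checks over constructed logon records (a simplified stand-in for Windows event 4624 fields, with logon types 3 and 10 standing for network and RDP logons). The first flags a third-party account touching any host outside the small set it is allowed to reach; the second flags any account fanning out to several distinct hosts within a few minutes, which is what lateral movement looks like in the logs. All account and host names are made up.

```python
"""Lateral-movement triage over sample logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, account, source_host, target_host, logon_type).
# Logon type 3 = network logon, 10 = RemoteInteractive (RDP), following Windows conventions.
SAMPLE_EVENTS = [
    ("2017-11-20T02:01:10", "svc_vendor01", "vpn-gw-01",       "vendor-portal-01", 3),
    ("2017-11-20T02:03:42", "svc_vendor01", "vendor-portal-01", "fileserver-02",   3),
    ("2017-11-20T02:05:19", "svc_vendor01", "vendor-portal-01", "sql-pos-01",      3),
    ("2017-11-20T02:06:55", "svc_vendor01", "vendor-portal-01", "pos-dist-07",    10),
    ("2017-11-20T02:08:03", "svc_vendor01", "vendor-portal-01", "pos-dist-08",    10),
    ("2017-11-20T02:15:00", "jsmith",       "wks-1123",         "fileserver-02",   3),
    ("2017-11-20T08:30:00", "jsmith",       "wks-1123",         "mail-01",         3),
]

# Assumed access policy: the only hosts each third-party account is allowed to reach.
ALLOWED_TARGETS = {
    "svc_vendor01": {"vendor-portal-01"},
}


def parse(event):
    """Turn one sample tuple into typed fields."""
    ts, account, src, dst, logon_type = event
    return datetime.fromisoformat(ts), account, src, dst, logon_type


def out_of_scope_logons(events, allowed=ALLOWED_TARGETS):
    """Return (account, target_host) pairs where a scoped account reached a host it may not touch."""
    hits = []
    for _ts, account, _src, dst, _lt in map(parse, events):
        if account in allowed and dst not in allowed[account]:
            hits.append((account, dst))
    return hits


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Return {account: set_of_targets} for accounts that reach >= threshold distinct hosts
    via remote logons inside any sliding window of the given length."""
    by_account = defaultdict(list)
    for ts, account, _src, dst, logon_type in map(parse, events):
        if logon_type in (3, 10):          # only remote logons count as movement
            by_account[account].append((ts, dst))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            targets = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[account] = targets
                break
    return alerts


if __name__ == "__main__":
    for account, host in out_of_scope_logons(SAMPLE_EVENTS):
        print(f"OUT OF SCOPE: {account} -> {host}")
    for account, targets in fan_out_alerts(SAMPLE_EVENTS).items():
        print(f"FAN-OUT: {account} reached {len(targets)} hosts: {sorted(targets)}")
```

On the sample data the vendor account trips both checks: it touches four hosts it has no business on, and it reaches five distinct systems inside ten minutes, while the ordinary user with two logons hours apart is ignored. The scope check is the cheaper and more precise of the two, but it only works if someone has actually written down which hosts each third-party account is supposed to reach, which is the same inventory a privileged access programme needs anyway.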
Take the notorious Target data breach as an example. It’s been reported that hackers originally broke into Target’s network using credentials stolen from a third-party vendor. Those credentials were the starting point the hackers needed to eventually install their point of sale malware.
And when it was all said and done, that incident probably ended up costing Target more than three hundred million dollars. It’s amazing to think that for a fraction of that cost – the price of a privileged identity management solution – the problem of uncontrolled privileged access to their systems could have been averted: a vendor credential that is scoped to one system, issued for a short window and rotated afterwards is of little use to whoever steals it.
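To make that last point concrete, here is an added toy model of what a privileged identity management control does for a third-party account. It is not the original post’s code and not any vendor’s product; the class, method names and host names are all made up for illustration, and the target hosts’ password store is folded into the broker for brevity (a real deployment pushes the rotated secret to each managed system). The vendor never holds a standing password: it checks out a credential for one named target, receives a fresh random secret that is only honoured for a short lease, and the secret is rotated again on check-in or expiry. A copy captured during the session therefore fails on replay and cannot be used against any other host.

```python
"""Toy privileged-credential broker (added example, not a real product)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


class PrivilegedCredentialBroker:
    def __init__(self, policy, now):
        self.policy = policy      # {vendor_account: set(target_hosts it may check out)}
        self.now = now            # injected clock so expiry can be demonstrated deterministically
        self.secrets = {}         # {target_host: sha256 hex of the current password}
        self.leases = {}          # {lease_id: (account, host, expires_at)}
        for host in {h for hosts in policy.values() for h in hosts}:
            self.rotate(host)     # every managed host starts with a secret nobody has seen

    def rotate(self, host):
        """Set a fresh random password on the managed host; return it to the caller."""
        password = secrets.token_urlsafe(24)
        self.secrets[host] = hashlib.sha256(password.encode()).hexdigest()
        return password

    def checkout(self, account, host, ttl=timedelta(minutes=30)):
        """Issue a short-lived credential for one host, if policy allows this account there."""
        if host not in self.policy.get(account, set()):
            raise PermissionError(f"{account} is not authorised for {host}")
        password = self.rotate(host)                 # one secret per session
        lease_id = secrets.token_hex(8)
        self.leases[lease_id] = (account, host, self.now + ttl)
        return lease_id, password

    def checkin(self, lease_id):
        """End the session and immediately invalidate the secret that was handed out."""
        _account, host, _expires = self.leases.pop(lease_id)
        self.rotate(host)

    def _expire_leases(self):
        """Rotate the secret of any host whose lease has run out, even if never checked in."""
        for lease_id, (_account, host, expires_at) in list(self.leases.items()):
            if self.now >= expires_at:
                self.leases.pop(lease_id)
                self.rotate(host)

    def authenticate(self, host, password):
        """What the managed host does: accept the offered password only if it is current."""
        self._expire_leases()
        offered = hashlib.sha256(password.encode()).hexdigest()
        return host in self.secrets and hmac.compare_digest(self.secrets[host], offered)


def demo():
    """Walk through the stolen-credential scenarios and report what works and what fails."""
    t0 = datetime(2017, 11, 20, 9, 0)
    broker = PrivilegedCredentialBroker({"svc_vendor01": {"vendor-portal-01"}}, now=t0)
    results = {}

    # Vendor cannot even request a credential for a host outside its scope.
    try:
        broker.checkout("svc_vendor01", "sql-pos-01")
        results["out_of_scope_denied"] = False
    except PermissionError:
        results["out_of_scope_denied"] = True

    # Normal session: secret works on the intended host while the lease is open.
    lease, password = broker.checkout("svc_vendor01", "vendor-portal-01")
    results["valid_during_session"] = broker.authenticate("vendor-portal-01", password)
    # The same secret is meaningless anywhere else.
    results["useless_on_other_host"] = broker.authenticate("sql-pos-01", password)
    # After check-in the secret is rotated, so a captured copy no longer authenticates.
    broker.checkin(lease)
    results["replay_after_checkin"] = broker.authenticate("vendor-portal-01", password)

    # Session abandoned without check-in: the lease expires and the secret is rotated anyway.
    _lease2, password2 = broker.checkout("svc_vendor01", "vendor-portal-01")
    broker.now = t0 + timedelta(hours=1)
    results["replay_after_expiry"] = broker.authenticate("vendor-portal-01", password2)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

Running the demo shows the three properties the post is arguing for: the account cannot reach the point-of-sale database at all, the credential it does receive is rejected the moment the session is checked in or times out, and it never worked on any other host to begin with. The expensive part of a real deployment is not this logic but the inventory behind `policy`: knowing every privileged and third-party account and the systems each one legitimately needs.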
Want to learn more about managing and securing privileged access to your sensitive systems? Get our white paper, Best Practices in Privileged Identity Management.
If you like this topic, please subscribe to our Cyber Defense Newsletter for a monthly roundup of our blog posts.