What keeps cybersecurity industry leaders up at night? At NRF PROTECT, NRF’s annual loss prevention and cyber risk event, retail loss prevention professionals and industry experts spoke about assessing risks and working together across an enterprise to manage those risks.
3 threats to monitor
Arshad Somani from the Global Resilience Foundation said there was a 180 percent increase in phishing attacks from the first quarter of 2018 to the first quarter of 2019. Brent Wiedbusch, senior vice president of IT at apparel retailer Tilly’s, said employee awareness is critical to maintaining security against phishing: “The insider threat is bigger,” he said.
POS malware and account takeovers
Somani pointed out that loyalty programs aren’t as secure as other systems in a retailer’s network, leaving them vulnerable to attacks. As for those other systems, Bernell Zorn, manager of program management at Nordstrom, recommended paying close attention to third-party vendors and partners. “What’s their reputation?” he said. “Where are they building the product?” Neil Lakomiak from Underwriters Laboratories Inc. seconded that: The risk comes back to how the software or system was developed, he said. Was security an afterthought or was it baked in during creation?
A chain of stores distributed over wide geographic areas makes it challenging to manage security, even more so when a company has built up a network of legacy systems. Wiedbusch said legacy software is one of the biggest challenges for organizations like these.
4 safeguards to enact
Ask the right questions
It’s OK to nudge a little, Lakomiak said. If you’re not asking, there’s no incentive to develop solutions. When talking to third-party providers, find out what’s expected of the end user to maintain the system. How is data protected when it’s in transmission — and when it’s stored within the company’s network?
Steve Welk, senior director of loss prevention for Barnes & Noble College Bookstores Inc., said he works closely with IT security teams, finding out what their concerns are. “It’s critical to be able to work closely together.” Wiedbusch agreed — partnerships are useful for things like benchmarking and information sharing. Developing that relationship between information systems and loss prevention helps the teams work together after a break-in, for instance, to not only determine what was taken (products) but what might have been left behind (malware).
Zorn said Nordstrom has a five-year road map it reviews yearly with vendors and tech partners to ensure it stays current. The retailer has a lifecycle and maintenance plan and asset management teams; store teams are responsible for maintaining their own systems. Zorn’s team checks in with them to make sure updates and related tasks are being handled, he said, so that they “stay ahead of things.”
Third-party monitoring and alert services can watch systems around the clock; Wiedbusch said such tools must be layered on top of existing systems and must be integrated “or people won’t use it.” Open source and free resources exist to help businesses, including the Global Cyber Alliance’s toolkit. Aimée Larsen Kirkpatrick, GCA’s global communications officer, said 85 percent of businesses that use the toolkit reduce their risk profile if they follow the steps. “Improving cybersecurity doesn’t have to be overwhelming or costly,” she said.
Visit the recap page for more coverage from NRF PROTECT.