3 cyber threats and 4 ways to protect against them

What keeps cybersecurity industry leaders up at night? At NRF PROTECT, NRF’s annual loss prevention and cyber risk event, retail loss prevention professionals and industry experts spoke about assessing risks and working together across an enterprise to manage those risks.

3 threats to monitor

Phishing

Arshad Somani from the Global Resilience Foundation said there was a 180 percent increase in phishing attempts/attacks from the first quarter of 2018 to the first quarter of 2019. Brent Wiedbusch, the senior vice president of IT with apparel retailer Tilly’s, said employee awareness is critical to maintaining security against phishing: “The insider threat is bigger,” he said.

Brent Wiedbusch, SVP of IT with Tilly’s, speaks at NRF PROTECT 2019.

POS malware and account takeovers

Somani pointed out that loyalty programs aren’t as secure as other systems in a retailer’s network, leaving them vulnerable to attacks. As for those other systems, Bernell Zorn, manager of program management at Nordstrom, recommended paying close attention to third-party vendors and partners. “What’s their reputation?” he said. “Where are they building the product?” Neil Lakomiak from Underwriters Laboratories Inc. seconded that: The risk comes back to how the software or system was developed, he said. Was security an afterthought or was it baked in during creation?

Legacy software

A chain of stores distributed over wide geographic areas makes it challenging to manage security, even more so when a company has built up a network of legacy systems. Wiedbusch said legacy software is one of the biggest challenges for organizations like these.

4 safeguards to enact

Ask the right questions

It’s OK to nudge a little, Lakomiak said. If you’re not asking, there’s no incentive to develop solutions. When talking to third-party providers, find out what’s expected of the end user to maintain the system. How is data protected when it’s in transmission — and when it’s stored within the company’s network?

Partnerships

Steve Welk, senior director of loss prevention for Barnes & Noble College Bookstores Inc., said he works closely with IT security teams, finding out what their concerns are. “It’s critical to be able to work closely together.” Wiedbusch agreed — partnerships are useful for things like benchmarking and information sharing. Developing that relationship between information systems and loss prevention helps the teams work together after a break-in, for instance, to not only determine what was taken (products) but what might have been left behind (malware).

System maintenance

Zorn said Nordstrom has a five-year road map it reviews yearly with vendors and tech partners to ensure it stays current. The retailer has a lifecycle and maintenance plan, and asset management teams; store teams are responsible for maintaining their own systems. While Zorn’s team communicates with them to make sure they’re handling updates and related tasks, he said, they “stay ahead of things.”

Aimée Larsen Kirkpatrick, global communications officer at Global Cyber Alliance, speaks at NRF PROTECT 2019.

Tools

Third-party monitoring and alert services can watch systems around the clock; Wiedbusch said tools must be layered on top of existing systems and must be integrated “or people won’t use it.” Open source and free resources exist to help businesses, including the Global Cyber Alliance’s toolkit. Aimée Larsen Kirkpatrick, GCA’s global communications officer, said 85 percent of businesses that use the toolkit reduce their risk profile if they follow the steps. “Improving cybersecurity doesn’t have to be overwhelming or costly,” she said.
