Minimizing Cyber Threats
Managing risk is the starting point to successful security outcomes
Michael Chertoff, the former Secretary of the U.S. Department of Homeland Security under President George W. Bush, is working with the retail industry to shore up emerging cyber security threats. Chertoff serves as chairman of the Chertoff Group, a Washington-based global security advisory firm that assists clients in managing risk and protecting against a broad array of threats and crises.
The National Retail Federation announced in January the Chertoff Group would assist NRF members with security issues, including the theft of credit and debit card data. Chertoff will deliver a keynote address about cyber security during NRF’s 2014 Loss Prevention Conference June 10–13 in Fort Lauderdale, Fla.
STORES contributing editor M.V. Greene recently spoke with Chertoff about security threats facing the retail industry.
Your company is working with NRF on risk management and cyber security. Describe some of the security issues that are challenging the retail industry. How different or similar are cyber threats in retail compared with other large industries?
Enterprises of all kinds in multiple economic sectors are targets for malicious cyber activity … . Some of the enterprises have in common the fact that they are objects of criminals who are trying to steal financial information, identity information and credit card information.
In the case of retail, there may be issues about business processes and business strategy which are [targeted] not only by criminals but by nation states that are seeking to help competitors by pirating some of the intellectual property of the retail company.
You have a lot of commonality in terms of criminals and people stealing information. You sometimes have disgruntled individuals who may target an establishment that is a well-known brand. They may stage a denial of service attack that interferes with actual back-office operations of the information technology enterprise.
How sophisticated are the efforts of criminals to hack into retail enterprises?
In some cases you have criminals … using comparatively sophisticated ways of getting into systems. In fact, there is a black market of tools that you can buy online that will permit you to hack into systems. Sometimes, however, it is comparatively unsophisticated. For example, people will exploit employees by sending false e-mails … that will cause the employee to download or click on a link that will open up the enterprise to malware.
There is an element that involves educating the workforce, but also making sure that you are aware of the latest tools and techniques that the criminals are using … . In that respect, a key element in the strategy of security is information sharing among multiple enterprises so that when someone discovers a new attack, new technique or new type of malware, everybody else can be put on alert.
As an industry with many component parts — customer-facing operations, point of sale, extensive supply chain and vendor relationships — how should retail approach the challenge of cyber security throughout the enterprise?
One of the key insights is that you can never eliminate the risk entirely. … So what we talk about is managing the risk. That means understanding where the principal threats are, understanding where your vulnerabilities are and minimizing those vulnerabilities, and understanding the consequences … that would have the greatest impact on your strategy. You want to work in particular to focus on reducing the risk in those areas.
The ability to have a quick response plan is part of a layered defense. One of the challenges is to evaluate how much is enough. … We try to work with businesses in the retail sector to look at their highest risks and establish a baseline based on best practices. You need to determine what kinds of investments to make so you are not breaking the bank but making intelligent decisions about the nature and degree of what you have to spend.
A number of major retailers have been confronted by high-profile incidents involving the breaching of customer payment card and personal information. What are some lessons learned from these cases?
Every enterprise of scale is likely to be breached at some point. … The key is minimizing the breach, discovering it and reducing the consequences of it. That is what you have to focus on.
The retail industry is particularly attractive to criminals because of the amount of customer financial and credit information that flows within it. What companies in this sector need to do is not only make sure their hardware and software are configured in a way so as to reduce the risk as much as possible, but … constantly monitor what is going on in the network and audit that, just to make sure their defenses are addressing contemporary threats.
That doesn’t mean just focusing solely on compliance … . What you really have to do is take a functional approach [and] look at the keys to your business. In the retail business, a lot of that is the customer experience and customer trust. You then work on things that might undermine that trust and determine how to focus your attention to make sure you are addressing the vulnerabilities in that area. The risks will change, the tools will change and the methods of attack will change.
There are a couple things retailers are doing now … . The first is looking at better information sharing — when we see an attack coming … you want to share that information. Retailers want to compete on price and quality. They don’t want to compete on security.
The second critical area where I think retailers are focused is a strong response and recovery plan. You want to be able to react quickly … when a breach is discovered and limit the damage as much as you can, and then have a forthright and comprehensive response.
The retail industry has been aggressive in the deployment of new mobile retail technologies that enhance the customer experience while improving overall operations. With such an increasing reliance on technology, what are the security risks and how should the industry mitigate these risks?
Obviously you don’t want to stop progress, but you need to be thinking about security in the architecture of these new methods from the very beginning. It cannot be an afterthought because the more devices that you use, the more vulnerabilities there are.
You can use digital security certificates that allow you to authenticate an individual’s identity with respect to an online transaction. With respect to devices, dual factor authentication is important, where it is not just the password but a fingerprint or iris scan that gives you greater confidence that someone has not stolen someone else’s identity.
Encryption can be used to protect data that is held in the enterprise. Finally, retailers are going to have to say to vendors that when interfacing electronically they are going to need robust security, too, so they won’t be the [gateway through] which criminals enter into the retail store system.