Retailers are coming to grips with data breaches and protection
The specter of cyber breaches has attracted a great deal of attention in recent years from retail organizations and their customers and vendors, along with regulators, policymakers and the news media. Spurred by highly publicized breaches, cybersecurity has emerged as a booming industry.
Only two years ago, retailers ranging from big box stores to office suppliers were hit with a series of highly publicized criminal hacking incidents where credit card numbers and other data were stolen. While merchants said banks’ fraud-prone credit card systems were to blame, it was retailers whose brand names were dragged through the headlines. Now, as cyber breach headlines seem to have shifted to sectors like banks and government, the question remains: Are things measurably better in retail?
The latest Verizon Data Breach Investigations Report says they are. Retail has dropped from 11 percent of breaches in 2013 to 6 percent last year. Banks, by contrast, nearly tripled from 13 percent in 2014 to 36 percent in 2015, the highest of any industry.
“It’s one of the questions all industries have, especially the retail industry,” says Rocco Grillo, executive managing director at Stroz Friedberg, which specializes in cybersecurity and digital forensics and advises organizations on breach incident response.
“Are we in a better state than we were 18 to 24 months ago? The first reaction would be that we are in a better state, no question. But at the same time there’s a lot of ground that needs to be covered.”
Consultant Deloitte LLP, in its annual Deloitte Consumer Review, highlights a dilemma facing retailers in the cyber arena. As digital technologies continue to proliferate in retail operations, helping retailers grow in ways unimaginable just years ago, these new tools also bring with them unintended consequences: Voluminous and sensitive customer data moving along retail computer networks brings increased risk of data breaches.
Retailers, the report says, cannot afford to be less than vigilant on data breaches, noting that 73 percent of consumers surveyed say they would reconsider using a company if it could not keep their data safe.
What is promising, according to Grillo and others, is that a knowledge base of security service providers and vendors is rapidly proliferating in the market — buoyed by the recognition from retail executive management that urgent action must be taken to stem threats.
“What we are really starting to see is companies getting their arms around the idea of cyber governance,” Grillo says, adding that cybersecurity is being defined as a key business issue at all levels of organizations. “Companies in the retail industry particularly are really getting their arms around this from a resilience standpoint.”
Dunbar Security Solutions, a diversified family-owned-and-operated security firm long in the business of cash management and safeguarding valuables, works with retailers as a managed services provider by monitoring, assessing and remediating network threats for a host of clients nationwide from its state-of-the-art operations center outside Baltimore.
Dunbar President Darren McCue says his company’s approach to cybersecurity is all-encompassing and covers both the digital and physical worlds.
While hosting a recent tour of the Dunbar operations center, McCue said the company takes a comprehensive view of cybersecurity when working with clients, focusing on all the “central points” that impact enterprise networks: servers, smartphones, desktops, laptops, Wi-Fi systems, firewalls, intrusion detection software and Internet-based cameras.
Even a physical identification badge that is assigned to the network must be accounted for. “If you see someone on the network that has not been physically badged in, that’s a red flag,” McCue says.
All network devices leave fingerprints of sorts, and Dunbar’s systems and analysts monitor this activity in real time to determine if the incoming log data correlates to a threat to the business. Generally, McCue says, companies and organizations seeking to address cyber threats have an incomplete view of security.
“Those services and points need to be talking to one another,” he says. “We take each one of these points and connect them together to provide a more complete picture.”
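The badge-versus-network correlation McCue describes can be expressed as a simple detection rule. The following is an added illustration, not Dunbar's code: it joins constructed badge-reader records with constructed network logon records and flags any on-site logon by a user who has not badged in (or who has already badged out). Log formats, field names and the remote-access exemption are assumptions.

```python
"""Correlate physical badge-in events with network logons.

Flags any network logon by a user who has no badge-in earlier in the
log (or who has badged out since). Sample logs are constructed for
illustration; the record layout and field names are assumptions.
"""
from datetime import datetime

# Constructed badge reader records: (timestamp, user, "IN" | "OUT")
BADGE_LOG = [
    ("2016-03-01T07:55:00", "alice", "IN"),
    ("2016-03-01T08:02:00", "bob", "IN"),
    ("2016-03-01T12:10:00", "bob", "OUT"),
]

# Constructed network logon records: (timestamp, user, source host)
LOGON_LOG = [
    ("2016-03-01T08:10:00", "alice", "ws-12"),   # badged in -> fine
    ("2016-03-01T08:30:00", "carol", "ws-07"),   # never badged in -> flag
    ("2016-03-01T13:05:00", "bob", "ws-03"),     # badged out at 12:10 -> flag
    ("2016-03-01T13:20:00", "bob", "vpn-gw"),    # remote path -> exempt
]

# Assumption: logons arriving via these hosts are remote and need no badge.
REMOTE_SOURCES = {"vpn-gw"}


def parse_ts(s):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(s)


def on_site(badge_log, user, at):
    """True if `user` badged in before `at` and has not badged out since."""
    present = False
    for ts, u, event in sorted(badge_log):      # ISO strings sort by time
        if u != user or parse_ts(ts) > at:
            continue
        present = (event == "IN")               # last event before `at` wins
    return present


def flag_logons(badge_log, logon_log, remote_sources=REMOTE_SOURCES):
    """Return network logons with no matching physical presence."""
    flagged = []
    for ts, user, src in logon_log:
        if src in remote_sources:
            continue
        if not on_site(badge_log, user, parse_ts(ts)):
            flagged.append((ts, user, src))
    return flagged


if __name__ == "__main__":
    for hit in flag_logons(BADGE_LOG, LOGON_LOG):
        print("red flag: network logon without badge-in:", hit)
```

A production version would also bound the lookback window and reconcile the two clocks, since a badge reader and a domain controller rarely agree to the second.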
As for how well retailers are doing in buttressing overall security efforts, McCue says the first consideration should be acknowledgement that the retail environment demands both digital and physical security.
Digital security, for instance, could seek to protect data that emanates from the multiple point-of-sale devices that operate throughout a store and are connected to the store’s network. Physical security could be something as basic as stationing a guard at an entrance to provide a deterrent or positioning video cameras throughout the store.
The key is that all elements of the security profile have to work in concert to be effective, McCue says. “We’ll go into a retail location and see they might have an alarm system but no monitoring,” he says.
As an example, a big-box retailer that experienced a highly publicized breach in 2014 spends untold dollars on cybersecurity protocols — but the hack came from a heating and air conditioning vendor accessing the corporate billing system.
“The point is, if there is even just one break in this chain anywhere,” he says, “all you need is a tiny hole to make your business vulnerable.”
In most cases, McCue says, it takes companies in excess of 200 days before they learn that their systems have been hacked, which puts them at great peril for theft of customer data.
“All you need is one day to do a lot of damage. Companies today are getting breached, and they don’t even know it. By the time they do know it, it is too late,” he says.
Grillo says he is seeing retailers stepping forward and doing a number of things on the cyber governance front. He is seeing more chief information security officer positions in retail than two years ago, and retail companies are also being more proactive in ensuring that their networks are compliant with Payment Card Industry Security Standards Council protocols intended to ensure that credit card information is protected.
Retailers are making significant investments in technology to protect customers from fraud and data theft. NRF is committed to finding broad, long-term solutions and to working with all parties involved to ensure that consumers’ sensitive information is protected.
NRF members come from more than 45 countries and all sectors of retail, from Main Street merchants to online retailers.