Retail Security: Cyber Tech Fuels Cybercrime
March 2016 Innovative Retail Technologies
In a post-EMV world, retail security experts are bracing for malice, menace, and misfortune to go digital. Here, CISOs from four of the world’s best retail brands share best practices for securing your cyber sanctuaries.
The statistics are nothing short of stunning. Ponemon’s 2015 Advanced Threats in Retail Companies study reveals that on average, retail organizations battle at least eight cyber attacks per year, 74 percent of them advanced threats and 50 percent DDoS (distributed denial of service) attacks.
What’s more, it takes retailers an average of 197 days to detect advanced threats, defined as cyber attacks designed to evade technical and process countermeasures such as firewalls, intrusion detection systems, and anti-malware programs. It takes another 39 days to contain them. With so much sensitive business and customer data at stake, that’s far too long. As the criminal element continues to innovate, it’s incumbent on retailers to stay a step ahead of them.
To gain some insight into addressing this critical problem, we convened a panel of notable information security experts from some of retail’s most venerable brands. Our esteemed contributors include:
- Jamil Farshchi, Chief Information Security Officer, The Home Depot
- Colin Anderson, Global CISO, Levi Strauss & Company
- Darrell Keeling, Chief Information Security Officer, Lands’ End
- Tom Meehan, Chief Information Security Officer, Bloomingdale’s and senior technical advisor/chair of the future of LP/AP working group, LPRC
We asked our panelists to share some of their organizations’ best practices for mitigating cyber security risks, with a particular focus on gleaning specific insight that’s applicable to the small-to-midsize retail market.
Assessing The Threat
The Home Depot’s Farshchi says the 2015 shift to EMV in the U.S. should put retailers of all sizes on notice for card-not-present (CNP) attacks (e.g., Web application threats). “When EMV was implemented in regions such as Europe, card present [CP] fraud declined precipitously, but CNP fraud spiked because it became an attack vector that was easier and generated lower risk of detection for adversaries,” explains Farshchi. Other common cybercrime entry points include POS malware, third-party intrusion, and legacy systems, to name a few.
At Lands’ End, Keeling adds that for the most part, these threats are highly device- and business-agnostic. “The intent of many incidents or breaches is never known. Nevertheless, each enables a threat actor to become more efficient at their craft in order to gain more riches or create more business disruption,” he says. Even small victories, he says, allow criminals to increase their stature and credibility in the underground community within the dark Internet. From the retail perspective, whether online e-commerce or brick-and-mortar stores, Keeling says it’s debatable whether all threats are equal across companies of all sizes. “To be more specific, malware, targeted email phishing, viruses, key logging, denial of service, cross-site scripting, password attacks, and insider threats have been the most prominent threats across industry verticals,” he says.
Levi Strauss’ Anderson says the business impact, attack frequency, threat actor skill, and attack complexity may vary across industries and organizational size, “but both large and small retailers must defend against cyber attacks targeting key systems and information as well as social engineering attacks targeting employees and customers.”
The difference at the tier-one level is often simply a matter of the resources allocated to threat assessment and protection. “Some small and midsize retailers will have to reallocate their resources to handle a threat but may eventually return to a normal process once the threat is resolved,” says Bloomingdale’s Meehan. As retail moves toward more data-driven and technically driven practices, he predicts that the gap between tier-one and small to midsize retailers will narrow.
Cybercrime Is Opportunistic
Contrary to a common misconception, cyber criminals don’t discriminate based on the size of the target. The Home Depot’s Farshchi says that from a business standpoint, sophisticated criminals aren’t unlike you; they seek the path of least resistance to achieve a return on their investment. “While larger organizations potentially offer larger sums of valuable data, small to midsize organizations may offer lower barriers to entry (e.g., weaker protective controls) and/or lower likelihood of being caught (e.g., weaker detective controls),” says Farshchi. Thus, they’re attractive targets for attack.
Anderson says the proof that even small retailers are at risk is in the statistics. “When you look at sheer volume, you will find that small-to-midsize retailers are compromised more often than the smaller number of tier-one retailers,” he says. “While the payout may be greater with a large retail compromise, the criminal’s investment in time and money is also greater.” The payment and consumer information payoff of attacking small-to-midsize retailers may not be as great as that garnered from larger organizations, he explains, but the investment a threat actor makes to breach these smaller retailers is also far less. Meehan agrees. “Cyber criminals can make the assumption that a smaller company implies a smaller budget for IT security, or that they outsource their IT functions, which leads to a delayed response.” In many cases that’s true, and if you have customer data and perform financial transactions, you are at risk. “Three midsize retailers can yield more data than one large-scale breach,” adds Meehan. He analogizes a cyber thief’s target selection process by describing a car thief who walks down the street checking door handles on cars. “They could easily break a window, but they know they will eventually find a door unlocked. Similarly, cyber criminals target the more vulnerable first. They will go to the open door before trying to break a window or defeat a lock.”
Keeling offers that regardless of segment, size, or even industry, targeted organizations face many common challenges. “All businesses are in a virtual partnership to assist each other against these threats. All businesses need to ensure they are not allowing threat actors to springboard through the Internet between their business systems to find the weakest link that allows them to compromise the integrity of their systems.” He notes that consumer-centric businesses often share the same customers, and that breaches cause loyal customers to lose confidence and trust, ultimately impacting the industry on the whole. “In today’s competitive marketplace, consumers have many options to purchase merchandise at their fingertips. Nothing guarantees you will ever regain these customers after an incident,” he says.
Mobility Exacerbates The Retail Cybercrime Challenge
Mobile POS, clienteling, and inventory management are going mainstream, and our panelists recognize the additional risk that poses. Meehan says BYOD (bring your own device) and the Internet of Things (IoT) pose a particular risk. “I compare it to having more windows on the ground floor. Hacking and attacking have to do with access and opportunity. Mobile affords more of both,” he says.
Farshchi adds some perspective to Meehan’s contention, pointing out that there’s a meaningful attacker/defender asymmetry. “It all boils down to ‘the problem of one,’” he says. “Defenders must stop all attacks to be successful, while attackers need to be right just once in order to win.” The proliferation of mobile devices adds incrementally to the attacker’s odds. “Today’s businesses are fundamentally underpinned by technology, yet technology is often littered with security weaknesses,” claims Farshchi. “The greater the technology footprint, the greater the attack surface becomes, and the more difficult it is for a security organization to defend. Throw in emerging and/or legacy technology [both of which have a higher propensity for security weaknesses], and the security challenge becomes even more immense.”
As his argument relates to the adoption of mobile technologies, Farshchi agrees that the introduction of mobile devices certainly has the potential to introduce new challenges. If done correctly, however, he says the risk can be managed, and in some cases even reduced, if other legacy systems and business processes can be deprecated.
Despite the unanimous agreement that mobile device deployment creates the opportunity for risk, our CISOs agree that mobile must march on. “Mobile computing has changed how consumers interact and how businesses deliver services. It has been a great advancement for businesses, driving increased productivity and improving usability,” says Anderson. But, he says, the mobile landscape has added degrees of complexity to how information is accessed and how it can be secured. “Complexity is not security’s best friend,” he concedes.
In the days of fixed POS and physical stores, the retail threat landscape had, at a minimum, clear boundaries for retailers to work within. Not so in today’s highly mobile, omni-channel environment, says Keeling. Today, retail organizations need to review the risks associated with mobile platforms, just as they have done for many years with traditional in-house applications and systems. Again, it’s a more complex effort than it used to be. “One major concern for organizations is determining their legal right to access and manage employee mobile devices,” warns Keeling. “Many organizations have put policies in place to provide guidance around this issue; however, the opinions on who owns this data are changing daily among legal and governmental systems around the world.”
Noncriminal Activity: The Threat From Within
The 2014 Cyber Security Intelligence Index says that 95 percent of all security incidents involve human error. Meehan says education and awareness are the keys to avoiding it. “Keeping folks informed about phishing emails, the importance of a strong password, information sharing, and social engineering is a must. You must have an InfoSec program to keep all levels of your population informed of the threat landscape,” he says. “This also helps folks keep personal information safe at home, as most people have received an email at home about money awaiting in a bank account, or a bank email asking us to log in to a bank we don’t have an account with.”
Farshchi agrees that insider threats are one of the more meaningful risks that all organizations face. “These threats are sometimes linked to financial gain, but are also tied to disgruntlement, ideology, and so on. The impacts can be severe, be it unauthorized disclosure of information or simply operational disruption,” he says. Farshchi adds that insiders are more knowledgeable about the organization and may have authorized access to systems and data repositories, making them more difficult to detect than external agents.
Anderson says mitigating information disclosure from internal sources is a matter of managing risk. “In sheer impact, the targeted attacks by criminals have had the greatest business cost, but in numbers, the negligent or accidental disclosures continue to dominate,” he says. “That human element will always exist and be a risk that must be managed.” Third-party partners pose an equally daunting risk. “With so many organizations looking to partners to help deliver critical business services, the partner ecosystem is always expanding. The growth in numbers of partners and employees with access to sensitive information only increases the probability a mistake will be made that compromises information assets,” Anderson warns. The importance of partner and supplier risk management is thus becoming a top priority for both large and small to midsize companies.
Keeling asserts that the Big Data revolution is exacerbating the threat of accidental misuse or distribution of sensitive information. “Retail organizations are collecting more data than ever in the effort to remain competitive, in many cases without knowing what they are going to do with it all,” he says. “This leads to more employees having a need to access more data for analysis, and it makes the internal protection of this data more complicated than ever before.” To minimize the risk of loss or misuse, Keeling says more users need to be trained on data access and handling protocols, especially as privacy and data laws and regulations are constantly changing in the U.S. and across the world. “A retailer in a small town in rural America might only have data from customers across a few towns or counties,” explains Keeling, “but if that retailer is in a tourism destination, it might collect data on customers across many states or countries. Knowing what data you are collecting and how to handle it can save considerable time and money in case of an incident.”
The Most Important Cyber Security Tools In The Box
Our expert panelists agree that people and process are the most foundational and valuable tools in a security arsenal. “Technology is necessary,” says Farshchi, “but without the people and the processes, technology is not particularly useful.” With the right people and processes in place, Anderson, Farshchi, Keeling, and Meehan offer a peek into their information security technology tool chests. Not surprisingly, access controls are at the top of the heap. Other unanimously chosen tech tools include:
- Data inventory/mapping technology. “A good understanding of the number of systems and applications you’re running, and where your data is being used and stored, is a must,” says Keeling. “Without this, cyber security metrics become less effective in understanding how your organization is being protected, and what level of potential data loss you may have.”
- Event detection and response solutions. “We will all be compromised, probably more than once,” says Anderson. “The difference between seeing that compromise on the front page of the Wall Street Journal or as a footnote in a regulatory filing is how quickly you detect and respond to a breach.”
- Cyberthreat Intelligence. These solutions help retailers develop informed tactics for current threats and prepare for threats that may exist on the horizon. “Your program mitigation and communication strategy must evolve with the threat landscape,” says Meehan.
Sound Cyber Security Advice For Small To Midsize Retailers
Admittedly, the bulk of North American retailers can only dream of having the resources and tools to bolt down every piece of data they collect, much less hire a CISO. For many, cyber security is a matter of fundamentals, prioritization, and planning. “While doing the basics really well isn’t necessarily the most glamorous strategy, it will produce the greatest amount of risk reduction relative to the cost and effort,” advises Farshchi. Anderson suggests that trying to protect everything is a foolhardy endeavor. “Not every asset is equal, so invest your time and money wisely to protect your most valuable assets: brand reputation and customer trust,” he says.
Both Meehan and Keeling say planning is imperative. “Have a plan to respond to a cyber event,” advises Meehan. “In some cases, this is more critical than the ability to defeat threats as it relates to growth and sales outcomes.” Keeling offers that continually reviewing and updating business systems and applications will protect what is most important to the business. “Always use a risk-based approach to ensure you are spending time, resources, and budget toward providing the most overall protection for business assets possible to reduce risk,” he says.
The advice of our panelists couldn’t be timelier. Mobile, omni-channel, and IoT innovation are all driving a groundswell of data in retail, much of it worth protecting. Unfortunately, only about a third of retailers represented in the aforementioned Ponemon study use technologies such as incident response to contain the impact of advanced threats and DDoS attacks. There is much work yet to be done.
CYBER SECURITY RESOURCES FOR SMALL RETAILERS: A LITTLE TECH GOES A LONG WAY
Despite the known risk of cybercrime, for many small retailers, comprehensive information security initiatives are little more than wishful thinking. Hiring dedicated information security professionals and deploying advanced detection and response technologies are out of the question. Even training associates on proper data handling protocol is resource-intensive. That’s the reality that launched My Digital Shield (MDS), an information security solution designed to help small businesses mitigate their vulnerability to cyber attacks.
We caught up with Andrew Bagrin, founder and CEO at MDS, to discuss how technology is changing the game for resource-constrained small businesses. While Bagrin agrees that training and awareness are keys to ensuring associates don’t open the door to cyber attackers, he says turnover and training resource constraints make it unfeasible for small businesses to rely on education alone as a means of defense. “Even if you do train well, someone will fail,” he says. “Someone will fall for the click.” That’s where technology comes in. “In 2014 and 2015, we saw big waves of cybercrime at retail locations, resulting in hundreds of thousands of stolen credit card numbers,” says Bagrin. “All it takes is an associate unscrupulously clicking on some bad link for malware to download, spread, and go unblocked and undetected.” MDS was designed to provide detection and defense in that instance. A small-footprint, cloud-based application that runs in the background, MDS recognizes malicious code, scans its contents, and blocks it. In the event malware becomes active on the network, the software detects it and responds with alerts. Bagrin contends that taking this basic control step will avoid 98 percent of breaches.
According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. Among those, some 60 percent go out of business within six months after an attack. That’s because small businesses can’t absorb the high cost of mitigation per stolen card, which includes outsourcing notification, retroactive credit monitoring, and high-cost legal resources. That’s not to mention the loss of consumer confidence and its direct impact on sales, which is far more palpable to a local business than it is to Target.