SPECIAL REPORT

Data Security

Data Loss Prevention Practices and

Proven Policies to Combat Data Breaches
A
s technology draws us deeper into a new age of
business enterprise, we are continuously
bombarded with waves of challenges and
opportunities involving those with malicious
intentions. These attacks come at us from every
direction as the ingenuity of these criminal minds
seeks new and creative ways to infiltrate our
information resources and engage in cyber warfare
against our businesses.
In order to survive these reprehensible
intrusions, retailers must fight back. We have to
defend our ground and take the necessary steps to
combat the threat. This requires that we build and
recruit the resources that will help us win the battles.
We must become cyber warriors in our own right,
defending our computer and information systems
against those seeking to seize and exploit the lifeline
of our business.
Hackers and like-minded mercenaries wage war
using information technology to assault our
computers and information systems through cyber-
related strategies. In the retail space, we primarily
have thieves looking for personally identifiable
information that can be exploited and turned into
cash. But there are other groups as well. There are
groups targeting organizations for their research and
development assets, intellectual property, and
corporate strategies. There may also be other
motivations.
To win these wars, we must find better ways to
secure our systems by building awareness, educating
our teams, finding and closing vulnerabilities, and
developing collaborative strategies to protect our
resources and defend our customers and our
companies.
Our greatest opportunity to overcome these
intrusions is through a comprehensive approach that
includes information sharing and best-practice
protocols that support a joint defense team. This is a
shared responsibility that will not only demand
innovative thinking, but joint cooperation throughout
an organizationand the industry. To prevail over
this imposing threat to the business, we have to work
together.
A team is typically at its best when the offense
and defense work well together. LP Magazine intends
to take this fight to the offensive by providing
information and resources that can be used to support
our efforts and strengthen our sentinel.
The Influence of Retail
Retail is the lifeblood of the American
economy, remarked Michael Chertoff at a recent
National Retail Federation (NRF) LP conference.
Having a safe space to operate is critical to the
successful operation of the business.
2|Data Security Special Report
According to the U.S. Department of Labor, the
retail trade sector is the nations largest employer,
with approximately 15.3 million jobs as of May
2014. Further studies show that total retail sales in
the United States topped $4.53 trillion in 2013
(EMarketer.com), representing 27 percent of nominal
U.S. gross domestic product, or GDP. While no
surprise to those leading the industry, these numbers
make it quite apparent that cyber threats can not only
impact the retail sector, but can also have a
substantial influence on the growth and stability of
our economy as a whole.
Chertoff, the former
secretary of the U.S. Department
of Homeland Security and now
the executive chairman and
cofounder of the global security
advisory firm the Chertoff
Group, feels that cyber security
issues have not received the type
of front-line attention that some
of the more visible and obvious risks have obtained.
With some of the more recent incidents that have
brought the issue front and center, it is becoming
increasingly clear that these types of threats must
become a business priority.
Weve seen broad exposure of systemic
vulnerabilities in our company infrastructures,
Chertoff said. Businesses are collecting more
personal information about customer preferences,
locations and behaviors, not to mention credit card
numbers. Organized groups have become very
sophisticated in their efforts, using strategies that are
complex and well planned.
Did you ever consider that something as simple
as a thermostat could leave your company vulnerable
to a cyber attack? To help keep customers
comfortable and shopping at a store, its common for
retailers to routinely monitor temperatures and
energy consumption in stores to save on costs and to
alert store managers if temperatures in the stores
fluctuate outside of an acceptable range. Often this
process is completed with the assistance of an outside
service provider with specific expertise to keep the
system efficient and cost effective. Yet this
seemingly mundane, unassuming process opened the
door for access into a companys database, leading to
one of the largest, most damaging data breaches in
retail history.
Whether the vulnerabilities are introduced by
employee errors or negligence, disgruntled
employees, partnering companies, or some other
weak link in our systems or procedures, the risks are
formidable, the possibilities are only bound by the
creativity of the criminal element, and no business is
exempt from the threats.
 Data security is about risk management, not risk
elimination, says Chertoff. There has to be a
strategy for managing the risk built on realistic
expectations. You have to understand what youre
facing so that you can make intelligent decisions.
There must be a full understanding of the threat, of
the consequences, and an assessment of the
companys weaknesses and vulnerabilities and how
they fit within the business.
Arming Ourselves with Experts
Many businesses are aggressively pursuing
different avenues to improve cyber strategies and
provide training and awareness opportunities for
company leadership. Industry conferences have taken
significant steps to offer quality sessions that provide
information, guidance, and direction on cyber-related
issues. Companies are bringing in top experts to
consult with their teams, perform vulnerability
assessments, and educate both staff and company
leadership.
Industry conferences have taken
significant steps to offer quality
sessions that provide information,
guidance, and direction on cyber-related
issues. Companies are bringing in top
experts to consult with their teams,
perform vulnerability assessments, and
educate both staff and company
leadership.
There are also various conferences held across
the country that specifically focus on information-
security issues, some intended for industry experts,
while others focus on training and education of
business leaders at different levels and areas of
responsibility. Larger events would include the RSA
conferences, which attract some of the best and
brightest in the field through annual conferences in
the United States, Europe, and Asia. Other
conferences may focus on specific or more intimate
audiences to heighten awareness and maximize the
learning experience, such as the Cyber Security
Summit. All of these efforts are intended to improve
our skills, keep our professionals connected, and
increase awareness of these critical business
concerns.
In many ways, we have been short-handed
when it comes to cyber warriors, states Ken Fuller,
executive vice president for the Cyber Security
Summit. Weve had tremendous success bridging
the gap by bringing in experts and educating
leadership regarding whats going on and how we
can better defend ourselves. By identifying and
securing thought leaders who can successfully
3|Data Security Special Report
communicate the message, educate them on what to
look for, and help determine the weakest link, we can
help our enterprises approach technology issues with
a broader perspective and a sharper focus.
Fuller adds, This is a real problem, and every
industry is susceptible. Every industry leader has the
responsibility to be aware and educated so that they
can best protect both consumers and the company.
The Veiled Bride
How many of us know that couple where one
partner just seems to spark so much in the
relationship? The person is fun, charming, and
likablehaving that special quality that draws others
in. They make friends easily. They can lead a
conversation, or listen with real or assumed interest
even when the subject is so dry and boring that it
would drive other people insane. We find them
interesting and attractive in different ways and at
different levels. We quickly trust them and believe
their sincerity. The other partner may appear cordial
and friendly, more reserved or withdrawn, or even
more negative or hostile. But this one person brings
us together and makes us want to establish a
friendship.
When it comes to data-security issues, the data
breach has that partnerthe one that draws us in and
seeks out our trust and friendship. In many ways, this
intimate colleague is critical to the success of both
the marriage and the extended relationships
attracting new and unsuspecting individuals on a
daily basis. In this partnership, the veiled bride is
social media.
The Power of Social Media
By using web-based and mobile technologies to
turn communication into interactive dialogue, social
media creates an effective channel for individuals and
groups to connect, interact, create, and share.
With businesses constantly positioning to make
news, build their brands, improve communications,
and grow their customer base, companies are using
email blasts and a plethora of platforms to include
Facebook, Twitter, LinkedIn, and YouTube to market
their products and services. These powerful
communication tools can have significant influence
on awareness, acceptance, and behavior. They play
an important role in many marketing strategies and
are also a common vehicle used by many of our
employees to network and communicate with one
another. Unfortunately, these same resources are
opening doors to many of our data-security issues.
Finding the Weakest Link
When cybercriminals are looking for ways to
breach our systems, the starting point to penetrate our
information typically has nothing to do with the use combat these threats. This involves a comprehensive
of credit cards, even when thats the information that approach that would include the following:
theyre attempting to obtain, says James Foster, A knowledgeable and educated team that
founder and CEO of ZeroFOX in a conversation with communicates well and works together.
LP Magazine. But they have to get in somewhere. A diverse team that can provide different
So what is the best way in? Attackers will look for perspectives and offer comprehensive value.
the weakest link and a way in that exploits or Expert external opinions that provide guidance and
manipulates the system at a point of vulnerability. will objectively review the plan.
Theyll often use tools that have mass adoption An adequate budget.
even if it fails a thousand times, the one time it does Privacy and compliance policies.
work gets them in. They are looking for a more A framework and foundation for governance.
covert way to get into the systemone where they As retailers expand their offerings and push
can feed on the users trust and delay detection. online services, internal and external policies, roles
When you put it together, the easiest venue to and synergies must be reevaluated, and a
leverage is social media. collaborative security strategy that includes loss
In our push to get ahead in the highly prevention absolutely must be part of the
competitive world of business, Foster commented conversation, Foster states. The success of the
that information technologies must reap immediate organization simply depends on it.
benefits. As a result the technology can be
significantly ahead of the controls. Security
measures can lag behind three to five years, he
added. A companys number-one asset is its people.
This is a common thread, and a prime opportunity for
access. Ninety percent or more of the malware is
getting in through social media.
Foster went on to describe a simple scenario as
an example. If a hacker wants to break into XYZ
Company, they may create an online persona that
mirrors the brands logo, verbiage, and marketing
style. They build the false content using one of many
social media platforms, along with a link that says
XYZ Company Rocks. If an employee were to
open the link, it can then open the door for the hacker
to breach the company.
While it may sound like a simple strategy,
hackers have become experts at disguising their
intensionsand it may only take one unsuspecting
employee to be successful. Regrettably, this is only a
single, basic example of a problem with prospects
only limited by the imagination and ingenuity of the
hacker. This is the challenge, and only one of many
issues that we can face.
Building Bridges
Defense in Depth When it comes to dealing with data-security
So, how do we combat these problems? issues in the business world, there are basically two
Unfortunately, existing plans are ninety percent kinds of companiesthose that have discovered that
reactive, which is like patching cracks in a dam with theyve been breached, and those that have been
bubble gum. Foster says. There has to be a plan, a breached and dont know it.
defense-in-depth strategy that proactively addresses While this may be a strong statement, it offers an
data security. In the information world, its about equally powerful message to the retail community.
firewalls, intrusion-detection systems, two-factor Brian White, who leads the global security services
authentication, and encryption. These defenses are business for the Chertoff Group, works with a broad
layered to make them more resilient. But there has to range of clients who are seeking a new strategic
be more. Our defenses must include a plan and a direction to meet their growth objectives. He
partnership that effectively creates a unified team to primarily focuses on cyber security and innovative
technology.

4|Data Security Special Report

 The retail industry has become a primary target
for malicious cyber activity, with both individuals
and criminal networks trying to steal financial
information, identity information, and credit card
information. But issues have the potential of going
even deeper. As demonstrated by recent U.S.
indictments against Chinese military officers accused
of stealing trade secrets from American companies,
there is even the potential for business strategies,
processes, products, and other valued information to
be targeted by nation states seeking to pirate
intellectual property and related business assets.
There are many ways that these breaches can
occur, states White. Thats part of what makes it several recent breaches, as well as the repercussions
such a complex issue. Some methods are fairly
unsophisticated, exploiting peoples natural
inclination to trust others, for example. False emails
may be sent to company employees, encouraging the
employee to open a file or download a link that
allows the criminal to back their way into the
network and ultimately exposes the business to the
intrusive malwarea process commonly referred to
as spear phishing. Other methods may be much
more sophisticated, with the cybercriminals investing
in any number of intricate tools that will allow you to
hack into the system.
While such threats can never be eliminated
entirely, a key aspect of any protection policy is
managing the potential risks. This involves
understanding where your vulnerabilities may occur,
what the consequences might be, and working
together internally as a team to minimize those
vulnerabilities. This is where retail must continue to
build the bridges within our existing infrastructure.
Throughout the retail environment, the LP and
IT departments typically have very different roles and
responsibilities. Their functions within the
organization are carved from distinctive stones,
dissimilar in origin, structure, balance and purpose.
In many ways, they even speak different languages.
However, there is also common ground and a
working relationship based upon shared tasks and
accountabilities. It is this relationship that must
continue to evolve.
When dealing with data risks in the retail
environment, theres increasingly a link back to the
LP teams. The investigation function is particularly
valuable, and a unified strategy only makes good
sense. For our security functions to be most effective,
our professionals must be a collective enterprise,
says White. This requires a comprehensive approach
as described here:
Recognizing our vulnerabilities to mitigate the
risks. This may also include consulting with
specialized professionals to establish controls,
5|Data Security Special Report
ascertain roles and responsibilities, and determine
effective and efficient protocols.
Increased communication and enhanced
cooperation. This is a shared responsibility, and
must flow both ways. There must be shared
perspectives and open channels to build these
bridges.
Additional training. Everyone responsible for
protecting this information must have a strong
awareness of the tools and the power of the data,
along with the knowledge and skills to manage the
risks.
With the depth, magnitude, and global reach of
for the businesses and their brands, there is clearly
greater awareness to the point that companies have
become much more sensitive to the threat. But this
awareness must be coupled with continuing
education, proactive controls, and actionable plans.
Every company should start with the proactive
assumption that their perimeters can and will be
breached, states White. There must be a layered
defense that would include the following:
Appropriate tagging and classifying of data based
on importance and sensitivity.
Robust policies and procedures that clearly identify
security expectations.
Strong password policies, network controls, and
access controls to include third-party controls.
Maintenance protocols and keeping software up-to-
date.
Appropriate education and awareness to keep our
teams current and informed.
A quick and diligent response-and-recovery plan in
the event of an intrusion.
Continuing and persistent evaluation and updates
as necessary and appropriate.
Every organization must evaluate their risks and
exposures and establish best practices based upon
their specific business needs. However, that approach
should not focus solely on compliance. What you
really have to do is take an active, functional
approach to the business, determine the risks, and
then make informed, intelligent decisions based on
the needs, vulnerabilities, and resources available to
the organization.
Perception versus Reality
Recent attacks on retailers, including Target,
Neiman Marcus, Michaels, P.F. Changs, and others,
have focused the attention of the entire retail
community on these cyber-incidents over recent
months, and all have an important connection in
cyber security expert and noted blogger Brian Krebs.
A journalist and investigative reporter who broke the
news on these and several other prominent breaches,
Krebs is best known for his
coverage of profit-seeking
cybercriminals. However,
beyond his experience, it is his
sharp instincts and insightful
approach that help him stand
apart. Recently he gave a
presentation at the 2014 NRF
loss prevention conference and shared some thoughts
that should make all of us take notice.
When it comes to protecting our critical
information, Krebs stressed the concept of perception
versus realityhow secure you actually are versus
how secure that you think you are.
Most companies think that the automated tools
that they have do a pretty good job at protecting them
from these attacks, he says. But where they really
need to focus more of their security budgets is on the
people to help them interpret all of the stuff thats
being put out, and how to respond to it. Too many
organizations spend way too much emphasis on the
tools, and not enough on the people.
Reflecting on several of the incidents that have
garnered his energy and attention, Krebs feels that
companies typically have all of the information that
they need to figure out that theyve had a breach, but
no one is looking at and interpreting that information.
He emphasized the importance of communication,
teamwork, and talent. He then proposed the following
model to guide those efforts:
Identify and protect your soft spotsDetermine
what information that you feel is vital to protect.
Know your enemyFigure out who youre likely to
be targeted by and what information they want.
Invest in talentToo many organizations rely on
automation for security rather than talent. Get
smarter about how you spend your security dollars.
For example, few companies have a chief
information security officer (CISO). Invest in
people and leadership.
Look beyond complianceA primary opportunity
lies in a failure to act on information that has
already been gathered.
For too many organizations, it takes a major
breach to get religion, he says. Do we really need to
experience another incident to find a common creed?
When describing himself on his blog, Krebs
reveals, Much of my knowledge about computers
and Internet security comes from having cultivated
regular and direct access to some of the smartest and
most clueful geeks on the planet. Maybe we should
all take his lead.
The Need for a Data Security Policy
While technology has helped to revolutionize the
retail industry, with this revolution have come new
6|Data Security Special Report
risks. There are many internal and external security
threats that put a companys data and data systems at
risk on a daily basis. As a result, the need to develop
internal information security programs as part of
general operations has become paramount in order to
implement protections against these threats.
Information security can carry different
meanings for different people, and depending on your
position in the company and specific area of
responsibility, definitions and objectives can vary
substantially. However, a common thread existsthe
ultimate goal is still to protect the security,
confidentiality, integrity, quality and availability of a
companys information assets. The need for an
information security policy is the foundation of any
information security program. This policy will be
comprised of a set of rules that govern the acceptable
use of technical resources, security practices, and
operational procedures within the company and the
supporting technological environment.
There are many components that make up a
strong security policy, but the most critical are that:
1. Corporate management supports the policy and
2. The policy aligns information security with the
core objectives of the business.
There must be unwavering support by the leaders
at the highest level of the organization in order for a
policy to weave itself into the day-to-day operations
of the business, and this will only happen if the
policy reflects our core business objectives. That
policy must be drafted with the primary motive to
support the business, while providing adequate
standards and controls that safeguard the business
and our customers at the same time. Some common
subject areas typically found in an information
security policy could include, but are not limited to:
Employee/management roles and responsibilities
Guidelines for acceptable and unacceptable use of
company resources, including Internet and email
Acceptable use of company software and hardware
Non-compliance issues
Incident management
Remote access and mobile computing
Information classification guidelines
User ID and password standards and management
Physical security
Data archiving, meaning how often each user
should copy information to an archive file, and
backup requirements
A framework and foundation for governance
Each subject will highlight employee
expectations and will typically include the dos and
donts of information security. Such policies will
also set a minimum standard for what controls are to
be in place and what practices are required in order to
maintain computing systems. For example, a mobile
computing policy might state, Antivirus software
must be installed on all company workstations and
servers used for revenue generating purposes. Policy
statements can also be used to define acceptable and
unacceptable behaviors. For example, Employees
are not permitted to use company systems to
download or email objectionable content, such as
jokes, chain letters, pornographic materials or other
specific file types that are more susceptible to viruses
and malicious programs. The need for an
information security policy essentially helps a
company limit its risk and propagates positive
behaviors which contribute to a safer, more secure
computing environment for employees to work and
conduct their daily business.
It is important to set some time aside and
familiarize yourself with your companys information
security policy. While these policies are becoming
more common place, practices and policies as well as
the method of delivery may vary from company to
company. You may believe that you are following
information security best practices in your daily
activities. However, you may also be surprised to
learn that there are some important security policy
responsibilities that you may not have been familiar
with.
Good Practices in Daily Activities
Protecting the data that we work with every day
requires persistent awareness. As loss prevention
professionals, we are exposed to a vast array of
sensitive information every single day. In addition to
investigative data and other case-sensitive
information, we often have access to financial data,
confidential records, personnel files, sensitive
statistical data, contracts, research information and a
host of other vital company assets. Every piece of
data that we access must be perceived as important
and considered a valuable asset, and we must always
remain concerned about the safety and integrity of
that data.
The corporate world has been hit by a wave of
security issues in recent years, exposing severe
weaknesses in the strategic practices of the business
community to deal with the protection of information
assets. Organizations of all sizes can fall victim to
what amounts to poor security planning, improperly
handling data and exposing their entire company
assets to potential breaches. Each of us ultimately
represents a link in the security chain, carrying a
critical responsibility to maintain the safety and
integrity of this information. Safeguarding sensitive
data is more than good business, it is a professional
responsibility.
A sound data security plan is built on several
key principles. First of all, take stock in what you
7|Data Security Special Report
haveknow what information that you have access
to in your files and on your computer.
Second, maintain access only to the information
that you need. Limit exposures by managing
accessibility (for example, store sensitive information
on a company server or other secure location and not
on your laptop), and properly secure or dispose of
what you no longer need.
Next, keep information in your care locked down
and protected by controlling access to the front
door; monitoring and restricting access to your
equipment.
Finally, plan ahead. Have a plan to respond to
security incidents in the event that they do occur.
Knowing how to react and respond will help to
limit our exposures and minimize potential risks
and damage.
Other security tips that we should follow on a
daily basis might include but are not limited to:
Keep operating systems updated as necessary and
appropriate. The newest version of any operating
system is generally the safest. Protect systems by
downloading the latest security updates to limit
vulnerabilities.
Backup your important data on a regular basis,
and store it in a separate location to minimize risks
of data being lost. Any data that hasnt been
backed up is at risk. Audit data storage by
conducting trial restores from time to time to
ensure that the data is actually being backed up.
Install firewalls on computer systems. A firewall is
a combination of software and/or hardware that
provides a protective barrier between a computer or
computer network and the public Internet. It
essentially protects your online gateway and blocks
unauthorized access to your computer or computer
network.
Use antivirus software on computers. A computer
virus is a program designed to copy itself into other
programs stored in a computer, infecting and
potentially damaging the files that receive it. Some
viruses are mild, while others are very destructive
and can wipe out a computers memory or even
cause more severe damage. Anti-virus software
continuously scans your computer looking for
viruses, and also checks incoming email and
websites for potential threats. Updates must be
performed regularly in order to stay current and
effective.
Use spyware protection on computers. Spyware is
computer software that is covertly used to gather
personal information as well as monitor user
activity and surfing habits; but can also have other
potentially harmful consequences such as installing
additional software, redirecting Web browser
activity, accessing websites blindly, changing
 computer settings, slowing connection speeds and Know how to notify appropriate parties
otherwise damaging or interfering with user immediately in the event that phones, laptops, or
control. Spyware protection must also be updated confidential documents are lost or stolen.
regularly in order to remain effective. Understand the appropriate policies and practices,
Protect passwords! Weak password protocols are a and maintain access to an emergency contact
common security flaw that can increase risks. number.
Change passwords frequently and use a strong Recognize that information security is not just
password that is difficult to guess or decipher. Use about protecting the technologyits also about
a combination of letters, numbers and other protecting physical assets, communications, access
characters. Do not share it with others, and resist controls and every aspect of our information
saving passwords when prompted to. networks. This would include the physical security
Do not open attachments in emails from people or of company premises, proper disposal of
sources that you do not know. Filter out unwanted confidential paper waste, etc. It is also about
spam email using spam filter programs when ensuring that your staff is adequately trained so
possible. Dont click on anything in a spam email, that they know what is expected of them as well.
even to unsubscribe. If possible, dont even open it. It is important to remember that good security
Take precautions when sending sensitive or practices do not stop when you leave the office every
proprietary information via email. Password day; you also take them with you when you travel or
protect documents when necessary. work remotely. In loss prevention, you have exposure
Only allow staff access to the information that they to different personnel at varying levels in the
need to do their job. For example, as employees organization. Being an advocate for strong security
move within an organization, access privileges can practices and cascading best practices to those around
follow and quickly mount. Ensuring that you helps increase awareness and protect
employees only have access to the information information. Individuals need to realize that
appropriate for their current position can be an companies do not solely rely on technology alone to
essential step in avoiding manipulation and/or loss keep a company secure. Information security is really
of data. everyones responsibility.
Do not use shared devices, such as hotel By capitalizing on opportunities to enhance our
computers, for information that should be knowledge and education, we are making an
protected. investment in our own future. To learn more about
When possible, encrypt any personal information developing your leadership skills and the certification
held electronically if it might cause damage or process, visit losspreventionfoundation.org.
threat if it is lost or stolen. Encryption is the
changing of data into code, a procedure that
renders the content of a message or file unreadable
to anyone not authorized to read it.
Audit data storage for security policy enforcement,
access control, and proper destruction of
appropriate content on a regular basis. Delete
information that is no longer necessary, and disable
functionality that you dont need. Do not dispose of
old computers until all pertinent information has
been securely removed by authorized technology
or by destroying the hard disk. Ensure that
computers and other equipment are appropriately
cleansed of information, software, etc., before they
are allocated to another employee.
Always lock your computer when you are away
from it. Log off and shut down your computer prior
to leaving for the day.
Develop and implement appropriate security
protocols regarding the use of removable storage
devices, such as external hard drives and flash
drives. Such devices can hold significant amounts
of information, and should be carefully monitored
and tightly controlled.

8|Data Security Special Report

Cyber Insurance in a New Age of Liability
In the wake of the Target data breach and the age
of cyber-everything, many companiesand
especially those within the retail industryare
rightly considering whether or not cyber insurance is
a worthwhile investment. A number of key variables
should be considered when researching and
negotiating a cyber liability insurance policy.
Like any burgeoning enterprise, the cyber
liability insurance industry is not without its
challenges. The market is dynamic, with new vendors
entering weekly. Given the fields growth, it lacks the
decades of actuarial data that more mature offerings
such as traditional liability insurance maintain. This
creates a dynamic environment in which premiums
vary greatly between providers, and exclusions
frequently change.
While a cyber insurance policy should not be
used as a catch-all to avoid critical investments in a
security team and technology, it can certainly be used
to offset the large cost of a data breach response and
recovery. One of the benefits of maintaining a policy
includes the use of the insurance companys
resources. These resources can include specialized
lawyers to determine disclosure requirements and
help fight class-action lawsuits; specialized security
personnel to investigate and advise regarding
protections before breaches and perform incident
response after breaches; and credit monitoring
resources to help affected consumers after a breach.
In many cases, the insurance companies have
negotiated rates for specialized incident response and
crisis management services. These discounts alone
can save an organization hundreds of thousands of
dollars.
That said, there are some basics that all retail
organizations should be aware of prior to selecting a
cyber insurance policy. First and foremost, due to the
liability incurred with processing payment card
industry (PCI) data, standard policies for retailers
should cover both first-party expenses and third-party
liability expenses.
Basic first-party coverage items include:
Expenses related to a cyber investigation
Extortion claims due to data theft
Monetary theft and/or fraudulent monetary
transactions
System loss and restoration
The basic third-party coverage items include:
Litigation expenses
Regulatory response costs
Notification costs
Credit monitoring services
Crisis management
Some policies cover business interruption costs
as part of their first-party coverage, but in the wake
9|Data Security Special Report
of recent large scale data breaches, this is becoming
harder to define and, in the event of a breach, to
receive reimbursement.
The caveat, of course, is that insurance providers
are still in the business of making money, and the
likelihood of retailers being targets of a data breach is
high. Given this paradigm, there are actions
organizations should consider to ensure they receive
the highest return on the investment of their
coverage:
Be aware that all breach-related communications
are of interest to the insurer, and ensure that all of
those communications, from the onset of the
incident, are covered under attorney-client
privilege.
Evaluate a variety of providers and compare
policies before making a choice.
Ensure that someone within your organization who
is familiar with cyber breaches reviews the policy
in detail. If necessary, involve your outside counsel
in the negotiation process.
Additionally, retailers should be aware of policy
exclusions and negotiate coverage for some of the
most common. These include ensuring the policy
covers both third-party liabilities as well first-party
expenses that the plan includes coverage for
retroactive breach dates, that the policy has no carve-
outs for foreign enemy or terrorist acts, and that the
policy extends coverage to subsequent lawsuits
stemming from the original breach.
Because networked technology implementations
are a mainstay within retail operations of all sizes,
thieves will continue to find ways to compromise
their security in the interest of monetary gain. The
implementation of cyber liability insurance is one
way to offset risk and ensure you are fiscally
prepared if an incident occurs.
Reaching Beyond Compliance
Building on common ground improves
comprehension and enhances professional
development. One way to
accomplish this is by asking the
expertsthose with
exceptional ability and
expertise to explain concepts,
products, and functions in
terms that can be easily
understood and applied in
everyday situations.
Data security is a critical subject that demands
the attention of every LP practitioner, and bridging
the gap between LP and IT remains essential to our
future success. LP Magazine sat down with Paul
Murray, senior vice president of product management
for Wontok, Inc. to help bring insight into building
these relationships. Wontoks industry expertise is
bringing value-added data security services to
businesses across the U.S., Europe, and APAC.
What are the biggest hurdles that retailers face when
building an effective communications bridge between
LP and IT?
Information exchange and collaboration is the
key. Loss prevention and IT need to form a
partnership with a common language that embraces
the financial as well as the technical, especially
considering how that pertains to data security.
Technology alone wont bridge the gap. Some of the
biggest challenges in business are changes to the
culture, and the fundamental challenge here is
cultural.
We cant allow either of these departments to
operate in a silo. Some changes will require IT and
LP to work more closely together at a compliance
level, which helps build a common language.
Working together and having like goals is a natural
catalyst for creating a more cohesive working
relationship. If the business can implement a smooth
and accommodating change in the way these
departments work together, the results will follow.
How can LP educate or share intelligence with IT to
help keep the business protected?
LP departments typically have excellent
intelligence on the human factors that impact the
business. Contractors, suppliers, and even staff
turnover are all in view of and understood by LP. By
bringing IT into the fold, IT will be better armed with
potential breach vectors beyond those that originate
from the Internet, but are just as dangerous. For
example, if there is a process in place for outside
vendors gaining access to systems for maintenance,
then both LP and IT should be involved in the
process. Not only will this approach help to automate
the process, but the entire organization will be more
alert to any additional data breach vectors that can
then be addressed.
What are some ways that IT can educate or share
intelligence with LP to improve network protection?
This information exchange should start out
simple and avoid becoming overcomplicated. Data
security can be a complex topic, but its critical to
remember that a sound understanding does not
require a deeply technical comprehension. By gaining
clear insight on the basics of sensitive data, how it
moves around the network, and how it is stored, LP
staff will develop awareness in their day to day. Over
time, data will simply become another valuable asset
10 | D a t a S e c u r i t y S p e c i a l R e p o r t
that needs to be protected, similar to merchandise,
profits, and brand.
How will the new and interactive technology being
introduced into the consumer experience influence
the need for LP and IT to work together?
With technology making its way into all industry
sectors, there are great benefits to collaboration
between LP and IT. Take customer Wi-Fi for
example. There are areas of a retail premises that are
clearly off limits to customers, such as offices and
stock areas. But when we offer customers access to
free Wi-Fi while they shop or dine, have we given
this the same degree of thought? If your Wi-Fi is on
the same network segment as your back office
servers, you might as well have customers passing
freely through this area. Collaboration on decisions
like this not only limits mistakes, but increases
awareness and merges responsibility and expertise.
Cooperative efforts should also extend to staff
training. By enhancing sales training to include more
technical information on the equipment being used
and how it can be used against us, we may be more
apt at thwarting criminal incidents that may have
otherwise gone unnoticed.
Why is it so critical for retailers to look beyond
compliance to protect the business?
Simply stated, being compliant is not the same as
being secure. The retailers recently breached were
compliant. We need to go above and beyond these
regulatory recommendations, work together, and take
the necessary steps to be as secure as we can be if we
dont wish to become the next victim.
How Not to Be the Next Target
It started with a simple innocuous temperature
control device from an HVAC vendor. Once inside
the outer perimeter the attackers installed a piece of
malware whose code they probably tested on
virustotal.com to make sure it hadnt been detected
by the 40 or so anti-virus vendors. The malware then
spread to every point of sale terminal, cleverly
collecting credit card information during the
millisecond that it was not encrypted, thus defeating
industry standard network perimeter security, anti-
virus, and encryption technologies in one fell swoop.
When it was all said and done, Target, the
second largest U.S. retailer with over 1,900 stores
and $73 billion in sales, was breached. Hackers stole
40 million cards and information from 70 million
consumers. The breach will likely cost Target
between $400 million to $2 billion in losses from
purchasing identity protections for consumers, paying
for banks to replace credit cards and fending of
litigation.
Looking Ahead
According to Adam Levin of credit.com, its
only going to get worse. The number and scale of
data breaches have been growing at epidemic
proportions over the last five years, and the common
refrain among security experts is, Its not if you are
going to get breached, its when.
How disastrous are these breaches? While large
retailers suffer tremendous financial losses and
tarnish to their brand, most will recover. However,
the threat is even more acute for smaller retailers who
dont have the same IT and security resources or
online retailers with many similar competitors. For
those companies, a data breach could prove fatal, as
consumers switch to competitors and never come
back.
Chip and PIN, PCI Compliance, and Data
Encryption
Starting in October 2015, the payment industry is
supposed to move toward a new payment technology
(commonly known as chip-and-PIN) that is intended
to make the credit card information harder to steal
and also shift liability for fraud to merchants who are
not chip-and-PIN compliant.
Additionally, the payment card industry data
security standard (PCI DSS) has issued a set of
requirements to ensure that merchants process, store,
and transmit encrypted data in a safe environment.
While these measures will help, this wont eliminate
the possibility of data being exposed at the point of
sale, according to Al Pascual, a senior analyst at
Javelin Strategy who has written extensively about
data breaches.
Its worth noting that an earlier version of chip-
and-PIN was hacked, and that most of these breaches
circumvented PCI DSS standards and encryption.
Some of these merchants were certified compliant
when they were actually infected with malware.
Regardless of what solutions are currently being
talked about, one thing is for sureit wont be a
magic bullet, and it wont be enough. Fraud is like a
balloon; you squeeze one end and it will expand
somewhere else.
Five Steps Merchants Need to Take to Protect
Themselves
Secure your perimeter IT network and web-
based applications. Your IT network is like your
house, and you need to secure the windows, doors,
and ventanywhere you think a thief can come in.
Web-based applications are like the mail, cable,
11 | D a t a S e c u r i t y S p e c i a l R e p o r t
electricity, water, gas, package deliveries that help
run your house; anything that needs to come in and
out of the house in order to communicate with the
outside world.
Be prepared. Prepare yourself with data breach
and incidence response training. Just like you have
disaster preparation, conduct data breach preparation
and readiness training by developing processes,
training your people, and practice often. As Mike
Brummer, vice president of Experian Data Breach
Resolution, explains to bankinfosecurity.com,
Organizations really have fewer excuses why they
shouldnt be prepared. Its much more cost effective
to prepare, to pay the price and invest upfront, versus
paying later.
Regardless of what solutions are
currently being talked about, one thing is
for sureit wont be a magic bullet, and
it wont be enough. Fraud is like a
balloon; you squeeze one end and it will
expand somewhere else.
Buy cyber security insurance. This is a growing
field and insurance companies will also help you
focus on what is important and what is financially at
risk. The endeavor will help provide you with the
discipline to discern what needs to be protected.
Monitor your systems 24/7 for suspicious IT
traffic and fraudulent financial traffic. Its not good
enough to do periodic audits. Today, you need
constant 24/7 monitoring so you can detect breaches
faster and take immediate actions to stop and mitigate
the losses. Just as consumers get alerts from their
bank or credit card to verify purchasesoften in real-
timemerchants need to adopt similar technologies
to notify them of potential threats.
Finally, have a security forensics team on speed
dial. Even better, bring the team in before a breach
occurs to understand what they can and cant do for
you and evaluate their skills and expertise before
having to use them.
Every merchant we talk to wants a magic bullet
to prevent data breaches, but the reality is that bullet
doesnt exist. These recommendations prepare you to
be ready, to be proactive, and to respond better. As
Jeff Multz, a security evangelist at Secureworks said,
Security is a journey, not a destination. One that
merchants need to undertake to give them a fighting
chance.
Contributors to this free report include Jacque
Brittain, Wendi Whitmore Rafferty, Paul Murray,
Canh Tran, and the Loss Prevention Foundation.