SPECIAL REPORT

Data Security

Data Loss Prevention Practices and Proven Policies to Combat Data Breaches

As technology draws us deeper into a new age of business enterprise, we are continuously bombarded with waves of challenges and opportunities involving those with malicious intentions. These attacks come at us from every direction as the ingenuity of these criminal minds seeks new and creative ways to infiltrate our information resources and engage in cyber warfare against our businesses.

In order to survive these reprehensible intrusions, retailers must fight back. We have to defend our ground and take the necessary steps to combat the threat. This requires that we build and recruit the resources that will help us win the battles. We must become cyber warriors in our own right, defending our computer and information systems against those seeking to seize and exploit the lifeline of our business.

Hackers and like-minded mercenaries wage war using information technology to assault our computers and information systems through cyber-related strategies. In the retail space, we primarily have thieves looking for personally identifiable information that can be exploited and turned into cash. But there are other groups as well. There are groups targeting organizations for their research and development assets, intellectual property, and corporate strategies. There may also be other motivations.

To win these wars, we must find better ways to secure our systems by building awareness, educating our teams, finding and closing vulnerabilities, and developing collaborative strategies to protect our resources and defend our customers and our companies.

Our greatest opportunity to overcome these intrusions is through a comprehensive approach that includes information sharing and best-practice protocols that support a joint defense team. This is a shared responsibility that will not only demand innovative thinking, but joint cooperation throughout an organization and the industry. To prevail over this imposing threat to the business, we have to work together.

A team is typically at its best when the offense and defense work well together. LP Magazine intends to take this fight to the offensive by providing information and resources that can be used to support our efforts and strengthen our sentinel.

The Influence of Retail

"Retail is the lifeblood of the American economy," remarked Michael Chertoff at a recent National Retail Federation (NRF) LP conference. "Having a safe space to operate is critical to the successful operation of the business."

According to the U.S. Department of Labor, the retail trade sector is the nation's largest employer, with approximately 15.3 million jobs as of May 2014. Further studies show that total retail sales in the United States topped $4.53 trillion in 2013 (EMarketer.com), representing 27 percent of nominal U.S. gross domestic product, or GDP. While no surprise to those leading the industry, these numbers make it quite apparent that cyber threats can not only impact the retail sector, but can also have a substantial influence on the growth and stability of our economy as a whole.

Chertoff, the former secretary of the U.S. Department of Homeland Security and now the executive chairman and cofounder of the global security advisory firm the Chertoff Group, feels that cyber security issues have not received the type of front-line attention that some of the more visible and obvious risks have obtained. With some of the more recent incidents that have brought the issue front and center, it is becoming increasingly clear that these types of threats must become a business priority.

"We've seen broad exposure of systemic vulnerabilities in our company infrastructures," Chertoff said. "Businesses are collecting more personal information about customer preferences, locations and behaviors, not to mention credit card numbers. Organized groups have become very sophisticated in their efforts, using strategies that are complex and well planned."

Did you ever consider that something as simple as a thermostat could leave your company vulnerable to a cyber attack? To help keep customers comfortable and shopping at a store, it's common for retailers to routinely monitor temperatures and energy consumption in stores to save on costs and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range. Often this process is completed with the assistance of an outside service provider with specific expertise to keep the system efficient and cost effective. Yet this seemingly mundane, unassuming process opened the door for access into a company's database, leading to one of the largest, most damaging data breaches in retail history.

Whether the vulnerabilities are introduced by employee errors or negligence, disgruntled employees, partnering companies, or some other weak link in our systems or procedures, the risks are formidable, the possibilities are only bound by the creativity of the criminal element, and no business is exempt from the threats.

2|Data Security Special Report


"Data security is about risk management, not risk elimination," says Chertoff. "There has to be a strategy for managing the risk built on realistic expectations. You have to understand what you're facing so that you can make intelligent decisions. There must be a full understanding of the threat, of the consequences, and an assessment of the company's weaknesses and vulnerabilities and how they fit within the business."

Arming Ourselves with Experts

Many businesses are aggressively pursuing different avenues to improve cyber strategies and provide training and awareness opportunities for company leadership. Industry conferences have taken significant steps to offer quality sessions that provide information, guidance, and direction on cyber-related issues. Companies are bringing in top experts to consult with their teams, perform vulnerability assessments, and educate both staff and company leadership.

There are also various conferences held across the country that specifically focus on information-security issues, some intended for industry experts, while others focus on training and education of business leaders at different levels and areas of responsibility. Larger events would include the RSA conferences, which attract some of the best and brightest in the field through annual conferences in the United States, Europe, and Asia. Other conferences may focus on specific or more intimate audiences to heighten awareness and maximize the learning experience, such as the Cyber Security Summit. All of these efforts are intended to improve our skills, keep our professionals connected, and increase awareness of these critical business concerns.

"In many ways, we have been short-handed when it comes to cyber warriors," states Ken Fuller, executive vice president for the Cyber Security Summit. "We've had tremendous success bridging the gap by bringing in experts and educating leadership regarding what's going on and how we can better defend ourselves. By identifying and securing thought leaders who can successfully communicate the message, educate them on what to look for, and help determine the weakest link, we can help our enterprises approach technology issues with a broader perspective and a sharper focus."

Fuller adds, "This is a real problem, and every industry is susceptible. Every industry leader has the responsibility to be aware and educated so that they can best protect both consumers and the company."

The Veiled Bride

How many of us know that couple where one partner just seems to spark so much in the relationship? The person is fun, charming, and likable, having that special quality that draws others in. They make friends easily. They can lead a conversation, or listen with real or assumed interest even when the subject is so dry and boring that it would drive other people insane. We find them interesting and attractive in different ways and at different levels. We quickly trust them and believe their sincerity. The other partner may appear cordial and friendly, more reserved or withdrawn, or even more negative or hostile. But this one person brings us together and makes us want to establish a friendship.

When it comes to data-security issues, the data breach has that partner, the one that draws us in and seeks out our trust and friendship. In many ways, this intimate colleague is critical to the success of both the marriage and the extended relationships, attracting new and unsuspecting individuals on a daily basis. In this partnership, the veiled bride is social media.

The Power of Social Media

By using web-based and mobile technologies to turn communication into interactive dialogue, social media creates an effective channel for individuals and groups to connect, interact, create, and share.

With businesses constantly positioning to make news, build their brands, improve communications, and grow their customer base, companies are using email blasts and a plethora of platforms including Facebook, Twitter, LinkedIn, and YouTube to market their products and services. These powerful communication tools can have significant influence on awareness, acceptance, and behavior. They play an important role in many marketing strategies and are also a common vehicle used by many of our employees to network and communicate with one another. Unfortunately, these same resources are opening doors to many of our data-security issues.

Finding the Weakest Link

When cybercriminals are looking for ways to breach our systems, "the starting point to penetrate our information typically has nothing to do with the use of credit cards, even when that's the information that they're attempting to obtain," says James Foster, founder and CEO of ZeroFOX, in a conversation with LP Magazine. "But they have to get in somewhere. So what is the best way in? Attackers will look for the weakest link and a way in that exploits or manipulates the system at a point of vulnerability. They'll often use tools that have mass adoption; even if it fails a thousand times, the one time it does work gets them in. They are looking for a more covert way to get into the system, one where they can feed on the user's trust and delay detection. When you put it together, the easiest venue to leverage is social media."

In our push to get ahead in the highly competitive world of business, Foster commented that information technologies must reap immediate benefits. As a result, the technology can be significantly ahead of the controls. "Security measures can lag behind three to five years," he added. "A company's number-one asset is its people. This is a common thread, and a prime opportunity for access. Ninety percent or more of the malware is getting in through social media."

Foster went on to describe a simple scenario as an example. If a hacker wants to break into XYZ Company, they may create an online persona that mirrors the brand's logo, verbiage, and marketing style. They build the false content using one of many social media platforms, along with a link that says "XYZ Company Rocks." If an employee were to open the link, it can then open the door for the hacker to breach the company.

While it may sound like a simple strategy, hackers have become experts at disguising their intentions, and it may only take one unsuspecting employee to be successful. Regrettably, this is only a single, basic example of a problem with prospects only limited by the imagination and ingenuity of the hacker. This is the challenge, and only one of many issues that we can face.

Defense in Depth

So, how do we combat these problems? "Unfortunately, existing plans are ninety percent reactive, which is like patching cracks in a dam with bubble gum," Foster says. "There has to be a plan, a defense-in-depth strategy that proactively addresses data security. In the information world, it's about firewalls, intrusion-detection systems, two-factor authentication, and encryption. These defenses are layered to make them more resilient. But there has to be more. Our defenses must include a plan and a partnership that effectively creates a unified team to combat these threats." This involves a comprehensive approach that would include the following:
• A knowledgeable and educated team that communicates well and works together.
• A diverse team that can provide different perspectives and offer comprehensive value.
• Expert external opinions that provide guidance and will objectively review the plan.
• An adequate budget.
• Privacy and compliance policies.
• A framework and foundation for governance.

"As retailers expand their offerings and push online services, internal and external policies, roles and synergies must be reevaluated, and a collaborative security strategy that includes loss prevention absolutely must be part of the conversation," Foster states. "The success of the organization simply depends on it."

Building Bridges

When it comes to dealing with data-security issues in the business world, there are basically two kinds of companies: those that have discovered that they've been breached, and those that have been breached and don't know it.

While this may be a strong statement, it offers an equally powerful message to the retail community. Brian White, who leads the global security services business for the Chertoff Group, works with a broad range of clients who are seeking a new strategic direction to meet their growth objectives. He primarily focuses on cyber security and innovative technology.



The retail industry has become a primary target ascertain roles and responsibilities, and determine
for malicious cyber activity, with both individuals effective and efficient protocols.
and criminal networks trying to steal financial Increased communication and enhanced
information, identity information, and credit card cooperation. This is a shared responsibility, and
information. But issues have the potential of going must flow both ways. There must be shared
even deeper. As demonstrated by recent U.S. perspectives and open channels to build these
indictments against Chinese military officers accused bridges.
of stealing trade secrets from American companies, Additional training. Everyone responsible for
there is even the potential for business strategies, protecting this information must have a strong
processes, products, and other valued information to awareness of the tools and the power of the data,
be targeted by nation states seeking to pirate along with the knowledge and skills to manage the
intellectual property and related business assets. risks.
There are many ways that these breaches can With the depth, magnitude, and global reach of
occur, states White. Thats part of what makes it several recent breaches, as well as the repercussions
such a complex issue. Some methods are fairly for the businesses and their brands, there is clearly
unsophisticated, exploiting peoples natural greater awareness to the point that companies have
inclination to trust others, for example. False emails become much more sensitive to the threat. But this
may be sent to company employees, encouraging the awareness must be coupled with continuing
employee to open a file or download a link that education, proactive controls, and actionable plans.
allows the criminal to back their way into the Every company should start with the proactive
network and ultimately exposes the business to the assumption that their perimeters can and will be
intrusive malwarea process commonly referred to breached, states White. There must be a layered
as spear phishing. Other methods may be much defense that would include the following:
more sophisticated, with the cybercriminals investing Appropriate tagging and classifying of data based
in any number of intricate tools that will allow you to on importance and sensitivity.
hack into the system. Robust policies and procedures that clearly identify
While such threats can never be eliminated security expectations.
entirely, a key aspect of any protection policy is Strong password policies, network controls, and
managing the potential risks. This involves access controls to include third-party controls.
understanding where your vulnerabilities may occur, Maintenance protocols and keeping software up-to-
what the consequences might be, and working date.
together internally as a team to minimize those Appropriate education and awareness to keep our
vulnerabilities. This is where retail must continue to teams current and informed.
build the bridges within our existing infrastructure. A quick and diligent response-and-recovery plan in
Throughout the retail environment, the LP and the event of an intrusion.
IT departments typically have very different roles and Continuing and persistent evaluation and updates
responsibilities. Their functions within the as necessary and appropriate.
organization are carved from distinctive stones, Every organization must evaluate their risks and
dissimilar in origin, structure, balance and purpose. exposures and establish best practices based upon
In many ways, they even speak different languages. their specific business needs. However, that approach
However, there is also common ground and a should not focus solely on compliance. What you
working relationship based upon shared tasks and really have to do is take an active, functional
accountabilities. It is this relationship that must approach to the business, determine the risks, and
continue to evolve. then make informed, intelligent decisions based on
When dealing with data risks in the retail the needs, vulnerabilities, and resources available to
environment, theres increasingly a link back to the the organization.
LP teams. The investigation function is particularly
valuable, and a unified strategy only makes good Perception versus Reality
sense. For our security functions to be most effective, Recent attacks on retailers, including Target,
our professionals must be a collective enterprise, Neiman Marcus, Michaels, P.F. Changs, and others,
says White. This requires a comprehensive approach have focused the attention of the entire retail
as described here: community on these cyber-incidents over recent
Recognizing our vulnerabilities to mitigate the months, and all have an important connection in
risks. This may also include consulting with cyber security expert and noted blogger Brian Krebs.
specialized professionals to establish controls, A journalist and investigative reporter who broke the
news on these and several other prominent breaches,

5|Data Security Special Report


Krebs is best known for his risks. There are many internal and external security
coverage of profit-seeking threats that put a companys data and data systems at
cybercriminals. However, risk on a daily basis. As a result, the need to develop
beyond his experience, it is his internal information security programs as part of
sharp instincts and insightful general operations has become paramount in order to
approach that help him stand implement protections against these threats.
apart. Recently he gave a Information security can carry different
presentation at the 2014 NRF meanings for different people, and depending on your
loss prevention conference and shared some thoughts position in the company and specific area of
that should make all of us take notice. responsibility, definitions and objectives can vary
When it comes to protecting our critical substantially. However, a common thread existsthe
information, Krebs stressed the concept of perception ultimate goal is still to protect the security,
versus realityhow secure you actually are versus confidentiality, integrity, quality and availability of a
how secure that you think you are. companys information assets. The need for an
Most companies think that the automated tools information security policy is the foundation of any
that they have do a pretty good job at protecting them information security program. This policy will be
from these attacks, he says. But where they really comprised of a set of rules that govern the acceptable
need to focus more of their security budgets is on the use of technical resources, security practices, and
people to help them interpret all of the stuff thats operational procedures within the company and the
being put out, and how to respond to it. Too many supporting technological environment.
organizations spend way too much emphasis on the There are many components that make up a
tools, and not enough on the people. strong security policy, but the most critical are that:
Reflecting on several of the incidents that have 1. Corporate management supports the policy and
garnered his energy and attention, Krebs feels that 2. The policy aligns information security with the
companies typically have all of the information that core objectives of the business.
they need to figure out that theyve had a breach, but There must be unwavering support by the leaders
no one is looking at and interpreting that information. at the highest level of the organization in order for a
He emphasized the importance of communication, policy to weave itself into the day-to-day operations
teamwork, and talent. He then proposed the following of the business, and this will only happen if the
model to guide those efforts: policy reflects our core business objectives. That
Identify and protect your soft spotsDetermine policy must be drafted with the primary motive to
what information that you feel is vital to protect. support the business, while providing adequate
Know your enemyFigure out who youre likely to standards and controls that safeguard the business
be targeted by and what information they want. and our customers at the same time. Some common
Invest in talentToo many organizations rely on subject areas typically found in an information
automation for security rather than talent. Get security policy could include, but are not limited to:
smarter about how you spend your security dollars. Employee/management roles and responsibilities
For example, few companies have a chief Guidelines for acceptable and unacceptable use of
information security officer (CISO). Invest in company resources, including Internet and email
people and leadership. Acceptable use of company software and hardware
Look beyond complianceA primary opportunity Non-compliance issues
lies in a failure to act on information that has Incident management
already been gathered. Remote access and mobile computing
For too many organizations, it takes a major Information classification guidelines
breach to get religion, he says. Do we really need to User ID and password standards and management
experience another incident to find a common creed? Physical security
When describing himself on his blog, Krebs Data archiving, meaning how often each user
reveals, Much of my knowledge about computers should copy information to an archive file, and
and Internet security comes from having cultivated backup requirements
regular and direct access to some of the smartest and A framework and foundation for governance
most clueful geeks on the planet. Maybe we should Each subject will highlight employee
all take his lead. expectations and will typically include the dos and
donts of information security. Such policies will
The Need for a Data Security Policy also set a minimum standard for what controls are to
While technology has helped to revolutionize the be in place and what practices are required in order to
retail industry, with this revolution have come new maintain computing systems. For example, a mobile

6|Data Security Special Report


computing policy might state, Antivirus software haveknow what information that you have access
must be installed on all company workstations and to in your files and on your computer.
servers used for revenue generating purposes. Policy Second, maintain access only to the information
statements can also be used to define acceptable and that you need. Limit exposures by managing
unacceptable behaviors. For example, Employees accessibility (for example, store sensitive information
are not permitted to use company systems to on a company server or other secure location and not
download or email objectionable content, such as on your laptop), and properly secure or dispose of
jokes, chain letters, pornographic materials or other what you no longer need.
specific file types that are more susceptible to viruses Next, keep information in your care locked down
and malicious programs. The need for an and protected by controlling access to the front
information security policy essentially helps a door; monitoring and restricting access to your
company limit its risk and propagates positive equipment.
behaviors which contribute to a safer, more secure Finally, plan ahead. Have a plan to respond to
computing environment for employees to work and security incidents in the event that they do occur.
conduct their daily business. Knowing how to react and respond will help to
It is important to set some time aside and limit our exposures and minimize potential risks
familiarize yourself with your companys information and damage.
security policy. While these policies are becoming Other security tips that we should follow on a
more common place, practices and policies as well as daily basis might include but are not limited to:
the method of delivery may vary from company to Keep operating systems updated as necessary and
company. You may believe that you are following appropriate. The newest version of any operating
information security best practices in your daily system is generally the safest. Protect systems by
activities. However, you may also be surprised to downloading the latest security updates to limit
learn that there are some important security policy vulnerabilities.
responsibilities that you may not have been familiar Backup your important data on a regular basis,
with. and store it in a separate location to minimize risks
of data being lost. Any data that hasnt been
Good Practices in Daily Activities backed up is at risk. Audit data storage by
Protecting the data that we work with every day conducting trial restores from time to time to
requires persistent awareness. As loss prevention ensure that the data is actually being backed up.
professionals, we are exposed to a vast array of Install firewalls on computer systems. A firewall is
sensitive information every single day. In addition to a combination of software and/or hardware that
investigative data and other case-sensitive provides a protective barrier between a computer or
information, we often have access to financial data, computer network and the public Internet. It
confidential records, personnel files, sensitive essentially protects your online gateway and blocks
statistical data, contracts, research information and a unauthorized access to your computer or computer
host of other vital company assets. Every piece of network.
data that we access must be perceived as important Use antivirus software on computers. A computer
and considered a valuable asset, and we must always virus is a program designed to copy itself into other
remain concerned about the safety and integrity of programs stored in a computer, infecting and
that data. potentially damaging the files that receive it. Some
The corporate world has been hit by a wave of viruses are mild, while others are very destructive
security issues in recent years, exposing severe and can wipe out a computers memory or even
weaknesses in the strategic practices of the business cause more severe damage. Anti-virus software
community to deal with the protection of information continuously scans your computer looking for
assets. Organizations of all sizes can fall victim to viruses, and also checks incoming email and
what amounts to poor security planning, improperly websites for potential threats. Updates must be
handling data and exposing their entire company performed regularly in order to stay current and
assets to potential breaches. Each of us ultimately effective.
represents a link in the security chain, carrying a Use spyware protection on computers. Spyware is
critical responsibility to maintain the safety and computer software that is covertly used to gather
integrity of this information. Safeguarding sensitive personal information as well as monitor user
data is more than good business, it is a professional activity and surfing habits; but can also have other
responsibility. potentially harmful consequences such as installing
A sound data security plan is built on several additional software, redirecting Web browser
key principles. First of all, take stock in what you activity, accessing websites blindly, changing

7|Data Security Special Report


computer settings, slowing connection speeds and Know how to notify appropriate parties
otherwise damaging or interfering with user immediately in the event that phones, laptops, or
control. Spyware protection must also be updated confidential documents are lost or stolen.
regularly in order to remain effective. Understand the appropriate policies and practices,
Protect passwords! Weak password protocols are a and maintain access to an emergency contact
common security flaw that can increase risks. number.
Change passwords frequently and use a strong Recognize that information security is not just
password that is difficult to guess or decipher. Use about protecting the technologyits also about
a combination of letters, numbers and other protecting physical assets, communications, access
characters. Do not share it with others, and resist saving passwords when prompted to.
Do not open attachments in emails from people or sources that you do not know. Filter out unwanted spam email using spam filter programs when possible. Don't click on anything in a spam email, even to unsubscribe. If possible, don't even open it.
Take precautions when sending sensitive or proprietary information via email. Password protect documents when necessary.
Only allow staff access to the information that they need to do their job. For example, as employees move within an organization, access privileges can follow them and quickly mount. Ensuring that employees only have access to the information appropriate for their current position can be an essential step in avoiding manipulation and/or loss of data.
Do not use shared devices, such as hotel computers, for information that should be protected.
When possible, encrypt any personal information held electronically if it might cause damage or threat if it is lost or stolen. Encryption is the changing of data into code, a procedure that renders the content of a message or file unreadable to anyone not authorized to read it.
Audit data storage for security policy enforcement, access control, and proper destruction of appropriate content on a regular basis. Delete information that is no longer necessary, and disable functionality that you don't need. Do not dispose of old computers until all pertinent information has been securely removed by authorized technology staff or by destroying the hard disk. Ensure that computers and other equipment are appropriately cleansed of information, software, etc., before they are allocated to another employee.
Always lock your computer when you are away from it. Log off and shut down your computer prior to leaving for the day.
Develop and implement appropriate security protocols regarding the use of removable storage devices, such as external hard drives and flash drives. Such devices can hold significant amounts of information, and should be carefully monitored and tightly controlled.

controls and every aspect of our information networks. This would include the physical security of company premises, proper disposal of confidential paper waste, etc. It is also about ensuring that your staff is adequately trained so that they know what is expected of them as well.
It is important to remember that good security practices do not stop when you leave the office every day; you also take them with you when you travel or work remotely. In loss prevention, you have exposure to different personnel at varying levels in the organization. Being an advocate for strong security practices and cascading best practices to those around you helps increase awareness and protect information. Individuals need to realize that companies cannot rely on technology alone to keep a company secure. Information security is really everyone's responsibility.
By capitalizing on opportunities to enhance our knowledge and education, we are making an investment in our own future. To learn more about developing your leadership skills and the certification process, visit losspreventionfoundation.org.
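The access review called for above, where privileges follow employees from role to role and quietly accumulate, can be turned into a repeatable check. The script below is an added example, not code from the report or from any contributor; the roles, rights and staff records are constructed, and the role baselines would in practice come from your own job descriptions and directory.

```python
"""Access-review example: flag entitlements that followed an employee from an
earlier role. All roles, rights and people here are constructed, not from the report."""
from dataclasses import dataclass

# Constructed baselines: the access each position actually needs for its job.
ROLE_BASELINE = {
    "cashier": {"pos_app", "store_wifi"},
    "store_manager": {"pos_app", "store_wifi", "schedule_admin", "cash_office"},
    "lp_investigator": {"cctv_viewer", "case_mgmt", "store_wifi"},
    "hvac_vendor": {"bms_portal"},
}


@dataclass
class Employee:
    name: str
    role_history: list  # oldest first; the last entry is the current role
    entitlements: set   # what the directory/IAM system currently grants


def audit(emp):
    """Compare granted rights with the current role's baseline.

    Returns the rights to remove (each attributed to the earlier role it most
    likely came from, or 'unexplained' if no past role needed it) and any
    baseline rights that are missing."""
    current = emp.role_history[-1]
    needed = ROLE_BASELINE[current]
    remove = {}
    for right in sorted(emp.entitlements - needed):
        source = next((r for r in emp.role_history[:-1]
                       if right in ROLE_BASELINE[r]), "unexplained")
        remove[right] = source
    return {"current_role": current,
            "remove": remove,
            "missing": sorted(needed - emp.entitlements)}


def audit_all(employees):
    """Run the review for every employee, keyed by name."""
    return {e.name: audit(e) for e in employees}


# Constructed sample staff. B moved cashier -> store manager -> LP investigator
# and kept rights from both earlier roles; the vendor account picked up Wi-Fi.
STAFF = [
    Employee("A. Cashier", ["cashier"], {"pos_app", "store_wifi"}),
    Employee("B. Promoted", ["cashier", "store_manager", "lp_investigator"],
             {"pos_app", "store_wifi", "cash_office", "cctv_viewer", "case_mgmt"}),
    Employee("C. Vendor", ["hvac_vendor"], {"bms_portal", "store_wifi"}),
]

if __name__ == "__main__":
    for name, finding in audit_all(STAFF).items():
        print(name, finding)
```

Rights marked "unexplained" (here, a vendor account holding store Wi-Fi access) deserve a closer look than ordinary role carry-over, since no past position accounts for them.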


Cyber Insurance in a New Age of Liability
In the wake of the Target data breach and the age of cyber-everything, many companies, and especially those within the retail industry, are rightly considering whether or not cyber insurance is a worthwhile investment. A number of key variables should be considered when researching and negotiating a cyber liability insurance policy.
Like any burgeoning enterprise, the cyber liability insurance industry is not without its challenges. The market is dynamic, with new vendors entering weekly. Given the field's growth, it lacks the decades of actuarial data that more mature offerings such as traditional liability insurance maintain. This creates a dynamic environment in which premiums vary greatly between providers, and exclusions frequently change.
While a cyber insurance policy should not be used as a catch-all to avoid critical investments in a security team and technology, it can certainly be used to offset the large cost of a data breach response and recovery. One of the benefits of maintaining a policy is the use of the insurance company's resources. These resources can include specialized lawyers to determine disclosure requirements and help fight class-action lawsuits; specialized security personnel to investigate and advise regarding protections before breaches and perform incident response after breaches; and credit monitoring resources to help affected consumers after a breach. In many cases, the insurance companies have negotiated rates for specialized incident response and crisis management services. These discounts alone can save an organization hundreds of thousands of dollars.
That said, there are some basics that all retail organizations should be aware of prior to selecting a cyber insurance policy. First and foremost, due to the liability incurred with processing payment card industry (PCI) data, standard policies for retailers should cover both first-party expenses and third-party liability expenses.
Basic first-party coverage items include:
Expenses related to a cyber investigation
Extortion claims due to data theft
Monetary theft and/or fraudulent monetary transactions
System loss and restoration
The basic third-party coverage items include:
Litigation expenses
Regulatory response costs
Notification costs
Credit monitoring services
Crisis management
Some policies cover business interruption costs as part of their first-party coverage, but in the wake of recent large-scale data breaches, this is becoming harder to define and, in the event of a breach, harder to receive reimbursement for.
The caveat, of course, is that insurance providers are still in the business of making money, and the likelihood of retailers being targets of a data breach is high. Given this paradigm, there are actions organizations should consider to ensure they receive the highest return on the investment of their coverage:
Be aware that all breach-related communications are of interest to the insurer, and ensure that all of those communications, from the onset of the incident, are covered under attorney-client privilege.
Evaluate a variety of providers and compare policies before making a choice.
Ensure that someone within your organization who is familiar with cyber breaches reviews the policy in detail. If necessary, involve your outside counsel in the negotiation process.
Additionally, retailers should be aware of policy exclusions and negotiate coverage for some of the most common. These include ensuring that the policy covers both third-party liabilities as well as first-party expenses, that the plan includes coverage for retroactive breach dates, that the policy has no carve-outs for foreign enemy or terrorist acts, and that the policy extends coverage to subsequent lawsuits stemming from the original breach.
Because networked technology implementations are a mainstay within retail operations of all sizes, thieves will continue to find ways to compromise their security in the interest of monetary gain. The implementation of cyber liability insurance is one way to offset risk and ensure you are fiscally prepared if an incident occurs.

Reaching Beyond Compliance
Building on common ground improves comprehension and enhances professional development. One way to accomplish this is by asking the experts, those with exceptional ability and expertise, to explain concepts, products, and functions in terms that can be easily understood and applied in everyday situations.
Data security is a critical subject that demands the attention of every LP practitioner, and bridging the gap between LP and IT remains essential to our future success. LP Magazine sat down with Paul Murray, senior vice president of product management for Wontok, Inc., to help bring insight into building


these relationships. Wontok's industry expertise is bringing value-added data security services to businesses across the U.S., Europe, and APAC.

What are the biggest hurdles that retailers face when building an effective communications bridge between LP and IT?
Information exchange and collaboration are the key. Loss prevention and IT need to form a partnership with a common language that embraces the financial as well as the technical, especially considering how that pertains to data security. Technology alone won't bridge the gap. Some of the biggest challenges in business are changes to the culture, and the fundamental challenge here is cultural.
We can't allow either of these departments to operate in a silo. Some changes will require IT and LP to work more closely together at a compliance level, which helps build a common language. Working together and having like goals is a natural catalyst for creating a more cohesive working relationship. If the business can implement a smooth and accommodating change in the way these departments work together, the results will follow.

How can LP educate or share intelligence with IT to help keep the business protected?
LP departments typically have excellent intelligence on the human factors that impact the business. Contractors, suppliers, and even staff turnover are all in view of and understood by LP. By bringing IT into the fold, IT will be better armed with potential breach vectors beyond those that originate from the Internet, but are just as dangerous. For example, if there is a process in place for outside vendors gaining access to systems for maintenance, then both LP and IT should be involved in the process. Not only will this approach help to automate the process, but the entire organization will be more alert to any additional data breach vectors that can then be addressed.

What are some ways that IT can educate or share intelligence with LP to improve network protection?
This information exchange should start out simple and avoid becoming overcomplicated. Data security can be a complex topic, but it's critical to remember that a sound understanding does not require a deeply technical comprehension. By gaining clear insight on the basics of sensitive data, how it moves around the network, and how it is stored, LP staff will develop awareness in their day to day. Over time, data will simply become another valuable asset that needs to be protected, similar to merchandise, profits, and brand.

How will the new and interactive technology being introduced into the consumer experience influence the need for LP and IT to work together?
With technology making its way into all industry sectors, there are great benefits to collaboration between LP and IT. Take customer Wi-Fi for example. There are areas of a retail premises that are clearly off limits to customers, such as offices and stock areas. But when we offer customers access to free Wi-Fi while they shop or dine, have we given this the same degree of thought? If your Wi-Fi is on the same network segment as your back office servers, you might as well have customers passing freely through this area. Collaboration on decisions like this not only limits mistakes, but increases awareness and merges responsibility and expertise. Cooperative efforts should also extend to staff training. By enhancing sales training to include more technical information on the equipment being used and how it can be used against us, we may be more adept at thwarting criminal incidents that may have otherwise gone unnoticed.

Why is it so critical for retailers to look beyond compliance to protect the business?
Simply stated, being compliant is not the same as being secure. The retailers recently breached were compliant. We need to go above and beyond these regulatory recommendations, work together, and take the necessary steps to be as secure as we can be if we don't wish to become the next victim.

How Not to Be the Next Target
It started with a simple, innocuous temperature control device from an HVAC vendor. Once inside the outer perimeter, the attackers installed a piece of malware whose code they probably tested on virustotal.com to make sure it hadn't been detected by the 40 or so anti-virus vendors. The malware then spread to every point-of-sale terminal, cleverly collecting credit card information during the millisecond that it was not encrypted, thus defeating industry-standard network perimeter security, anti-virus, and encryption technologies in one fell swoop.
When it was all said and done, Target, the second-largest U.S. retailer with over 1,900 stores and $73 billion in sales, was breached. Hackers stole 40 million cards and information from 70 million consumers. The breach will likely cost Target between $400 million and $2 billion in losses from purchasing identity protections for consumers, paying

for banks to replace credit cards, and fending off litigation.

Looking Ahead
According to Adam Levin of credit.com, it's only going to get worse. The number and scale of data breaches have been growing at epidemic proportions over the last five years, and the common refrain among security experts is, "It's not if you are going to get breached, it's when."
How disastrous are these breaches? While large retailers suffer tremendous financial losses and tarnish to their brand, most will recover. However, the threat is even more acute for smaller retailers who don't have the same IT and security resources, or for online retailers with many similar competitors. For those companies, a data breach could prove fatal, as consumers switch to competitors and never come back.

Chip and PIN, PCI Compliance, and Data Encryption
Starting in October 2015, the payment industry is supposed to move toward a new payment technology (commonly known as chip-and-PIN) that is intended to make the credit card information harder to steal and also shift liability for fraud to merchants who are not chip-and-PIN compliant.
Additionally, the Payment Card Industry Data Security Standard (PCI DSS) sets out a set of requirements to ensure that merchants process, store, and transmit encrypted data in a safe environment. While these measures will help, they won't eliminate the possibility of data being exposed at the point of sale, according to Al Pascual, a senior analyst at Javelin Strategy who has written extensively about data breaches.
It's worth noting that an earlier version of chip-and-PIN was hacked, and that most of these breaches circumvented PCI DSS standards and encryption. Some of these merchants were certified compliant when they were actually infected with malware.
Regardless of what solutions are currently being talked about, one thing is for sure: it won't be a magic bullet, and it won't be enough. Fraud is like a balloon; you squeeze one end and it will expand somewhere else.

Five Steps Merchants Need to Take to Protect Themselves
Secure your perimeter IT network and web-based applications. Your IT network is like your house, and you need to secure the windows, doors, and vents: anywhere you think a thief can come in. Web-based applications are like the mail, cable, electricity, water, gas, and package deliveries that help run your house; anything that needs to come in and out of the house in order to communicate with the outside world.
Be prepared. Prepare yourself with data breach and incident response training. Just as you have disaster preparation, conduct data breach preparation and readiness training by developing processes, training your people, and practicing often. As Mike Brummer, vice president of Experian Data Breach Resolution, explains to bankinfosecurity.com, "Organizations really have fewer excuses why they shouldn't be prepared. It's much more cost effective to prepare, to pay the price and invest upfront, versus paying later."
Buy cyber security insurance. This is a growing field, and insurance companies will also help you focus on what is important and what is financially at risk. The endeavor will help provide you with the discipline to discern what needs to be protected.
Monitor your systems 24/7 for suspicious IT traffic and fraudulent financial traffic. It's not good enough to do periodic audits. Today, you need constant 24/7 monitoring so you can detect breaches faster and take immediate action to stop and mitigate the losses. Just as consumers get alerts from their bank or credit card to verify purchases, often in real time, merchants need to adopt similar technologies to notify them of potential threats.
Finally, have a security forensics team on speed dial. Even better, bring the team in before a breach occurs to understand what they can and can't do for you, and evaluate their skills and expertise before having to use them.
Every merchant we talk to wants a magic bullet to prevent data breaches, but the reality is that such a bullet doesn't exist. These recommendations prepare you to be ready, to be proactive, and to respond better. As Jeff Multz, a security evangelist at Secureworks, said, "Security is a journey, not a destination." It is one that merchants need to undertake to give themselves a fighting chance.

Contributors to this free report include Jacque Brittain, Wendi Whitmore Rafferty, Paul Murray, Canh Tran, and the Loss Prevention Foundation.
