Data Security
How can LP educate or share intelligence with IT to help keep the business protected?

LP departments typically have excellent intelligence on the human factors that impact the business. Contractors, suppliers, and even staff turnover are all in view of and understood by LP. By bringing IT into the fold, IT will be better armed with potential breach vectors that do not originate from the Internet but are just as dangerous. For example, if there is a process in place for outside vendors gaining access to systems for maintenance, then both LP and IT should be involved in that process. Not only will this approach help to automate the process, but the entire organization will be more alert to any additional data breach vectors, which can then be addressed.

What are some ways that IT can educate or share intelligence with LP to improve network protection?

This information exchange should start out simple and avoid becoming overcomplicated. Data security can be a complex topic, but it's critical to remember that a sound understanding does not require a deeply technical comprehension. By gaining clear insight into the basics of sensitive data, how it moves around the network, and how it is stored, LP staff will develop awareness in their day-to-day work. Over time, data will simply become another valuable asset

Why is it so critical for retailers to look beyond compliance to protect the business?

Simply stated, being compliant is not the same as being secure. The retailers recently breached were compliant. We need to go above and beyond these regulatory recommendations, work together, and take the necessary steps to be as secure as we can be if we don't wish to become the next victim.

How Not to Be the Next Target

It started with a simple, innocuous temperature control device from an HVAC vendor. Once inside the outer perimeter, the attackers installed a piece of malware whose code they probably tested on virustotal.com to make sure it hadn't been detected by the 40 or so anti-virus vendors. The malware then spread to every point-of-sale terminal, cleverly collecting credit card information during the millisecond that it was not encrypted, thus defeating industry-standard network perimeter security, anti-virus, and encryption technologies in one fell swoop.

When it was all said and done, Target, the second largest U.S. retailer with over 1,900 stores and $73 billion in sales, was breached. Hackers stole 40 million cards and information from 70 million consumers. The breach will likely cost Target between $400 million and $2 billion in losses from purchasing identity protections for consumers, paying for banks to replace credit cards, and fending off litigation.

10 | Data Security Special Report

Looking Ahead

According to Adam Levin of credit.com, it's only going to get worse. "The number and scale of data breaches have been growing at epidemic proportions over the last five years, and the common refrain among security experts is, 'It's not if you are going to get breached, it's when.'"

How disastrous are these breaches? While large retailers suffer tremendous financial losses and tarnish to their brand, most will recover. However, the threat is even more acute for smaller retailers who don't have the same IT and security resources, or for online retailers with many similar competitors. For those companies, a data breach could prove fatal, as consumers switch to competitors and never come back.

Chip and PIN, PCI Compliance, and Data Encryption

Starting in October 2015, the payment industry is supposed to move toward a new payment technology (commonly known as chip-and-PIN) that is intended to make credit card information harder to steal and also to shift liability for fraud to merchants who are not chip-and-PIN compliant.

Additionally, the Payment Card Industry Data Security Standard (PCI DSS) has issued a set of requirements to ensure that merchants process, store, and transmit encrypted data in a safe environment. While these measures will help, they won't eliminate the possibility of data being exposed at the point of sale, according to Al Pascual, a senior analyst at Javelin Strategy who has written extensively about data breaches.

It's worth noting that an earlier version of chip-and-PIN was hacked, and that most of these breaches circumvented PCI DSS standards and encryption. Some of these merchants were certified compliant when they were actually infected with malware.

Regardless of what solutions are currently being talked about, one thing is for sure: it won't be a magic bullet, and it won't be enough. Fraud is like a balloon; you squeeze one end and it will expand somewhere else.

Five Steps Merchants Need to Take to Protect Themselves

Secure your perimeter IT network and web-based applications. Your IT network is like your house, and you need to secure the windows, doors, and vents: anywhere you think a thief can come in. Web-based applications are like the mail, cable, electricity, water, gas, and package deliveries that help run your house; anything that needs to come in and out of the house in order to communicate with the outside world.

Be prepared. Prepare yourself with data breach and incident response training. Just as you have disaster preparation, conduct data breach preparation and readiness training by developing processes, training your people, and practicing often. As Mike Brummer, vice president of Experian Data Breach Resolution, explains to bankinfosecurity.com, "Organizations really have fewer excuses why they shouldn't be prepared. It's much more cost effective to prepare, to pay the price and invest upfront, versus paying later."

Buy cyber security insurance. This is a growing field, and insurance companies will also help you focus on what is important and what is financially at risk. The endeavor will help provide you with the discipline to discern what needs to be protected.

Monitor your systems 24/7 for suspicious IT traffic and fraudulent financial traffic. It's not good enough to do periodic audits. Today, you need constant 24/7 monitoring so you can detect breaches faster and take immediate action to stop and mitigate the losses. Just as consumers get alerts from their bank or credit card to verify purchases, often in real time, merchants need to adopt similar technologies to notify them of potential threats.

Finally, have a security forensics team on speed dial. Even better, bring the team in before a breach occurs to understand what they can and can't do for you, and evaluate their skills and expertise before having to use them.

Every merchant we talk to wants a magic bullet to prevent data breaches, but the reality is that bullet doesn't exist. These recommendations prepare you to be ready, to be proactive, and to respond better. As Jeff Multz, a security evangelist at Secureworks, said, "Security is a journey, not a destination. One that merchants need to undertake to give them a fighting chance."

Contributors to this free report include Jacque Brittain, Wendi Whitmore Rafferty, Paul Murray, Canh Tran, and the Loss Prevention Foundation.