By Chris Stoneff, Lieberman Software
My experience in cyber security tells me that the retail sector probably represents the most fertile ground for cyber criminals. That's because professional hackers understand that retail has never focused on IT security to the extent seen in other industries (like banks or payment processors) that handle customer payment card data.
Security takes a back seat
The business mentality of most retail organizations is to maximize return on investment by controlling costs, driving down prices, and turning over inventory as quickly as possible. Investing in information security to protect private customer financial information seems like a distant afterthought.
Take, for instance, the recent headline-grabbing data breaches at Target and SuperValu, and now possibly Home Depot. The executives at these businesses likely see Wal-Mart and Kroger, respectively, as their biggest threats to profitability. You can bet that not a single executive lost sleep worrying about Russian hackers until after those monumental data breaches occurred.
A big factor in retailers' complacency has been that no amount of negative publicity seems to stop people from buying the retailers' goods for very long. And any blip on the organizations' stock market valuations is only momentary. The retail sector relies on humans' short memories, since within a day or two the most prominent data breaches seem to become yesterday’s news. Most retailers have been right to assume that business will continue normally once they've ridden out a little bad publicity and replaced a few thousand loyalty cards. As a result, there's been too little incentive to treat customers' private data with care.
I think that most consumers would be horrified by the state of IT security at many retailers – especially given that these companies handle millions of payment card transactions daily, and collect a startling depth of private data for targeted marketing campaigns. To get an idea of the reams of sensitive customer data inside retailers' computers, consider that one retailer's data collection process is so deep and precise that the company inadvertently tipped off the father of a teenage girl about his daughter's pregnancy – before she'd told family members.
The hidden value of customer data
When it comes to protecting customers' private data, the retail industry largely falls back on regulatory standards such as PCI-DSS. And in some cases these companies have been perfectly happy to pay the fines associated with non-compliance, rather than fix the problem.
It's a puzzling situation. Despite high-profile data breaches where hackers specifically target retailers like SuperValu and Target, there still seems to be a universal disregard of the poor state of security. You would think that senior IT security professionals working in this industry would make it a top priority to deal with the problem – especially since they are likely to be the first to join the unemployment line after a breach, as we saw when Target's CIO was asked to resign.
If we were to see a major retailer banned from handling payment card transactions for even a limited time, it would definitely serve as a wake-up call – but you can probably forget about this ever happening. Not until a major retailer takes a debilitating blow to its bottom line, its CEO is publicly named and shamed, and a good, old class action lawsuit drains investors' pocketbooks will other retailers wake up and notice.
While retailers might not seem terribly worried about security, as a customer you certainly should be. From a consumer standpoint, the theft of personal data is a significant risk. Whether it's credit card information or your behavioural data, your private information could command a high price on the black market. Personal data of all kinds is the lifeblood of criminals who launch spear-phishing attacks. Building a website to look like a retailer's site and sending out emails offering great deals isn't terribly difficult, and many unsuspecting shoppers could fall for the "great offers" on the fake website. The subsequent theft of a consumer's personal data is the first step toward accessing their bank account.
How to secure customer data
The threat landscape changes every day, cyber criminals are learning and adapting, and every organization has to accept the fact that – at some point – they will almost certainly be compromised. Overdependence on perimeter security tools like firewalls and antivirus means that once the network perimeter is breached, hackers are more likely to gain easy lateral movement inside the network. And while antivirus and intrusion detection systems can react to known threats, they’re of little use against the zero-day attacks launched by sophisticated criminal gangs.
Fortunately, there are practical steps that retailers can take to strengthen security. First, there needs to be increased dialogue between the IT group and corporate management, especially as online shopping becomes a greater part of the revenue stream. Too often IT's warnings about security risks are ignored – sometimes because of the perceived costs associated with implementing solutions. The fact is, most IT departments fail to effectively communicate to executive management the real potential outcomes of lax security – nor do they provide enough security awareness training to those who control the purse strings.
There also needs to be a broadening of the scope of regulatory compliance standards – both in the US and Europe – to cover all personal data, not just information related to bank and credit card transactions. It would also help if these regulatory mandates had teeth. The ineffectiveness of regulations such as PCI-DSS is demonstrated when retailers implement just enough security to “satisfy the auditors”, but never anything more.
Finally, retailers can save themselves – and the rest of us – a lot of grief if they'd simply focus on security fundamentals. If we're to assume that targeted attacks against retailers eventually succeed, and at least some level of intrusion will occur, what happens next? How far into the network can the criminals reach, and how long can they remain there? Retailers must ask – if conventional perimeter security products can't stop advanced cyber attacks, which security solutions can restrict the lateral movement of intruders who do manage to penetrate the network? More importantly, what happens when this unrestricted and anonymous access isn't prevented, or even detected?
Let’s take the notorious Target data breach as an example. That incident will probably end up costing Target several hundred million dollars. It’s amazing to think that for a fraction of that cost – the price of enterprise-level privilege management software – the problem of uncontrolled privileged access to their systems might well have been averted.
Chris Stoneff is director of professional services at Lieberman Software, which provides privilege management and security management products. By automatically locating, securing and continuously auditing privileged identities, both on-premises and in the cloud, Lieberman Software helps protect access to systems with sensitive data. He can be reached at firstname.lastname@example.org.