By Charles Tendell, Azorian Cyber Security
The retail sector has been targeted and damaged by high-profile cyber security intrusions, resulting in a loss of customer confidence and a push by retailers to upgrade their security in the constant battle against criminal hackers. Threats exist at multiple points in the retail chain, from point-of-sale systems and online purchasing to employee access to sensitive information. It is part of a broader trend: research by the Ponemon Institute indicates that the personal information of nearly half of all Americans has been exposed by hackers in the past year.
There are two strategies that, when combined, will help the retail sector fight cyber crime more effectively. The first goes against the traditional thinking of business leaders: sharing information more actively with competitors. Through industry association leadership and respected figures in the retail sector, the industry can come to understand that there is strength in numbers and cooperation. There is no benefit in hoarding useful information and best practices when, next time around, it may be one's own organization that needs what others have learned. Retailers face a common enemy in criminal hackers, and it makes good sense to team up as an industry.
The second strategy is to become more proactive and aggressive in identifying cyber threats ahead of time, while those threats are still being developed. The retail sector, like most industries, lags behind attackers because attackers focus on one task and refine it constantly, while many retailers are still learning the distinction between traditional IT security and what it takes to defeat an active adversary.
One baseline tool retailers must implement is penetration testing: ongoing self-evaluation of systems, processes and policies in an effort to stay ahead of the curve. A penetration test, however, measures exposure at a point in time against techniques already known to the tester, so it alone cannot identify new threats ahead of time. Active threat intelligence is needed to fill that gap and make a security programme genuinely dynamic. Retail breaches often go unnoticed by the company and its customers until weeks or months after the intrusion, by which time the damage is far greater.
Active Threat Intelligence
Retailers should monitor the 'deep web' to identify emerging threats, such as point-of-sale malware, the latest credit card skimming techniques and a wide range of Trojan horses, before criminal hackers deploy them. Only by staying ahead of the curve on a constant basis do retailers have a chance of combating these and other malicious activities. It is similar to a tornado warning: even a little notice goes a long way. Having time to understand each threat and prepare defenses is the key to staving off attacks.
This type of aggressive security work is not typically done by a traditional IT department but by ethical hackers, who work and lurk in the same places as criminal hackers but use their knowledge to protect businesses and consumers rather than harm them. Ethical hackers monitor and participate in message boards, chat rooms and other online forums, as well as hacking conferences, where the most current information on what is coming next appears before those techniques are used against businesses and consumers. This is how ethical hackers create the warning time needed to put defenses in place.
Proactive, stringent internal policy and clear employee communication are also important, since employee mistakes and malicious behaviour can be highly damaging. These risks can be reduced by sound policies and clear communication about them. There is also a deterrent effect when retailers make it clear to employees that cyber security is a priority and back that up with action. Important internal policies include: written confidentiality agreements with clear descriptions of the consequences for wilful breaches; access to information granted on the basis of role and need to know; a sound IT structure to manage issues such as mobile devices connecting to company systems; and ongoing communication with employees through multiple channels.