Common Sense + High Tech = Data Security
When talk turns to preventing the type of data breaches that have recently put several major retailers in the news for all the wrong reasons, the discussion focuses almost exclusively on what type of technology should be employed. IT is certainly a cornerstone of any retailer’s data security defense, but as explained in a Tech Boot Camp session at Chain Store Age’s 50th annual SPECS conference, a dose of common sense also goes a long way toward preventing unwanted visitors from entering your company’s network.
Bryan Sartin, director of the risk team at Verizon, told SPECS attendees that too often, retailers fail to focus on the real question raised by data breaches: How did malware get into the network, make its way to get the data, and then bring it back out? By applying some common sense to how technology security is applied, retailers can stop malware before the need to answer this question arises.
Cutting Off Cyber Attacks at the Source
According to Sartin, one simple and effective means of limiting the chances of a data breach is to recognize the geographical nature of these attacks. He told the audience that nearly eight in 10 cyber attacks originate in Eastern Europe, with 58% coming from Romania, 12% from Armenia and 8% from Russia.
“You can mitigate the vast majority of attacks by blocking out parts of the world where you don’t do business,” said Sartin. “The technology and knowhow has been around since the mid-1980s.”
Some U.S.-based retailers may do business with Eastern Europe and not be able to automatically block all digital traffic originating from that part of the world, but the larger principle remains valid. Most things in life follow certain patterns and originate in similar ways. Look for any and all patterns in how suspicious cyber activity in your network originates, and use technology to detect those patterns and cut the activity off at the source.
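As an added illustration of the pattern review described above (example code, not from the SPECS session or any vendor), the following Python sketch tallies accepted inbound connections by country of origin and lists the sources that fall outside the regions where the retailer does business. The GeoIP table, the log format, the allowlist and the function names are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed GeoIP table (RFC 5737 documentation ranges); real use needs a GeoIP database.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "RO"),
    (ipaddress.ip_network("203.0.113.0/25"), "CA"),
    (ipaddress.ip_network("203.0.113.128/25"), "RU"),
]
# Assumption: the retailer only does business in these countries.
BUSINESS_COUNTRIES = {"US", "CA"}
# Constructed perimeter log lines: "<timestamp> <src_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2014-03-14T02:11:09Z 198.51.100.23 3389 ALLOW
2014-03-14T02:11:15Z 192.0.2.45 443 ALLOW
2014-03-14T02:12:40Z 198.51.100.23 3389 ALLOW
2014-03-14T02:13:02Z 203.0.113.200 22 ALLOW
2014-03-14T02:15:00Z not-an-ip 443 ALLOW
"""

def country_of(ip_text):
    """Return the country code for an address, or 'UNKNOWN' if unmapped or malformed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "UNKNOWN"
    for net, cc in GEO_TABLE:
        if ip in net:
            return cc
    return "UNKNOWN"

def review(log_text, allowed=BUSINESS_COUNTRIES):
    """Count accepted connections per country and per out-of-region source."""
    per_country = Counter()
    offenders = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "ALLOW":
            continue
        cc = country_of(fields[1])
        per_country[cc] += 1
        if cc not in allowed:  # fail closed: unmapped sources are flagged too
            offenders[fields[1]] += 1
    return per_country, offenders

if __name__ == "__main__":
    totals, offenders = review(SAMPLE_LOG)
    print(dict(totals), dict(offenders))
```

The per-source counts are the candidates for a block rule; the per-country totals show whether a blanket regional block would also cut off legitimate traffic.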
It Takes Two Factors to Get It Right
Sartin pointed out that allowing third parties remote access to your network is another major entry point for hackers. Desktop sharing programs, as well as virtual private network links that allow outside access to your internal systems, are both common sources of malware and other cyber attacks.
In today’s collaborative business environment, allowing this type of remote access is often necessary. Fortunately, the use of two-factor authentication can help greatly reduce the innate risk associated with giving outside parties access to your network. To use the well-known example of criminals using phony vendor credentials to enter the Target network through a dedicated VPN link, if those credentials had been bolstered with the requirement of a PIN not stored on the vendor PCs, the attack would have never happened.
Mind the Store
When it comes to the popular “skimming” technique of criminals tampering with card readers so the swipe delivers financial data to them, basic store-level surveillance and loss prevention technologies can be highly effective preventative tools. Skimming generally requires the manual altering of the card reading hardware, often with the assistance of dishonest store personnel. Video monitoring, POS-level security systems that can include biometric identification, and even basic alarm technology can all greatly reduce the opportunity for thieves to gain unauthorized access to card readers, whether they come from inside or outside your organization.
Technology cannot stop data breaches by itself, and neither can common sense. Even when combined they will not stop every single attempt to steal your customers’ personal and financial data, but they can stop the vast majority of them.
Starbucks, Downtown Disney, Anaheim, Calif.
The Disney and Starbucks brands provide design inspiration for the coffee giant’s first company-run location on Disney property in the United States. The 5,600-sq.-ft. store, at Downtown Disney in Anaheim, Calif., uses customized content and technology to engage and inform, from a video installation that documents the Starbucks story to an interactive digital chalkboard that customers of all ages can draw and write on.
Built to LEED (Leadership in Energy and Environmental Design) standards, the location also has an expansive outdoor patio designed around a large tree. A living, green wall with more than 1,000 native plants in the shape of a coffee cup serves as a backdrop.
“This store is a reflection of two iconic brands coming together to offer their customers the kind of high quality experience they expect in a way that embodies the unique passion of each,” said Arthur Rubinfeld, chief creative officer and president, global innovation for Starbucks. “Collaborating with Disney offered us the opportunity to create a unique moment of connection for our customers in a way that evokes the magic that their guests expect.”
Design: Starbucks In-House Design Team, Seattle.
Photos: Matthew Glac
Target acknowledges it ignored early signs of breach
New York — Target Corp. acknowledged its security software picked up on suspicious activity after a cyber attack was launched, but it decided not to take immediate action. The chain also advised that its security breach last year could be even more extensive than reported so far, Reuters reported.
“Our investigation of the matter is ongoing and it is possible that we will identify additional information that was accessed or stolen, which could materially worsen the losses and reputational damage we have experienced,” the company said in its 10-K annual report filed with the Securities and Exchange Commission on Friday.
On Thursday, Bloomberg reported Target’s security team in Bangalore, India, received security alerts on Nov. 30 that suggested malicious software had appeared in its network. It then flagged the security team at its home office in Minneapolis.
“Like any large company, each week at Target there are a vast number of technical events that take place and are logged,” said Target spokeswoman Molly Snyder in a statement. “Through our investigation, we learned after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up.”
She added: “With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different.”