By Matthew Goche, Sungard Availability Services
Home Depot. Jimmy Johns and Wendy’s. REI. The list of familiar retailers falling victim to cybercrime grows practically daily. To many security experts, it’s no longer a question of whether you’ll suffer a data breach, but when it will erupt. No retail sector is immune to today’s sophisticated attacks.
Just examine the stats. Between 2005 and September 2014, 4,781 breaches occurred, exposing more than 640 million records – more than double the American population. The pace has picked up in 2014, climbing 14 percent to 533 breaches, reports the Identity Theft Resource Center, which is tracking one of the worst years on record for high-profile retailer breaches.
Retailers are especially appealing to hackers and cyber crooks for several reasons. Many retail locations are managed and run by non-IT people who don’t understand the potential risks of cybercrime or the role each person must play in improving physical and access security. For retailers, a major penetration point for cyber thieves is the check-out register, where customers use credit cards to pay for purchases. Retail websites are another potent avenue for hackers, and even third-party vendors can become the entry point to a retailer if they can access its online network.
And the damages go way beyond the financial ones, which themselves can be huge. Just ask Target. A retailer that suffers a data breach can lose customers and damage its reputation and trust – and they’re often the hardest to restore. It all adds up to lost revenue.
Plus, no retail executive is exempt from the repercussions of a cybercrime. A chief marketing officer stands to suffer damage to the retailer’s brand and reputation. A chief financial officer will likely face a financial impact for any number of causes; a chief operating officer can expect operational risks due to outages and downtime; and the general counsel may see legal ramifications from regulators and stakeholders. As for CEOs, they could see the viability of the business – and their job – in jeopardy if the loss is too damaging.
So what can a retailer do to try to prevent or mitigate a data breach? Here are some suggested steps:
- Conduct what is called a “gap analysis” or a compliance examination to identify security needs. This determines the variance between the current IT environment and a hardened, compliant IT environment, and results in a tactical “get-well” plan to drive improvement.
- Develop an overarching information security program that governs the processes that keep the IT environment secure.
- Focus on prescriptive standards, such as the Payment Card Industry Data Security Standard (PCI DSS), that apply to computerized information systems.
- Perform periodic compliance validations to ensure security does not degrade over time.
- Employ Managed Security Service Providers supported by 24/7 security experts to augment current resources.
- Leverage a trusted managed services provider to handle the difficult operational security tasks such as patching, DDoS protection and anti-virus.
Plan, prepare, practice and protect. Let the four Ps serve as a guide to persevere and prevent.
Matthew Goche is Director of Security Consulting at Sungard Availability Services.