Seems like another retailer announces a data breach every day and each is worse than the one before. Target and Home Depot seem like a distant memory since Equifax, Uber and a dozen more in the past few months. We all know standard security is broken, but what can we do about it?
Most retailers already implement best practices like rotating passwords, requiring multi-factor authentication (MFA) and notifying customers of suspicious behavior. While these sound great on paper, they aren’t enough. To actually reduce the threat of a breach, retailers have to do more:
1. Don’t Wait Until You’re Breached
Because more than 80% of consumers reuse passwords, your customers' accounts can be compromised even if your own systems were never breached. Take preventative measures by continually checking public databases of known compromised credentials, such as haveibeenpwned.com. If credentials used by your customers turn up there, freeze the affected accounts right away, initiate a password reset, and require stronger verification before the account is reactivated. Standard authentication questions may no longer work if attackers already have access to the customer's other accounts.
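The check described above can be automated without ever sending a customer's password off-host. The following is an added example, not code from the article or from strongDM: it uses the Pwned Passwords "range" endpoint of haveibeenpwned.com, which takes only the first five hex characters of the password's SHA-1 and returns every leaked hash suffix sharing that prefix (the k-anonymity scheme). The sample response, the counts in it, the `fake_fetch` stand-in and the `recommended_action` policy are constructed for this example; the endpoint URL and the `suffix:count` response format are the real ones.

```python
import hashlib
import urllib.request

# Constructed stand-in for a Pwned Passwords range response (not a real capture).
# The live endpoint returns one "<35-hex-char SHA-1 suffix>:<count>" line per
# leaked hash that shares the requested 5-character prefix. The first suffix is
# the genuine SHA-1 suffix of the string "password"; the counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0E1A2C3D4E5F60718293A4B5C6D7E8F9A0B:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def hash_split(password: str):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Query the live k-anonymity endpoint. Only the 5-char prefix leaves the host."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-credential-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range, serving the constructed sample above."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times this exact password appears in the breach corpus (0 = not found)."""
    prefix, suffix = hash_split(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def recommended_action(password: str, fetch=fetch_range) -> str:
    """Policy from the article: a known-compromised credential is frozen, reset and
    re-verified with stronger checks; anything else is allowed through."""
    if breach_count(password, fetch) > 0:
        return "freeze-account,force-reset,step-up-verification"
    return "allow"


if __name__ == "__main__":
    # Offline demonstration using the constructed response.
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fake_fetch), recommended_action(pw, fake_fetch))
```

Run this check at registration, at login and as a scheduled sweep over stored password hashes is not possible (the API needs the plaintext to hash), so in practice it runs at the moment the customer types the password; the `fetch` parameter exists so the policy logic can be tested without network access.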
2. Training Can’t Be One And Done
Hackers are constantly trying to discover new ways to penetrate your systems. That means your team needs to work just as hard.
Most of us can barely remember what we had for breakfast, let alone every security best practice. That’s why training is a never-ending process to ensure staff remain vigilant. Schedule training sessions every quarter to keep security top of mind. Overcome short attention spans by keeping sessions short (no more than an hour).
Minimize jargon and focus instead on the practical situations your staff will regularly encounter. Share real-world examples of incidents like this one, in which attackers impersonated fellow employees to gain control of accounts. Just because a caller's number appears to be from corporate, don't assume that's actually the case.
Don’t take training for granted. Conduct random drills throughout the year and publicize results. A little friendly shaming serves as a reminder that we all make mistakes.
3. Do You Know Who Did That?
In the aftermath of an incident, you'll need to ask engineers "do we have logs?" to find out who did what, when, and where. Logs are machine-generated records of actions taken on a database or server. But not all logs are equal. Some record sessions without the ability to attribute an action to a specific employee. Others do not record specific actions at all, indicating only that a database was accessed.
Don’t just accept a simple “yes.” If logs are incomplete, inaccessible or insufficiently detailed to identify who did what to compromise a database, you’ll never be able to isolate and contain a breach in time to prevent damage.
Insist that logs are standardized across your entire infrastructure so that you have the forensic evidence necessary to investigate suspicious behavior.
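A concrete way to test whether logs actually answer "who did what, when, and where" is to define the fields an attributable record must carry and measure how much of the log meets that bar. The example below is added here and is not the article's or strongDM's code; the five-field schema, the set of shared accounts and the sample log lines are all constructed for illustration. It covers the three deficiencies the text names: records with no actor, records that open a session but name no action target, and records under a shared account that cannot be tied to one employee.

```python
import json

# Constructed minimum schema for an attributable audit record (this example's
# choice, not a standard the article prescribes): when, who, what, on what, from where.
REQUIRED_FIELDS = ("ts", "actor", "action", "target", "src_ip")

# Shared or service accounts: the action is recorded, but no person can be named.
SHARED_ACCOUNTS = {"root", "dbadmin", "app"}

# Constructed sample log, one JSON object per line, mixing complete and deficient records.
SAMPLE_LOG = """
{"ts":"2017-11-01T10:00:01Z","actor":"alice@example.com","action":"SELECT","target":"orders.customers","src_ip":"10.1.2.3"}
{"ts":"2017-11-01T10:00:05Z","actor":"dbadmin","action":"UPDATE","target":"orders.customers","src_ip":"10.1.2.9"}
{"ts":"2017-11-01T10:00:09Z","actor":"bob@example.com","action":"session_open","src_ip":"10.1.2.4"}
{"ts":"2017-11-01T10:00:12Z","action":"DELETE","target":"orders.payments","src_ip":"10.1.2.5"}
not a structured record at all
"""


def check_record(line: str) -> list:
    """Return the list of attribution problems for one log line; empty means attributable."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable"]
    problems = [f"missing:{f}" for f in REQUIRED_FIELDS if f not in rec]
    if rec.get("actor") in SHARED_ACCOUNTS:
        problems.append("shared-account")
    return problems


def audit_coverage(log: str) -> dict:
    """Summarise how much of the log could be used as forensic evidence."""
    summary = {"total": 0, "attributable": 0, "problems": {}}
    for line in log.splitlines():
        if not line.strip():
            continue
        summary["total"] += 1
        probs = check_record(line)
        if not probs:
            summary["attributable"] += 1
        for p in probs:
            summary["problems"][p] = summary["problems"].get(p, 0) + 1
    return summary


def who_touched(log: str, target: str) -> list:
    """The investigator's question: list (ts, actor, action) for every record on a target.
    Actors on shared accounts are reported as such so the gap is visible, not hidden."""
    hits = []
    for line in log.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("target") != target:
            continue
        actor = rec.get("actor", "<no actor recorded>")
        if actor in SHARED_ACCOUNTS:
            actor = f"<shared account: {actor}>"
        hits.append((rec.get("ts"), actor, rec.get("action")))
    return hits


if __name__ == "__main__":
    print(audit_coverage(SAMPLE_LOG))
    for row in who_touched(SAMPLE_LOG, "orders.customers"):
        print(row)
```

Running `audit_coverage` regularly over each system's logs, and alerting when the attributable share drops, turns "insist that logs are standardized" into something measurable before an incident rather than a discovery made during one.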
4. Nobody Likes Working With A Grump
Traditionally, security teams solve problems by saying "No, you don't need access to that" or "If you do, we're going to make you jump through a thousand hoops." The end result is an antagonistic culture that encourages engineers to find workarounds, which means there are security holes your team doesn't even know about.
Instead, start by changing the security culture. Etsy’s InfoSec team regularly hands out candy to win over engineers. Try picking up bar tabs or offering a bug bounty: reward developers who find flaws with items like T-shirts and gift cards.
The goal is to build trust and personal relationships between teams so that people want to naturally work together.
5. Don’t Forget The Day After
Incident response is something you hope to never need, but when you do, you can’t afford delays. Put a plan in place now so that you’re ready to react in real time.
Create an incident response team with one representative from security, engineering, legal and account management teams. Define the responsibility, reporting structure and communication channels in advance. The chaos of an incident is distracting enough; you don’t want to compound it with any confusion.
Security and engineering representatives will coordinate the investigation to identify affected systems and users; contain and remediate the damage; collect evidence; and identify the root cause.
The legal representative will be responsible for determining liability and identifying which, if any, regulators must be notified. In the United States, there are 49 different jurisdictions with different incident response requirements.
Once the scope of the breach is determined, the account management representative will run point on communication. To avoid any unnecessary delays, templated emails should be prepared in advance for all constituencies: customers, internal stakeholders and vendors.
Today, we must approach data breaches as if they were inevitable. It’s a question of when, not if. While these steps won’t eliminate the risk of a breach, they can help reduce the damage done.
Schuyler Brown is Co-Founder and CMO of strongDM, the authentication layer for all database access. Previously, he oversaw both Corporate and Product Marketing for Nomi. In his spare time, Brown is the host of Founders@Fail and author of Inc.com’s “Failing Forward” column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His own experience with startups began as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He holds a BA and MBA from Columbia University.
Manisha Singh is a Marketing Analyst at strongDM. In 2017 Singh was honored as a recipient of the Priya Haji Fellowship at True Ventures in recognition for her leadership. Previously she served as Managing Director of MakerGirl, a social purpose venture and STEAM initiative that has inspired over 3,000 young girls around the country to be unstoppable forces. She holds a BA from the University of Illinois at Urbana-Champaign.