The massive breach of Target's data security systems in late 2013 surprised many customers who have come to take the safety of electronic transactions for granted. To insiders following consumer data theft, however, it came as less of a revelation. To them, the Target breach merely served as a painful reminder of the relative weakness of data security systems in the American retail industry. As retailers have expanded their operations across a broader variety of platforms, they have too often neglected to establish necessary safeguards on the information transmitted across those platforms. Where customers see greater convenience, sophisticated hackers see new opportunities.
The Target breach, while no doubt extraordinary — the company estimated that 40 million credit and debit card accounts were impacted — was by no means an isolated incident. Nearly half of the retailers who participated in a recent survey by PricewaterhouseCoopers reported breaches of their data security systems over the prior 12 months. While the industry is responding — retail companies will increase spending on data security by 5.7% in 2014, according to IDC Retail Insights — it still lags behind the banking and healthcare industries in security spending, and is failing to keep pace with the proliferation of new threats to consumer data that retailers are charged with safeguarding. By one estimate, data security represents only two percent of the retail industry's total technology budget.
While it is clear that retailers must devote more resources toward combating data security threats, they also will be better served by developing a comprehensive, flexible strategy that will enable them to respond to the ever-evolving data-security landscape. Here’s how retailers — of all shapes and sizes — should structure their approach.
Protect Data Within The Retailer's Control
First and foremost, retailers must ensure the security of consumer data within their own network. They must recognize that that network goes well beyond point-of-sale machines and company servers, extending — this being 2014 — to mobile devices and the cloud. These platforms are just as much a part of a retailer's in-house network as its in-store transmission systems, and thus equally deserving of the attention of data security managers. To date, however, retailers have been slow to adapt their security programs to the realities of modern technology: only about half have strategies in place for securing data across mobile devices, social media and the cloud, according to the PricewaterhouseCoopers survey.
Retailers should regularly monitor and test their networks so that they can detect malware that has already gotten past the perimeter, since prevention alone will not stop every intrusion. There's an apt lesson here from the Target breach: the company's antivirus tools failed to detect active malware on its point-of-sale machines even after it discovered the breach.
Retailers should also strive to be more proactive when it comes to monitoring threats, gathering intelligence about looming threats rather than merely fending off attacks as they occur.
Perhaps the most cost-effective solution retailers can implement to limit their exposure to customer data theft is deleting information from their systems when it is no longer needed, rather than storing it in perpetuity. Would-be hackers can't access information that is no longer in the system.
Protect Data At Processing Partners' Facilities
Equally important is ensuring the security of data once it passes to partners' networks. While retailers may be tempted to turn a blind eye to the data-security practices of partner marketing vendors, payment clearinghouses, and credit bureaus, ultimately it is the retailer's responsibility to ensure the security of consumer data (and the retailer that will ultimately take the public blame). Only about one-third of retailers surveyed by PricewaterhouseCoopers responded that they were "very confident" in their partners' data-security systems — not exactly a ringing endorsement. There's not much point in establishing rigorous internal security standards if retailers don't hold their partners to the same lofty standards.
This will require retailers not only to assess the effectiveness of their partners' systems, but also to compare notes and collaborate with partners to ensure the protection of information across the entire data stream. Businesses naturally tend to keep information about internal procedures close to the vest, but our increasingly complex computing environment calls for collaboration and a united front against external security threats.
This goes for competing retailers, as well — the more retailers collaborate to develop strategies and share lessons learned, the better the industry as a whole will get at protecting consumers' data. Getting past the proverbial bunker mentality will help retailers to strengthen their own systems, and companies will reap the benefits of a more secure industry in the form of increased consumer trust.
Protect Data In Transit
Data security is not merely a matter of building higher walls around the fortress. Rather, retailers must craft strategies to fit the fluid way in which consumer information is exchanged today. The near-perpetual flow of data requires protection of consumer data as it moves across open public networks, to partners, even between sections of a retailer's internal network.
A retailer should ensure that all of its network connections are protected behind a firewall, which controls what traffic is allowed between internal and external networks, as well as between different zones of the company's own internal network. Breaches often start across the more minor connections, so firewalls are essential at every point of entry: employee internet access, business-to-business links, wireless networks, and so on. The retailer should segment the cardholder data environment from the rest of its systems, so that a compromise of an office workstation or a vendor connection cannot reach point-of-sale hosts, and should send data only over connections that use trusted keys and certificates and strong encryption. (The Payment Card Industry Data Security Standard is a good reference for more detail on this topic.)
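To make the segmentation point concrete, here is an added example (not code from the original article or from any vendor mentioned in it) that models a first-match firewall policy with default deny and audits whether any non-cardholder zone can reach the cardholder data environment. The zone addresses, rule names, jump host and acquirer address are all constructed for illustration; 203.0.113.0/24 is a documentation range, not a real payment gateway. The "loose" policy shows the kind of hole a broad allow rule opens when it is evaluated before the zone boundary rule; the "segmented" policy shows the same rules with the boundary enforced first.

```python
"""Zone-segmentation check: first-match firewall policy with an implicit default deny.

Added example with constructed zones and rules; not a real retailer's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


def rule(name: str, src: str, dst: str, port: Optional[int], action: str) -> Rule:
    return Rule(name, ipaddress.ip_network(src), ipaddress.ip_network(dst), port, action)


# Hypothetical zones (constructed for this example).
ZONES = {
    "cde":    "10.10.0.0/24",   # POS terminals and payment switch
    "corp":   "10.20.0.0/16",   # office workstations, mail, file shares
    "vendor": "10.30.0.0/24",   # business-to-business VPN landing zone (HVAC, signage vendors)
    "guest":  "10.40.0.0/24",   # in-store customer wireless
}
ACQUIRER = "203.0.113.10/32"    # hypothetical payment gateway (documentation address)
JUMP_HOST = "10.20.5.5/32"      # the only corporate host allowed to administer the CDE
ANY = "0.0.0.0/0"

# Looks reasonable but leaks: the broad corp->internet rule matches before anything
# says "not into the CDE", so any corporate workstation reaches POS hosts on 443.
LOOSE_POLICY: List[Rule] = [
    rule("pos-to-acquirer",      ZONES["cde"],  ACQUIRER,     443,  "allow"),
    rule("corp-to-internet-web", ZONES["corp"], ANY,          443,  "allow"),
    rule("jump-to-cde-ssh",      JUMP_HOST,     ZONES["cde"],  22,  "allow"),
    rule("block-into-cde",       ANY,           ZONES["cde"], None, "deny"),
]

# Same rules with the CDE boundary enforced before the broad allow, plus an egress
# block so a compromised POS host cannot talk to anything but the acquirer.
SEGMENTED_POLICY: List[Rule] = [
    rule("pos-to-acquirer",      ZONES["cde"],  ACQUIRER,     443,  "allow"),
    rule("jump-to-cde-ssh",      JUMP_HOST,     ZONES["cde"],  22,  "allow"),
    rule("block-into-cde",       ANY,           ZONES["cde"], None, "deny"),
    rule("block-out-of-cde",     ZONES["cde"],  ANY,          None, "deny"),
    rule("corp-to-internet-web", ZONES["corp"], ANY,          443,  "allow"),
]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action, r.name
    return "deny", "default-deny"


def paths_into_cde(policy: List[Rule],
                   ports=(22, 80, 443, 445, 3389)) -> List[Tuple[str, int, str]]:
    """Audit: which non-CDE zones reach a CDE host on common service ports, and via which rule."""
    target = str(ipaddress.ip_network(ZONES["cde"])[10])   # an arbitrary POS terminal
    found = []
    for zone, cidr in ZONES.items():
        if zone == "cde":
            continue
        probe = str(ipaddress.ip_network(cidr)[10])         # an arbitrary host in that zone
        for p in ports:
            action, via = evaluate(policy, probe, target, p)
            if action == "allow":
                found.append((zone, p, via))
    return found


if __name__ == "__main__":
    for label, policy in (("loose", LOOSE_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(label, "paths into CDE:", paths_into_cde(policy) or "none")
```

Running the audit over the loose policy reports the corporate zone reaching the CDE on port 443 through the internet-access rule; over the segmented policy it reports nothing, while the POS-to-acquirer and jump-host paths still work. The same check is worth running against a real firewall's exported rule base, because rule order, not just rule content, decides whether a vendor or office segment can reach point-of-sale hosts.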
The new business opportunities presented by our modern retail environment bring with them heightened responsibilities in managing the data within that environment. There is no question that retailers have some catching-up to do, but a clear, focused data-security strategy can go a long way toward closing the gap.
Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.