They say there is nothing new under the sun, and with respect to data breach incidents, the saying is mostly true. In fact, the most successful data breach methods from last year are still among the key methods being used this year. But there are several steps retailers can take to avoid data breaches, or at the very least mitigate their impact.
Retail TouchPoints spoke to Chris Novak, Director of Investigative Response, Verizon Enterprise Solutions and author of the Verizon Data Breach Study, who revealed that a retailer’s greatest asset is its employees. In fact, the simple act of communication with, and among, store associates about the appropriate response to a data breach can be what separates a retailer from the potential loss of millions of dollars — not to mention long-term damage to the company’s reputation. It’s also vital to close security gaps quickly once they are discovered, given that 90% of vulnerabilities exploited by criminals are at least one year old.
Verizon’s ninth annual Data Breach Investigations Report (DBIR) provides an in-depth look at the cybersecurity landscape, drawn from more than 100,000 security incidents worldwide in 2015, with key findings that include:
- 97% of breaches featuring stolen credentials leveraged legitimate partner access;
- 90% of vulnerabilities that are exploited are over one year old;
- 70% of payment card skimming incidents can be blamed on criminal organizations; and
- 63% of confirmed data breaches involved weak, default or stolen passwords.
Hackers Moving Faster
Financial firms were hit with the most data breaches last year, with some 795 breaches, followed by the accommodation/hotel sector (282), information sector (194), public sector (193), retail (137), and health care (115).
One disturbing trend is that attackers are getting faster in their hacks, but victims are still slow to detect that they’ve been hit. According to the DBIR, most attackers (82%) compromised victims within minutes. Approximately 67% stole data within days, while 21% did so within minutes.
Web application attacks increased 33% in 2015 compared to 2014, and in 95% of these breaches the motive was financial gain. Web attacks against financial services firms rose this year to 82% — from 31% last year — and that sector, along with the information and retail industries, was hit the most by these types of attacks.
Finally, a bit of good news: There was no sign of mobile devices becoming the next big attack vector amid the security incidents and data breaches analyzed in the report. In last year’s DBIR, the report’s authors concluded that mobile devices were a non-factor in 2014 real-world attacks. Only about 100 smartphones per week out of tens of millions of devices are getting infected, for a 0.68% infection rate, and mostly with adware or other relatively benign forms of malware.
5 Steps To Mitigate Data Breach Risks
So what can retailers do to thwart a data breach? Simple though often overlooked solutions are key. Overall, Novak says retailers must understand and utilize these five principles:
1. Be prepared to respond: It’s no secret retailers need an effective security system in place. “Every retailer focuses on prevention,” Novak said. However, “since there is no way to realize 100% prevention, you must be able to respond to the detection of a data breach and have an appropriate response to it. Companies are often hurt worse by a lack of adequate response to a data breach than the breach itself.”
2. People have the power: Yes, IT and security departments have a lot of cool devices guaranteed to analyze every bit of granular data, and cameras to watch the goings-on in the store. But they are not as effective as your store associates. That’s right; associates are on the front line and are more able to catch and act on suspicious activities than a camera. So why don’t employees contact management about breaches?
“The number-one response is that people assume IT saw it,” says Novak, who recommends that retailers “make people your first line of defense.”
3. Keep your POS applications up to date: With POS attacks, it’s all about phishing and installing malware or a keylogger to capture credentials. “Out of date applications are subject to a variety of exploits,” Novak said. “Remember, threat actors have your script. For old applications, the map to theft has been drawn, and it is shared by criminals time and again until the way in is closed off. That’s when they look for the next opening.”
4. Data retention and prompt patching: Yes, you need to keep customer information on file. But you need to make sure that if there is a breach somewhere in the company, it is patched up. “The large majority of breaches, almost 90%, were accomplished by exploiting old vulnerabilities that were at least a year old,” Novak said. “This means that any method in which an attack was successful was not patched properly, if at all, and continued to be a point of entry. Some vulnerabilities are between five to seven years old.”
5. Two-factor authentication is key: “This reduces attacks dramatically and is very underutilized,” Novak said. Static, single-factor authentication is a weakness that attackers exploit incredibly effectively. If possible, improve this with a second factor, such as a hardware token or mobile app, and monitor login activity with an eye out for unusual patterns.
In addition:
• Have a conversation with your vendors and ensure that they are using strong authentication to access your POS environment;
• Find out what monitoring options are available for your POS environment, and validate their implementation;
• Track remote logins and verify any and all that are against the norm;
• Separate the POS environment from the corporate LAN, and ensure that it is not visible to the entire Internet; and
• Keep up to date with PCI compliance.
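One way to put the “track remote logins and verify any and all that are against the norm” and “ensure vendors use strong authentication” advice into practice, as an added example that is not from the article or from Verizon: a constructed baseline of approved vendor and admin accounts (their source networks and maintenance windows) is checked against constructed remote-login records for the POS environment. The account names, networks, host names and log format are all hypothetical.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed, hypothetical baseline ("the norm") for remote access into the POS environment.
BASELINE = {
    "vendor-pos-support": {"networks": ["203.0.113.0/24"], "hours": (1, 5)},
    "store-it-admin": {"networks": ["10.50.0.0/16"], "hours": (6, 22)},
}

# Constructed log format: ISO timestamp, account, source IP, POS host, MFA flag, result.
LOG_RE = re.compile(r"^(?P<ts>\S+) remote-login user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    if not (m := LOG_RE.match(line.strip())):
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def review_login(event, baseline=BASELINE):
    """Return the reasons a login deviates from the baseline; an empty list means normal."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["account not in POS remote-access baseline"]
    reasons = []
    if not any(ip_address(event["src"]) in ip_network(n) for n in profile["networks"]):
        reasons.append("source outside approved networks")
    start, end = profile["hours"]
    if not start <= event["ts"].hour < end:
        reasons.append("login outside approved window")
    if event["mfa"] != "yes":
        reasons.append("second factor not used")
    return reasons

def triage(lines, baseline=BASELINE):
    """Map each deviating successful login to its reasons; failures are left to a separate check."""
    events = [(line.strip(), parse_line(line)) for line in lines]
    return {line: reasons for line, ev in events
            if ev and ev["result"] == "success" and (reasons := review_login(ev, baseline))}

# Constructed sample lines: one normal vendor login, two that should be flagged, one failed attempt.
SAMPLE_LOG = [
    "2016-05-02T02:15:00 remote-login user=vendor-pos-support src=203.0.113.40 dst=pos-01 mfa=yes result=success",
    "2016-05-02T14:03:00 remote-login user=vendor-pos-support src=198.51.100.7 dst=pos-01 mfa=no result=success",
    "2016-05-02T03:10:00 remote-login user=contractor-tmp src=203.0.113.41 dst=pos-02 mfa=yes result=success",
    "2016-05-02T23:50:00 remote-login user=store-it-admin src=10.50.3.9 dst=pos-03 mfa=yes result=failure",
]
```

Every entry returned by `triage(SAMPLE_LOG)` is a login that a human should verify with the vendor or the store, which is the point of the recommendation above.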
Prepare To Prevent, But Be Proactive In Case Of A Breach
“People are victimized in different ways but there are commonalities to each incident,” Novak said. “A retailer must tailor its security to the risks and threats that are potential realities to them. Then, they must have a prioritization of these threats and appropriate responses.”
As simple as that may sound, planning and executing an appropriate response is more difficult than it may seem. Breaches are sophisticated, yet simple. Data breaches will probably never disappear from retail, or from any business for that matter, but we can all prepare. Remember, even with 12 locks on a door, a slightly open window is all it takes for a break-in.