Masking high-tech cybertheft with low-tech break-ins

In light of the wave of data breaches in 2013 and 2014, a great deal of the focus on cybersecurity for retail enterprises has centered on hackers' ability to gain access to data by evading firewalls and using other high-tech methods. But hackers have found lower-tech ways to fly under retailers’ radar by way of misdirection and even physical store break-ins.

This was one of the takeaways from a presentation given by cybersecurity expert Vince Crisler, partner at Fortalice Solutions, at the FMI Connect trade show. Mr. Crisler discussed the need to refigure cybersecurity policies to better manage risk through organizational know-how and information sharing between organizations, rather than relying solely on technological solutions. Securing a network’s perimeter to "keep out the bad guys," he indicated, is no longer enough.

"We don’t have this wall around our networks anymore," said Mr. Crisler. "This idea of perimeter security is gone."

In an interview with RetailWire, Mr. Crisler further elucidated the potential threats to the cybersecurity of retail enterprises. What may appear to be a routine break-in to a brick-and-mortar outlet could include the theft of servers with the intent of misusing the data, not just reselling the hardware. Further, thieves may quietly install malware on a server or load a keystroke logger onto a system in a manager’s office.

"If you can touch it, you can own it," said Mr. Crisler. "[Retailers] just think of physical stuff, they don’t think about cybercrime."

Beacons and other technologies that collect customer data offer hackers another potential route to that data.

Retailers often find themselves dependent on third parties for implementing omnichannel solutions and that opens them to other risks. Mr. Crisler indicated that security can sometimes take a back seat in innovative IT enterprises that sell solutions to retailers.

This is particularly worrying for retailers given it’s the retailer that generally ends up on the hook for breaches in the eyes of the public.

While, according to Mr. Crisler, consumers are not yet making shopping decisions based entirely on security concerns, businesses are expecting that to change.

"We’re absolutely moving forward with this idea that there’s a direct impact on the financials for cybersecurity breaches," said Crisler in his presentation. "Not just ‘how do we recover?’ but ‘will our customers trust us?’"

Discussion Questions

How can retailers better defend against data breaches that originate with the human error of associates or with the theft of physical products? What is the appropriate balance between maintaining a secure enterprise and using technologically innovative tools?

4 Comments
Ralph Jacobson
8 years ago

The tools available today can help mitigate risks regarding human error throughout the enterprise. Store-level and corporate staff need to ensure that safeguards put into place are not circumvented. We see several examples of this in many prominent companies. Is there a balance required for the implementation of technology? Sure. However, the company can never be too safe.

Camille P. Schuster, Ph.D.
8 years ago

Each organization needs to be actively involved in developing and monitoring security practices. Third-party providers can design perimeter systems or systems based on official processes. What about informal business practices? A third-party provider may not be told about them because the top managers may not even be aware of them. However, those wanting to breach security can learn them and take advantage of loose procedures. Companies need to be aware of all their processes — formal and informal — and what is being done to manage security.

Cathy Hotka
8 years ago

The problem here is that if you’re really good at selling shoes and handbags, your core competence isn’t data security. Retailers should consider outsourcing critical infrastructure to companies that know data security inside and out.

Grace Kim
8 years ago

I don’t think most data breaches originate with human error of associates. Retailers should be vigilant about protecting customer and transactional data with redundant network and data security measures. As for physical thefts, leveraging RFID technologies as well as hiring the right staff and motivating them to take ownership (in line with the "how retailers can offset paying higher wages" discussion today) would be the first line of defense.

BrainTrust

"The tools available today can help mitigate risks regarding human error throughout the enterprise. Store-level and corporate staff need to ensure that safeguards put into place are not circumvented. We see several examples of this in many prominent companies."

Ralph Jacobson

Global Retail & CPG Sales Strategist, IBM


"Each organization needs to be actively involved in developing and monitoring security practices. Third-party providers can design perimeter systems or systems based on official processes. What about informal business practices?"

Camille P. Schuster, PhD.

President, Global Collaborations, Inc.


"The problem here is that if you’re really good at selling shoes and handbags, your core competence isn’t data security. Retailers should consider outsourcing critical infrastructure to companies that know data security inside and out."

Cathy Hotka

Principal, Cathy Hotka & Associates