As we mentioned in the last post, over the coming months we’ll be looking at the unique security and compliance challenges for a variety of industries. For the first entry in this series we’re examining the retail sector.
It’s no secret that the retail industry has endured some high-profile information security breaches in recent months. In December 2013, Target was hit with a data breach that resulted in the theft of millions of customers’ credit card data, including payment information, names, phone numbers and email addresses. The incident has had a huge financial impact on the retailer, with Target announcing in August 2014 that its second quarter financial results were expected to include gross expenses of $148 million, partially offset by a $38 million insurance receivable, related to the data breach.
Soon after the Target breach was disclosed, retailer Michaels notified customers that systems of Michaels stores in the United States “were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms” that were helping the company investigate the matter. The affected systems contained certain payment card information such as payment card numbers and expiration dates.
Also in early 2014, Neiman Marcus Group disclosed that it experienced a cyber security attack in which malicious software was clandestinely installed on its system and attempted to collect payment card data from July 2013 to October 2013. An investigation showed that about 350,000 payment cards were potentially affected.
And within the past month, The Home Depot confirmed that it was hit with a breach. The company said the data theft could affect its customers in stores across the United States and Canada. It said there was no evidence that debit personal identification numbers were compromised.
All of this contributes to a pretty scary picture for the industry, and could easily leave consumers wondering when the next big retail security breach will occur, or if they should pay for everything with cash and leave their payment cards at home.
Retail by its nature seems primed for financially motivated attacks, because it involves the transfer of huge amounts of money, either in physical stores or online. With so many people using payment cards of one sort or another, there is a lot of opportunity for theft of personal data that could be used for fraudulent activity.
Aside from the standard security tactics of using robust firewalls, intrusion detection, identity management and access controls, retailers need to ensure that card data is safe throughout the entire purchasing cycle, including when card data is in transit and stored. Oftentimes that means using encryption.
And because some of these attacks involve newly discovered malware, merchandisers also need to stay on top of the latest security threats, and make sure they have anti-malware software that is up to date. With the ongoing concern about advanced persistent threats, retailers can’t afford to be static when it comes to information security.
So concerned is the industry with its security threats that in April 2014 the Retail Industry Leaders Association (RILA), along with several of the most well-known retail brands, launched the Retail Cyber Intelligence Sharing Center (R-CISC). Through R-CISC, retailers are sharing cyber threat information among themselves and with public and private stakeholders such as government security entities.
“Retailers place extremely high priority on finding solutions to combat cyber attacks and protect customers,” Sandy Kennedy, president of RILA, said when the center was announced. “In the face of persistent cyber criminals with increasingly sophisticated methods of attack, the R-CISC is a comprehensive resource for retailers to receive and share threat information, advance leading practices and develop research relevant to fighting cyber crimes.”
In addition to the security challenges, retailers need to comply with industry regulations related to security. One of the most prominent is the Payment Card Industry Data Security Standard (PCI DSS 3.0). This is a proprietary security standard for companies that handle cardholder information for major credit, debit and other payment cards. The standard is designed to boost controls around cardholder data to reduce credit card fraud.
Clearly, this is an industry that can use help with security and compliance from technology solution providers, and that’s where value-added resellers (VARs) and managed services providers (MSPs) come in.
By getting up to speed on all the security issues and threats facing the retail business, and determining which technology solutions can help address those issues, you can provide a valuable service to an industry that’s looking for help.