By Jerry Soverinsky
As both a veteran writer for the convenience store industry who has interviewed scores of retailers and the father of a five-year-old, I can state emphatically that the issue of protecting your company’s data is eerily similar to coaching youth soccer: There’s a lot of anxiety and wishful thinking that someone will take the lead because no one really knows what the hell they’re doing. (And let’s not kid ourselves: Even reading about it is boring.)
Let’s try this quick demonstration: If you’re like 58% of smartphone users (up from 48% last year), you’ve implemented a PIN or password to protect your personal information from unauthorized access. Surely, that’s a robust measure to secure your banking details, passwords and other sensitive data? Just to make sure, when iPhone users push their home button, it will prompt them for a password. Yep, all is still good.
Now try this: Instead of just pushing the home button, hold it down, activating Siri, iPhone’s voice assistant. Depending on your phone and operating system, you can now perform various tasks with the device—make a phone call, send a Facebook status, text a contact and more—without being prompted to enter a passcode to unlock the screen. That’s the default functionality of the phone, by the way. To eliminate this loophole, you need to navigate to Settings, then Touch ID & Passcode, and under Allow Access When Locked, turn off Siri. Not as secure as you thought, huh?
It’s in that context that we present an overview of the importance of the internal security of your organization— it’s perhaps not as secure as you think. While to date, much of the NACS discussion around data security has focused on credit cards and the personal information of your customers, the need for data security extends much more broadly and covers your proprietary information and employee files.
“For years, we’ve been telling retailers that you’ve got to take all of these protective measures around payments, which is crucially important,” said Gray Taylor, executive director of Conexxus. “But in doing that, we’re losing focus on other data. We may not be protecting it adequately, which is a mistake. All data is valuable unless proven otherwise.”
Taylor ticks off a number of routine back-office data files that present tempting bait for would-be hackers. “You’ve got loyalty programs with customer names, phone numbers and addresses. Those are three identifying elements that are so tempting fora hacker; they enable them to make a ‘synthetic person’ and perpetrate identity fraud.” Not to mention, if the company does not take adequate measures to protect that data, the Federal Trade Commission (FTC) can sanction it. “If you didn’t protect the data and the FTC believes that theft was inevitable, it will take a harsh view of you.”
There’s also pricing and cost files (“competitors would love to have these”), profit and loss reports, and employee records, which typically include a number of pieces of sensitive information, including health records, banking details and Social Security numbers, to name a few. “There’s a ton of data out there that we’re not protecting and we need to take a holistic approach to it," Taylor said.
The stakes are potentially very high. “Start with this scenario,” Taylor suggested. “If 50 employee records are stolen, the following will happen: The state will launch an inquiry, meaning you’ll have to lawyer up. At the same time, you’ll need to stop everything in your IT department while you bring in a forensics company to analyze the breach.”
Those will entail hard costs, but of course, there is also the lost good will with your employees and the associated costs of making them “whole” again— perhaps paying for credit monitoring and engaging experts to resolve financial and legal issues. And depending on your data security efforts, the FTC may assess fines, too. The list of potential liabilities goes on, with much to be clarified only after a loss.
“This is why data security is a difficult subject to address,” explained Matt Beale, partner of security for Capra, a consultancy specializing in payment, retail technology and security. “The reality is that the issue only becomes tangible after a breach.”
Even for those who try to be introspective, the lens is often blurred, Beale said, as retailers tend to feel a false sense of security based on their card protection efforts. “There’s a general view that if you’re PCI compliant, you are therefore security compliant. That’s a risky perspective.”
The reasons are twofold, according to Beale. “First, PCI is proactive—about making sure data doesn’t get stolen,” he said. “But a key gap is that it doesn’t pre- scribe reactive measures. What happens if someone does get in?” And second, “There’s no focus on any- thing other than credit cards. Not online efforts, mobile apps, loyalty programs, or other systems that use personally identifiable information…and that data is potentially more valuable than credit card data.”
Once a retailer commits to addressing their security efforts beyond PCI, there are a number of broad steps that they can take, beginning with the familiar. “As a first step, we must take the best practices that we use with card data and apply them across the enterprise,” Taylor said. That’s not a reference to technology, but to people.
“Everyone in your company should have data security training because the majority of breaches outside of card data are occurring because of human error,” Taylor said. “The human error of giving [office worker Johnny] Internet access and then he clicks on a link in a phishing email and—wouldn’t you know it, a bank account gets breached.”
While training inevitably comes at a cost, there are simple things that you should instruct your employees to do that are impactful and cost nothing. “Make sure employees change their passwords every month,” Taylor said. “You’d be surprised how many people still use Spring2016 or some variation of the season and year as their password. Also, segment your networks so that financial information is restricted to administrators. Those two things alone cover a great deal of risk, and addressing them costs nothing and takes little time to accomplish.”
It’s the little things that make the biggest impression when it comes to deterring cybercrime. “It’s not who you are but what you’re not doing that makes [your picking up full-time people who monitor your data and make sure that it’s secure.” Taylor said the value benefit here is so strong that he defers nearly all IT work—“with the exception of fixing desktops”—to the efforts of third parties. “It should all be outsourced, because it’s not a core competency of any business.”t’s the little things that make the biggest impression when it comes to deterring cybercrime. “It’s not who you are but what you’re not doing that makes [your picking up full-time people who monitor your data and make sure that it’s secure.” Taylor said the value benefit here is so strong that he defers nearly all IT work—“with the exception of fixing desktops”—to the efforts of third parties. “It should all be outsourced, because it’s not a core competency of any business.”
Beale cautions that even with expert third parties securing your data, you still run into a central security issue: people. “When you move to the cloud or a central product to manage all computers, you’ve got a big elephant in the room: the global administrator,” he said. “Someone now has a lot more access to your global environment.” Contrast that to a system whereby all employees have their own laptop. “It’s fragmented; they don’t get central access easily to all of your data.”
Beale recommends that whatever tools you use should have audit capabilities, “so that the administrator can’t mess with things without leaving a digital trail.” He cautions that “some of the best tools on the market don’t have that yet. It’s something of a recognized fault that people are trying to correct.”
In the meantime, he said to make sure the administrator is a trusted stakeholder in your company. “The administrator should be a partner or somebody who has ultimate responsibility for the organization. Don’t just give one of your interns responsibility for making fundamental configurations of your system.” He uses the example of employees who have their own laptops: “One of the easiest precautions you can take is to make sure they are not the administrator of their own computer. It creates vulnerabilities.”
While not all security measures are sufficient to thwart strong hackers, the goal should be deterring them by addressing known threats, according to Oleksak. “Most victims weren’t overpowered by unknowable and unstoppable attacks. We know them well enough and we also know how to stop them.”
Oleksak recommends a top-down commitment to security, an enterprise-wide initiative that should not be relegated to the IT department. “Information technology is a business issue. Executive management must embrace that directive, and it must consider the organization’s people, technologies and processes.”
To accomplish that, Oleksak recommends following a five-step approach that combines equal parts reactive and proactive processes:
- Identify what you have: This includes all components and processes that handle personal information and data.
- Protect what you identify: This includes a number of items, such as security (firewalls, IDS/ IPS), wireless security (SSID, password enhancements), authentication, encryption, antivirus software, patch management routines, network monitoring and testing.
- Detect direct and indirect attacks: Do you have sufficient monitoring in place to detect a cyberattack? Keep in mind that many of the big- gest retailers who suffered cybercrimes were unable to detect an intrusion for many months. You may need to look beyond your IT department for assistance here.
- Respond accordingly: Having an incident response and disaster recovery plan that addresses cybercrimes can help accelerate response and recovery times and thereby minimize the impact of a security breach.
- Recover appropriately: With a well-integrated plan in place, the company can meet disaster recovery and business continuity requirements.
No matter what processes you ultimately select, keep in mind that information security is an ongoing process. “It never ends,” Oleksak said. “It can only be maintained, which comes about through vigilance, training and reassessment.”
It’s a daunting, relentless task, to be sure—but so much easier than coaching youth soccer.
Jerry Soverinsky is a Chicago-based freelance writer. He’s also a NACS Magazine contributing writer.