December 2013 was a watershed moment for retailers worldwide – and not because of a slump in holiday sales or sweeping changes to customer behaviour. Instead, it was the month in which a group of unknown Russia-based hackers used a form of malware to infect Target US’s point-of-sale systems, stealing credit and debit card account numbers from 40 million customers and a further 70 million email and mailing addresses to sell on the black market, and altering the way retailers address cybercrime in the process.
Twelve months later, incidents of cybercrime have gathered speed and intensity but retailers remain woefully unprepared. According to the 2015 Global State of Information Security Survey (GSISS), a yearly PwC report that takes a critical look at the rate at which retailers around the world are responding to the accelerating cybersecurity challenge, the number of hacks in 2014 increased 19% when compared with 2013 but information security budgets fell an alarming 15%. Here are some of the most important takeaways from GSISS 2015.
Data compromises grow in size and scale
In its 2013 Data Breach Investigations Report, Verizon counted 467 retail compromises around the world, with payment card data the main target in 95% of hacks across the retail sector, and christened the period “the year of the retailer breach.” But in 2014, breaches that saw 56 million credit card and PIN numbers stolen from US chain Home Depot and payroll data pilfered from UK supermarket giant Morrisons suggest that this trend shows no sign of slowing down.
Although nation-states, hacktivists and organised crime rings are the fastest-growing segment of cybercriminals, PwC research found that 34% of attacks could be traced back to current employees and 30% to those who had worked for the company in the past. It also detected a 27% leap in incidents linked to third-party service providers, contractors and business partners, who often enjoy access to a company’s data and network.
Serious holes in data governance
Retailers are often prone to taking a compliance-checklist approach to cybersecurity and focus most of their attention on the Payment Card Industry Data Security Standard. Unfortunately, a data governance strategy that’s equipped to tackle real-world cybersecurity challenges calls for policies around the creation, use, storage and deletion of information, as well as knowledge of where data is stored, how to manage access to sensitive information and how to govern the permission levels granted to third-party suppliers. When it comes to robust data governance policies in the retail sector, GSISS identified major flaws. Only 57% of respondents deploy secure-access control measures, 54% maintain an up-to-date inventory detailing how and where customer and employee data is stored and collected, and 51% have written a security policy for off-premises storage, access and transport of company information.
A rise in third-party threats
PwC research showed that cyberthieves are increasingly penetrating retailers’ networks and POS systems by following trails left by third-party vendors and contractors. This highlights the need for a tiered vendor-management program that analyses, assesses and manages partners in line with risks to the business.
New technologies, new risks
There’s no denying that technologies and platforms like cloud computing, smartphones, tablets and social media are helping retailers embrace the agile mindset that’s critical to a competitive edge. However, this suite of new technology also demands a revised approach to cybersecurity. The PwC survey discovered that 29% of retailers experienced security threats as a result of mobile devices – but only 51% have a dedicated mobile security strategy in place. This is further compounded by the jump in BYOD (bring your own device) policies, which – if unmonitored – pose further threats to corporate networks.
A future-forward take on cybercrime
Although retailers seem to be focusing more on some strategic practices, falling security budgets and a trend that saw retailers cut security spending more heavily than consumer companies suggest that there is more work to be done. For retailers, a strong cybersecurity strategy involves aligning information security with business needs, identifying and protecting sensitive assets, and ongoing investment in employee security awareness and training programs – anything less won’t cut it.
For more information about cybersecurity in the retail and consumer sector, download the 2015 Global State of Information Security Survey.