Cyber Risk | Retail Sector Spotlight

It doesn’t take a cyber risk expert to realize that the retail industry is a prime target for hackers, and that some of retail’s most iconic brands have made front-page, breaking news when it comes to millions of lost or stolen data records. Primary Cardholder Information (PCI) is extremely valuable amongst those on the “Darknet,” once described by PC Magazine as “the hidden, anonymous underbelly of the searchable Web.” Since larger retailers handle these records in the hundreds of thousands to millions, hackers are looking for any entry point into their networks to extract credit card and customer account data.

While most retailers are working to gain a competitive advantage through technological innovations that provide customers with convenient methods to browse and buy both in store and online, these efforts are greatly increasing their cyber risk exposures – often faster than they are prepared to deal with.

Something that might be overlooked is that retailers not only need to protect their bottom line and their customers from a cyber attack, they also need to safeguard their brand reputation – which, once damaged, could be more devastating than the actual cost of the breach, due to loss of consumer trust. After 110 million records were lost in the Target breach, the retailer posted quarterly profits that were 46 percent below what was expected. In addition, the discount retailer’s stock price was negatively affected and it suffered tremendously in terms of brand reputation and perception – dropping 45 points (-19) on its “Buzz score,” YouGov.com’s polling brand index, which ranges from 100 to -100. We’ve seen a fair number of large retailers affected by a breach in recent years: Target, Home Depot, P.F. Chang’s and TJX Companies are a few of the more high-profile examples:

  • Target – 110 million records breached, resulting in a cost to the discount retailer of $252 million plus a drop in sales and stock price;
  • Home Depot – 56 million credit card accounts hacked, resulting in a cost to the home-improvement/building supply retailer of $232 million in expenses;
  • P.F. Chang’s – Credit card reissuance cost the restaurant chain $49 million and call center/notification costs were an additional $100 million for its data breach;
  • TJX Companies – The company that owns T.J. Maxx, Marshalls and HomeGoods had the Personally Identifiable Information (PII) of 45.6 million customers stolen, which cost the off-price retailer of apparel and home furnishings $256 million.

Although these examples call out extremely large retailers, no one is really safe. In actuality, smaller retailers may be at higher risk due to the lack of sophistication of their security systems and protocols.

Here are several key security factors that should be considered to protect retailers from a data breach:

  • Retailers need to closely examine how they accept payments. Credit card magstripes are notoriously easy for a hacker to read account data from, which has led to EMV chip readers being implemented in place of the more traditional swipe readers. Mobile payments through Apple Pay and Google Wallet are starting to pick up popularity, since you never have to actually hand your card to a merchant.
  • Point-to-point or P2P encryption should be implemented, if possible. P2P encrypts card data at the point of swipe, all the way to the bank or processor for approval/denial of the transaction; payment card data is never exposed and is encrypted before it reaches memory.
  • Payment Card Industry-Data Security Standard (PCI-DSS) compliance should also be a major concern for retailers – to both ensure that their security systems are up to par, and also to avoid/lessen regulatory fines and penalties in the event of a breach.
  • Retailers should ensure that hardware has up-to-date firmware, is running the latest operating system and is physically secure. Software should be patched with the latest security updates on a regular, consistent schedule. Also, the POS system should be scanned regularly for vulnerabilities.
  • Finally, third-party vendor network credentials should be properly managed. Often, these vendors will have access to systems either on the corporate network or the POS network, or they may store login credentials or customer data themselves. If they are vulnerable to an attack, the hackers may be able to utilize information on the third-party system to access the retailer networks. According to the PricewaterhouseCoopers 2015 Global State of Information Security Survey, a 27 percent jump in incidents was attributed to third-party service providers, contractors, suppliers and business partners, which often have trusted access to the company’s network and data.
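As an added example (not code from the original post), here is a simple check a retailer’s security team could run over POS or application logs to catch cleartext card numbers that P2P encryption and PCI-DSS masking are meant to keep out of memory and logs. The log lines and card numbers below are constructed test values, not data from any real system.

```python
import re

def luhn_valid(digits):
    """Luhn checksum: every real payment card number passes it, which cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digit runs, optionally separated by spaces or dashes (typical magstripe/receipt formats)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text):
    """Return the distinct Luhn-valid card numbers found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in hits:
            hits.append(digits)
    return hits

def mask_pan(pan):
    """PCI-DSS style masking: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_log(lines):
    """Return (line_number, masked_pan) for every line carrying a cleartext PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings

# Constructed sample POS log lines; the card numbers are public test numbers, not real accounts
SAMPLE_LOG = [
    "2015-03-02 10:14:07 POS-07 auth ok token=tok_8f21aa amount=42.10",        # tokenized: fine
    "2015-03-02 10:14:09 POS-07 DEBUG track2=4111111111111111=2012101",        # cleartext PAN
    "2015-03-02 10:15:30 POS-03 order=1234567890123 qty=2",                    # 13 digits, fails Luhn
    "2015-03-02 10:16:02 POS-03 card 5500 0000 0000 0004 approved",           # spaced PAN
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: cleartext card number found ({masked})")
```

Any hit means card data reached a log in the clear, which is exactly what the P2P and PCI-DSS points above are meant to prevent; the masked output keeps the finding itself from becoming another exposure.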

The above items should be carefully considered in addition to traditional cyber security practices that I’ve covered in many of my earlier posts, such as:

  • Document and test an Incident Response Plan and Disaster Recovery Plan;
  • Manage user access role permissions properly and document them well;
  • Implement password policies to ensure system passwords are changed frequently;
  • Consider implementing two-factor authentication as a second layer of password security;
  • Maintain strong policies and procedures to govern security compliance;
  • Invest in employee security awareness training;
  • Maintain adequate Cyber Liability insurance.

With an average cost per breached record of $200 and brand reputation at stake, retailers must work with a trusted risk management advisor to develop a strategic mitigation plan to combat cyber risk and its ever-evolving exposures.
