The apparel chain filed for bankruptcy in January and closed its e-commerce site and stores.
BrickHouse Security takes an even more aggressive approach—regardless of whether that might make for a less convenient experience for consumers. For example, a call center agent can’t access a shopper’s credit card number, even if the shopper placed an online order just the day before, because as soon as a shopper types his credit card number into the system, that number goes to the retailer’s payment gateway and is replaced by a token.
“One of Amazon’s greatest strengths is that it doesn’t make customers reenter their information,” Morris says. “But even though it’s convenient for the customer, we don’t want to have the risk involved in having that information.”
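The tokenization flow described above, as an added illustration that is not BrickHouse Security’s or any gateway’s actual code: the gateway keeps the card number in its own vault and hands back a random token, and the retailer’s order system stores only that token plus the last four digits, so a reorder can be charged without an agent ever seeing the number. The class names, the Luhn check and the sample card number are constructed for this example.

```python
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the standard sanity check on a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 4 else d * 2
        total += d
    return total % 10 == 0


class PaymentGateway:
    """Stand-in for the outside gateway (constructed): the only place the PAN lives."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> card number, never leaves here

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(12)   # random: reveals nothing about the PAN
        self._vault[token] = digits
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        self._vault[token]     # dereferenced only here; KeyError for an unknown token
        return {"token": token, "amount": amount_cents, "approved": True}


class OrderSystem:
    """The retailer's side (constructed): holds tokens and a display hint only."""

    def __init__(self, gateway: PaymentGateway) -> None:
        self.gateway = gateway
        self.orders: dict[str, dict] = {}

    def place_order(self, order_id: str, pan: str, amount_cents: int) -> str:
        token = self.gateway.tokenize(pan)          # PAN handed off immediately
        last4 = re.sub(r"\D", "", pan)[-4:]
        self.orders[order_id] = {"token": token, "last4": last4, "amount": amount_cents}
        return token

    def agent_view(self, order_id: str) -> dict:
        o = self.orders[order_id]                   # what a call center agent can see
        return {"card": "**** **** **** " + o["last4"], "amount": o["amount"]}

    def recharge(self, order_id: str) -> dict:
        o = self.orders[order_id]                   # reorder reuses the token, not the PAN
        return self.gateway.charge(o["token"], o["amount"])
```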
BrickHouse Security also has both an outside consultant and its I.T. team monitor its site for suspicious activity. “We want to make sure that our site is constantly watched,” he says.
Most retailers aren’t that aggressive, says Verizon’s Novak, which explains why 99% of POS attacks and 88% of web attacks are discovered by law enforcement or someone else outside the organization. Those numbers show that many retailers either don’t have or don’t pay attention to vendors checking their sites for suspicious activities.
That’s a serious problem.
“Even if a retailer is as secure as it could possibly be, if it doesn’t have a detection program in place, it won’t be able to remedy a situation if an attack does somehow occur,” Novak says.
To be proactive, retailers have to understand their challenges. That means finding a vendor to run a risk assessment on an annual, if not quarterly, basis that examines the systems that touch sensitive data and how they’re defended, says Prescient Solutions’ Irvine.
“You have to know what those applications are and the risk that the business faces if any of those systems is breached,” he says.
The process of examining a merchant’s system shines a light on data security, which, despite the recent breaches, is often overlooked, he says. In fact, only 51% of respondents to a recent Ponemon Institute LLC survey of I.T. executives across 16 countries said that securing or protecting that data is a “high priority” within their company.
Moreover, 79% said that not knowing where sensitive and confidential data resides is a serious security risk facing their companies, and 59% of retail respondents said that not knowing where sensitive data is located “keeps me up at night.”
The problem with many retailers’ processes is that too many employees can access sensitive data, which they may then be able to export out of the company’s network to software hosted by outside companies, such as cloud-based customer relationship management programs, says Julie Lockner, vice president of marketing and business development at data software vendor Informatica Corp. Once that data is outside a retailer’s system, it may not be secure.
“Those decisions are made outside of I.T. and I.T. might not even know about it,” she says. “And once it’s out there, getting it under control is like herding cats.”
A challenge facing retailers is that the old techniques they used to keep data safe often don’t work anymore, Irvine says.
“We used to use firewalls to block everything and didn’t allow anyone to get into our networks,” he says. But when a retailer lets its employees access its system via tablets and smartphones, as well as home computers for those who telecommute, the firewall weakens, Irvine says.
For example, the Department of Homeland Security issued a report in July that warned that hackers are scanning merchants’ systems to find remote desktop applications—developed by companies such as Microsoft Corp., Apple Inc. and Google Inc.—and then using programs to guess employees’ logins to break into their systems. Once inside, they can use a type of malware called Backoff to steal payment card data off POS systems.
Those types of vulnerabilities are one reason why BrickHouse Security banned its employees from using certain types of remote desktop software that it didn’t feel offered enough security precautions and why its I.T. team manages its firewall to track who is accessing its system and from what IP addresses. An I.T. team member can see if an employee who regularly logs in from New York suddenly logs in from France, Morris says. Moreover, employees can only access less sensitive systems remotely; to access more sensitive customer data an employee has to be on site.
“That’s an inconvenience,” Morris says. “But it’s something we have to do.”
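The check Morris describes (an employee who regularly logs in from New York suddenly logging in from France), as an added example that is not BrickHouse Security’s own tooling: it walks an authentication log in time order, builds a per-user baseline of countries seen at least a few times, and flags a login from a country outside that baseline. The log format, the IP-to-country table and the usernames are constructed for this example; a real deployment would use a GeoIP database.

```python
import re
from collections import Counter, defaultdict

# Constructed stand-in for a GeoIP lookup (documentation-range addresses).
IP_COUNTRY = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "192.0.2.44": "US",
    "198.51.100.7": "FR",
}

# Constructed sample of a firewall/VPN authentication log.
LOG = """\
2014-08-01T09:02:11 auth ok user=jdoe src=203.0.113.10
2014-08-01T10:00:00 auth ok user=asmith src=192.0.2.44
2014-08-02T08:58:40 auth ok user=jdoe src=203.0.113.11
2014-08-03T09:10:05 auth ok user=jdoe src=203.0.113.10
2014-08-04T02:14:52 auth ok user=jdoe src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth ok user=(?P<user>\S+) src=(?P<ip>\S+)$")


def parse(log: str):
    """Yield (timestamp, user, source_ip) for each successful login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def find_anomalies(log: str, min_logins: int = 3) -> list:
    """Alert when a user with an established baseline (a country seen at least
    min_logins times) logs in from a country outside it. Users with no baseline
    yet are not flagged, which avoids noise for new hires."""
    history = defaultdict(Counter)      # user -> Counter of countries seen so far
    alerts = []
    for ts, user, ip in sorted(parse(log)):   # ISO timestamps sort chronologically
        country = IP_COUNTRY.get(ip, "??")
        known = {c for c, n in history[user].items() if n >= min_logins}
        if known and country not in known:
            alerts.append((ts, user, ip, country))
        history[user][country] += 1     # update only after the check
    return alerts
```

An alert here is a prompt for the I.T. team to verify the login with the employee, not proof of compromise; travel and mobile carriers produce the same pattern.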
The point is to limit BrickHouse Security’s risk. And that’s something every retailer has to do because each employee who has access to a retailer’s systems is a potential weak link, says Arturo Perez-Reyes, cyber, privacy and errors and omissions practice leader at insurance brokerage Hub International Ltd.
Even an honest employee can fall prey to hacking techniques such as spear phishing, which is when a criminal e-mails someone what appears to be a legitimate document, such as a document from a coworker, but, when clicked, leads to a hacking portal that downloads malware onto his computer. That malware can then search for security openings that expose data, such as customer e-mail addresses and payment card account information—or it can install keylogging software designed to capture the recipient’s keystrokes to steal his access credentials.
About 80% of the incidents Experian Consumer Services investigates for clients involve employee negligence, says Michael Bruemmer, vice president of consumer protection at Experian, which provides breach-related consulting and online credit monitoring and protection products. One of the most popular passwords, for example, is Password1, which provides easy access to criminals.
“Employees are responsible for protecting the security of the organization and that means that every employee has to understand what’s at risk,” Bruemmer says.
BrickHouse Security’s Morris says that he uses a mix of training and technology to minimize the risk his employees pose. For example, the retailer requires every employee to use a secure password manager program, like 1Password, that creates unique passwords that are extremely difficult to hack.