One thing you can say about the cyber threat to retail: it is constantly changing. According to a new report by IBM, the threat is getting weaker and stronger at the same time. While retail/wholesale was the top industry target in 2014, the number of breaches during a key two-week holiday period dropped by more than 50 percent compared with the same period in 2012, and the number of daily attacks fell by nearly one third over the same period.
According to IBM, 61 million records were stolen from retailers during 2014, close to an all-time high. Fewer incidents yielding more records suggests that attackers are becoming more sophisticated, using new techniques to harvest confidential information more efficiently. Kris Lovejoy, general manager of IBM Security Services, calls the threat from organized cybercrime rings "the largest security challenge for retailers."
In 2014, IBM says, the most common mode of attack was unauthorized access gained by brute-force password guessing against Secure Shell (SSH) logins, displacing malicious code, which had been the top method in 2012 and 2013. Attacks on retailers and consumers have progressed from theft of physical credit cards, to website cloning, to attacks on POS systems themselves. A central weakness of many POS systems is that card data has to be held unencrypted in the terminal's memory while the transaction is authorized, which gives malware running on the terminal a window in which to read it.
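Brute-force SSH guessing leaves a very recognizable trail in the server's authentication log, and a retailer that is logging at all can catch it with a few lines of detection logic. The following is an added example, not code from the IBM report or from RetailWire; it assumes OpenSSH's standard auth.log line format, assumes the year 2015 for the year-less syslog timestamps, uses a threshold of five failures within sixty seconds (a tuning choice, not a figure from the report), and runs over constructed sample log lines rather than a real capture. It also flags the case a responder most wants to know about: a successful login from a source that was just seen guessing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth.log lines for password authentication (assumed format, no year in timestamp).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample lines (not a real capture): one guessing burst that ends in a
# successful login, one ordinary typo-then-success, one slow trickle below threshold,
# and one pam_unix line the regex deliberately ignores.
SAMPLE_AUTH_LOG = [
    "Jan 12 03:14:07 pos-backoffice sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2",
    "Jan 12 03:14:08 pos-backoffice sshd[2203]: Failed password for root from 203.0.113.45 port 51023 ssh2",
    "Jan 12 03:14:10 pos-backoffice sshd[2205]: Failed password for invalid user pos from 203.0.113.45 port 51024 ssh2",
    "Jan 12 03:14:12 pos-backoffice sshd[2207]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.45",
    "Jan 12 03:14:13 pos-backoffice sshd[2209]: Failed password for invalid user support from 203.0.113.45 port 51025 ssh2",
    "Jan 12 03:14:15 pos-backoffice sshd[2211]: Failed password for root from 203.0.113.45 port 51026 ssh2",
    "Jan 12 03:14:18 pos-backoffice sshd[2213]: Failed password for root from 203.0.113.45 port 51027 ssh2",
    "Jan 12 03:14:20 pos-backoffice sshd[2215]: Accepted password for root from 203.0.113.45 port 51028 ssh2",
    "Jan 12 09:02:11 pos-backoffice sshd[3002]: Failed password for posadmin from 198.51.100.7 port 40001 ssh2",
    "Jan 12 09:02:30 pos-backoffice sshd[3003]: Accepted password for posadmin from 198.51.100.7 port 40002 ssh2",
    "Jan 12 11:00:00 pos-backoffice sshd[3101]: Failed password for posadmin from 192.0.2.9 port 40100 ssh2",
    "Jan 12 11:05:00 pos-backoffice sshd[3102]: Failed password for posadmin from 192.0.2.9 port 40101 ssh2",
    "Jan 12 11:10:00 pos-backoffice sshd[3103]: Failed password for posadmin from 192.0.2.9 port 40102 ssh2",
]


def parse_line(line, year=2015):
    """Return (timestamp, outcome, user, ip) for a password-auth line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"failures": total_failed, "users": set_of_usernames_tried,
                  "compromised": True if a login succeeded while the burst was still
                  inside the window}}.
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    failures = defaultdict(int)      # ip -> total failures seen
    users_tried = defaultdict(set)   # ip -> usernames attempted
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()              # age out failures older than the window
        if outcome == "Failed":
            q.append(ts)
            failures[ip] += 1
            users_tried[ip].add(user)
            if len(q) >= threshold:
                alerts[ip] = {
                    "failures": failures[ip],
                    "users": users_tried[ip],
                    "compromised": alerts.get(ip, {}).get("compromised", False),
                }
        elif ip in alerts and q:
            # Success from a flagged source while failures are still in the window:
            # treat the account as guessed, not as a legitimate login.
            alerts[ip]["compromised"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The slow trickle from 192.0.2.9 never trips the detector because its failures are five minutes apart; a real deployment would add a second, longer window for low-and-slow guessing, and the "compromised" flag is the event to page on.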
The Privacy Rights Clearinghouse counts 260 million retail records leaked, lost or stolen in the U.S. since 2005; IBM believes the true figure is much higher because many incidents were disclosed without a record count. Major retail breaches so far have affected The Home Depot, Target, Sony PlayStation Network, Sony Online Entertainment, TJX, and many others.
Key factors in major breaches so far, according to IBM, have been outdated wireless encryption, firewalls never installed, security software purchased but never deployed, phishing campaigns that delivered POS malware to employees, and operating systems running with known vulnerabilities that were never patched.
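The POS malware mentioned above and the weakness noted earlier (card data sitting unencrypted in terminal memory during authorization) are two sides of one coin: the malware simply scans process memory for magnetic-stripe track data. The same scan is what an incident responder runs over a memory dump from a suspect terminal. The block below is an added example, not code from the report or from any retailer; it applies the publicly documented Track 2 layout (PAN, '=' separator, YYMM expiry, service code) with a Luhn check to cut false positives, runs over a constructed dump containing the well-known test PAN 4111111111111111, and then shows that the scan finds nothing once the data has been encrypted before it reaches terminal memory. The "encrypt_at_reader" function is a hypothetical XOR-keystream stand-in for point-to-point encryption, used only so the example runs offline; it is not a real P2PE scheme.

```python
import hashlib
import re

# Track 2 data as stored on a magnetic stripe: PAN (13-19 digits), '=' field separator,
# YYMM expiry, 3-digit service code, discretionary data, optional '?' end sentinel.
# The lookbehind keeps the PAN from starting in the middle of a longer digit run.
TRACK2_RE = re.compile(rb"(?<![0-9])(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})[0-9]{3,}\??")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_track2(buf: bytes):
    """Return masked hits for every Luhn-valid Track 2 record found in a memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m["pan"].decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m["exp"].decode(),
        })
    return hits


def encrypt_at_reader(buf: bytes, key: bytes) -> bytes:
    """Hypothetical stand-in for P2PE at the card reader: XOR with a SHA-256-derived
    keystream. Illustration only, so the example runs offline; not a real scheme."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(buf):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(buf, stream))


# Constructed memory dump (not from a real terminal): application noise, a Luhn-invalid
# decoy that the scanner must ignore, and one genuine cleartext Track 2 record.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"POSAPP v3.2 txn=000912 "
    + b"4111111111111112=25121010000000000"     # decoy: fails Luhn, must not be reported
    + b"\x00\x7f" * 8
    + b";4111111111111111=25121011234567890?"   # cleartext Track 2, test PAN, expiry 12/25
    + b" amount=4299 approved\x00"
)


if __name__ == "__main__":
    print("cleartext terminal memory:", scan_for_track2(SAMPLE_DUMP))
    print("encrypted at the reader:  ", scan_for_track2(encrypt_at_reader(SAMPLE_DUMP, b"demo-key")))
```

The scanner reports the offset and a masked PAN rather than the full number, so the triage output is itself safe to put in a ticket. The second call is the point of the exercise: when the reader encrypts track data before the POS application ever sees it, a memory scraper on the terminal has nothing to find.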
IBM provides a number of recommendations to retailers, some of which seem pretty basic:
- Change default passwords when installing POS systems;
- Ensure that POS software applications are updated and using the latest patches;
- Protect POS systems with a firewall;
- Keep the antivirus programs that protect POS systems up to date;
- Restrict access to POS system computers or terminals;
- Disallow remote access to the POS system.
In an interview with RetailWire, John Kuhn, a senior threat researcher at IBM Managed Security Services, said, "Many large retail breaches happen because the most basic retail security best practices are not being followed. In addition to the basics, retailers need to have tight control, monitoring, and updating of their POS systems, which in part is not happening because the systems have to be taken offline for updates. And retailers definitely need to use POS systems just for POS and not allow employee access to the internet via these systems."
BrainTrust
Discussion Questions
Do you see the cybersecurity threat to retail getting more or less severe? What are the most important things retailers can do to secure their POS systems and their customers’ data?

I am shocked that “not using default passwords” has to be recommended. It seems to me that retailers need to take data protection as seriously as they take data collection or as seriously as they would want their own personal data to be taken.
Cybersecurity will continue to increase until we recognize that our outdated system of physical cards, numbers, and user IDs needs to be updated and totally replaced. We have electronic iris scans, face scanners, and other forms of identification that are superior to the use of numbers, yet still retain the ability to be unique and secure. These should be used (the government uses these), while providing multiple layers of security (three levels of confirmation). Most importantly, our wallets, checkbooks, and credit cards all disappear. Instead we have personal identification with multi-layer support that uses simple voice, iris, and facial scans captured at the point of purchase, or on our phones, etc.
Everything in this discussion article seems to point to retail point-of-sale (POS) systems. I have no doubt that this is where the problem is and will remain for some time to come. The reason is simple: current POS software and hardware are from pre-wireless and pre-internet days. That would make these systems over 25 years old at best. Some of the new names in retail POS systems are not from-scratch developments, or used go-to code for investment savings purposes.
In the open systems environment, good enough isn’t cutting it and the lawsuits being negotiated as we speak will demonstrate this once and for all by way of settlements and bench legislation.
Many retailers are undoubtedly too lax in their security measures, but many are also confused. There is a range of guidelines and stipulations from state agencies, differing from state to state.
President Obama, in an address to the FTC today, proposed new federal legislation aimed at curbing online fraud and protecting digital privacy, while making sure companies bear the brunt of responsibility when breaches occur. “This is a direct threat to the economic security of American families, and we’ve got to stop it,” the President said.
Of course, he’s calling for bi-partisan support from Congress on an issue that one would think should be high on the agenda of both parties … but we all know how that goes.
I think this study shows some definite trends that need to settle before we make broad statements. The hackers will always be challenging the security providers. In the meantime, as we see the cost of a data breach on the rise, I see the threats also rise within the retail industry, specifically. For the first time, however, the research reveals that having business continuity management involved in the remediation of a breach can help reduce the cost of it.
Unfortunately, there will always be criminals. Cyber-crime is still happening, and the good people will try and put up a strong fight against them. The reality is that once retailers put a good secure system in place, the cyber-criminals find a way around it. It is better, but still not perfect.
While retailers do what they can to prevent cyber-crime, they can also insure against it. Companies like AllClear ID will insure each and every customer that does business with the retailer, protecting them by reimbursing any losses due to data breach, identity theft, etc. While this may not prevent the crime, it gives the customer a sense of security and confidence in the companies/retailers they do business with.