“When it comes to dealing with data breaches and other data security issues in the business world, there are basically two kinds of companies: those that have discovered that they’ve been breached, and those that have been breached and don’t know it.”
While this may be a strong statement, it carries an equally powerful message for the retail community. Brian White leads the global advisory services business for the Chertoff Group, a global security advisory firm that provides clients with high-level security strategies designed to help them manage risk and protect against a wide spectrum of business threats. “Our objective is to help companies grow by adjusting and responding to the security risks of a global marketplace,” he adds.
In this capacity, White works with a broad range of clients that are seeking a new strategic direction to meet their growth objectives. He primarily focuses on cyber-security and innovative technology. The Chertoff Group has been working with the National Retail Federation to assist the retail industry in dealing with security issues, including the theft of credit and debit card data.
The retail industry has become a primary target for malicious cyber activity, with both individuals and organized criminal networks trying to steal payment card data, financial information and personal identity information. But the issue has the potential to go even deeper. As demonstrated by recent U.S. indictments against Chinese military officers accused of stealing trade secrets from American companies, business strategies, processes, product designs and other valuable information can also be targeted by nation states seeking to pirate intellectual property and related business assets.
“There are also many ways that these data breaches can occur,” states White. “That’s part of what makes it such a complex issue. Some methods are fairly unsophisticated, exploiting people’s natural inclination to trust others, for example. False emails may be sent to company employees, encouraging the employee to open a file or download a link that allows the criminal to back their way into the network and ultimately exposes the business to the intrusive malware–a process commonly referred to as ‘spear phishing.’ Other methods may be much more sophisticated, with the cyber-criminals investing in any number of intricate tools that will allow you to hack into the system.”
While data breaches and related threats can never be eliminated entirely, a key aspect of any protection policy is managing the risk. This means understanding where the organization is vulnerable, what the consequences of a compromise might be, and working together internally as a team to reduce those vulnerabilities. This is where retail must continue to build bridges within its existing infrastructure.
Throughout the retail environment, the LP and IS/IT departments typically have very different roles and responsibilities. Their functions within the organization are carved from different stones, dissimilar in origin, structure, balance and purpose. In many ways they even speak different languages. Yet there is also common ground, and a working relationship built on shared tasks and accountabilities. It is this relationship that must continue to evolve.
“When dealing with data risks in the retail environment, there’s increasingly a link back to the LP teams. The investigations function is particularly valuable, and a unified strategy only makes good sense. For our security functions to be most effective, our professionals must be a collective enterprise,” says White. This requires a comprehensive approach:
- Recognizing our vulnerabilities in order to mitigate the risks. This may also include consulting with specialized professionals to establish controls, define roles and responsibilities, and determine effective and efficient protocols.
- Increased communication and enhanced cooperation. This is a shared responsibility, and must flow both ways. There must be shared perspectives and open channels to build these bridges.
- Additional training. Everyone responsible for protecting this information must have a strong awareness of the tools and the power of the data, along with the knowledge and skills to manage the risks.
Given the depth, magnitude and global reach of several recent data breaches, as well as the repercussions for the businesses and their brands, there is clearly greater awareness, and companies have become much more sensitive to the threat. But this awareness must be coupled with continuing education, proactive controls and actionable plans.
“Every company should start with the proactive assumption that their perimeters can and will be breached,” states White. There must be a layered defense that would include:
- Appropriate tagging and classifying of data based on importance and sensitivity
- Robust policies and procedures that clearly identify security expectations
- Strong password policies, network controls, and access controls, including controls over third-party access
- Maintenance protocols, including keeping software patched and up to date
- Appropriate education and awareness to keep our teams current and informed
- A quick and diligent response and recovery plan in the event of an intrusion
- Continuing evaluation of these controls, with updates as necessary and appropriate
Every organization must evaluate its own risks and exposures and establish best practices based on its specific business needs. However, that approach should not focus solely on compliance. The real task is to take an active, functional look at the business, determine the risks, and then make informed, intelligent decisions based on the needs, vulnerabilities and resources of the organization.
Data security is vital to the success of our businesses in many ways, and every retail professional has a responsibility to remain educated and informed. As the experts are quick to remind us, that means that we must take the steps to listen, as well as to be heard. We have to build partnerships as well as learning opportunities, and work together to find solutions. We must arm ourselves with information, and make swift and sound decisions when called upon. We have to expect the battles, and win the war.
To learn more, read “Building A New Data Security Defense Team” from LP Magazine.