Building A New Data Breach Policy

data breach policy

As technology draws us deeper into a new age of business enterprise, we are continuously bombarded with challenges and opportunities involving those with malicious intentions. Data security attacks come at us from every direction as the ingenuity of criminal minds seek new and creative ways to infiltrate our information resources and engage in cyber warfare against our businesses.

In order to survive these intrusions, retailers must fight back. We have to defend our ground and take the necessary steps to combat the threat. This requires that we build a solid data breach policy and recruit the data security resources that will help us win the battles. We must become cyber warriors in our own right, defending our computer and information systems against those seeking to seize and exploit the lifeline of our business.

Hackers and like-minded data security mercenaries wage war using information technology to assault our computers and information systems through cyber-related strategies. In the retail space, we primarily have thieves looking for personally identifiable information that can be exploited and turned into cash. But hackers also target organizations for their R&D assets, intellectual property, and corporate strategies, among other motivations.

Digital Partners

To win these wars, we must find better ways to secure our systems by building awareness, educating our teams, finding and closing vulnerabilities, and developing a collaborative data breach policy to protect our resources and defend our customers and our companies.

Our greatest opportunity to overcome these intrusions is through a comprehensive approach that includes information sharing and best-practice protocols that support a joint data security defense team. To prevail over this imposing threat to the business, we have to work together.

A team is at its best when the offense and defense work well together. LP Magazine intends to take this fight to the offensive by providing information and resources that can be used to support our efforts and strengthen our sentinel. In the process, we’ve attended multiple seminars and interviewed data security thought leaders and cyber security experts to provide a more comprehensive perspective.

The Influence of Retail

“Retail is the lifeblood of the American economy,” said Michael Chertoff, former US Secretary of Homeland Security, at the June 2014 National Retail Federation (NRF) loss prevention conference. “Having a safe space to operate is critical to the successful operation of the business.”

According to the US Department of Labor, the retail trade sector is one of the nation’s largest employers. Studies show that total retail sales in the US topped $5.5 trillion in 2015. While no surprise to those leading the industry, these numbers make it apparent that cyber threats can not only impact the retail sector, but can also have a substantial influence on the growth and stability of our economy as a whole.

Chertoff,  now the executive chairman and co-founder of the global security advisory firm The Chertoff Group, feels that cyber security issues have not received the type of front-line attention that some of the more visible and obvious risks have obtained. With some of the recent data security incidents that have brought the issue front and center, it is becoming increasingly clear that these types of cyber threats must become a business priority.

“We’ve seen broad exposure of systemic vulnerabilities in our company infrastructures,” Chertoff said. “Businesses are collecting more personal information about customer preferences, locations and behaviors, not to mention credit card numbers. Organized groups have become sophisticated in their efforts, using strategies that are complex and well planned.”

Did you ever consider that something as simple as a thermostat could leave your company vulnerable to a cyber attack? To help keep customers comfortable and shopping at a store, it’s common for retailers to routinely monitor temperatures and energy consumption in stores to save on costs and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range. Often, this process is completed with the assistance of an outside service provider with specific expertise to keep the system efficient and cost effective. Yet this seemingly mundane process opened the door for access to a company’s database, leading to one of the largest, most damaging data breaches in retail history.

Whether data security vulnerabilities are introduced by employee errors or negligence, disgruntled employees, partnering companies, or some other weak link in our systems or procedures, the risks are formidable, the possibilities are only bound by the creativity of the criminal element, and no business is exempt from the threats.

“Data security is about risk management, not risk elimination,” said Chertoff. “There has to be a strategy for managing the risk built on realistic expectations. You have to understand what you’re facing so that you can make intelligent decisions. There must be a full understanding of the threat, of the consequences, and an assessment of the company’s weaknesses and vulnerabilities and how they fit within the business.”

Arming Ourselves with Data Security Experts

Many businesses are aggressively pursuing different avenues to improve cyber strategies and provide data security training and awareness opportunities for company leadership. Industry conferences have taken significant steps to offer quality sessions that provide information, guidance, and direction on how to build a data breach policy. Companies are bringing in top experts to consult with their teams, perform vulnerability assessments, and educate both staff and company leadership.

Various conferences held across the country also specifically focus on data security issues–some intended for industry experts, and some for business leaders at different levels and areas of responsibility. Larger events would include the RSA conferences, which attract some of the best and brightest in the field through annual conferences in the United States, Europe, and Asia. Other conferences may focus on specific or more intimate audiences to heighten awareness and maximize the learning experience, such as the Cyber Security Summit. All of these efforts are intended to improve our skills, keep our professionals connected, and increase awareness of these critical business concerns.

“In many ways, we have been short-handed when it comes to cyber warriors,” said Ken Fuller, former executive vice president for the Cyber Security Summit. “We’ve had tremendous success bridging the gap by bringing in data security experts and educating leadership regarding what’s going on and how we can better defend ourselves. By identifying and securing thought leaders that can successfully communicate the message, educate them on what to look for, and help determine the weakest link, we can help our enterprises approach technology issues with a broader perspective and a sharper focus.”


The Power of Social Media

By using web and mobile technologies to turn communication into interactive dialogue, social media creates an effective channel for individuals and groups of people to connect, interact, create, and share.

With businesses constantly positioning to make news, build their brands, improve communications, and grow their customer base, companies are using email blasts and a plethora of platforms to include Facebook, Twitter, LinkedIn, and YouTube to market their products and services. These powerful tools can have significant influence on awareness, acceptance, and behavior. They play an important role in marketing strategies and are a common vehicle used by many employees to network and communicate with one another. Unfortunately, these same resources are opening doors to data security issues.

Finding the Weakest Link

“When cyber criminals are looking for ways to breach our systems, the starting point to penetrate our information typically has nothing to do with the use of credit cards, even when that’s the information that they’re attempting to obtain,” said James Foster, founder and CEO of ZeroFOX. “But they have to get in somewhere. So what is the best way in? Attackers will look for the weakest link and a way in that exploits or manipulates the system at a point of vulnerability. They’ll often use tools that have mass adoption—even if it fails a thousand times, the one time it does work gets them in. They are looking for a more covert way to get into the system—one where they can feed on the user’s trust and delay detection. When you put it together, the easiest venue to leverage is social media.”

In our push to get ahead in the competitive business world, Foster commented that information technologies must reap immediate benefits. As a result, the technology can be significantly ahead of the controls. “Security measures can lag behind three to five years,” he added. “A company’s number-one asset is its people. This is a common thread and a prime opportunity for access. Ninety percent or more of the malware is getting in through social media.”

Foster went on to describe a simple scenario as an example. If a hacker wants to break into XYZ Company, they may create an online persona that mirrors the brand’s logo, verbiage, and marketing style. They build the false content using one of many social media platforms, along with a link that says “XYZ Company Rocks.” If an employee were to open the link, it can then open the door for the hacker to breach the company.

While it may sound like a simple strategy, hackers have become experts at disguising their intentions—and it may only take one unsuspecting employee to be successful. Regrettably, this is only a single example of a problem with prospects only limited by the imagination and ingenuity of the hacker. This is the challenge, and only one of many data security issues that we can face.

Defense in Depth

So, how do we combat these problems?

“Unfortunately, existing plans are ninety percent reactive, which is like patching cracks in a dam with bubble gum.” Foster said. “There has to be a plan, a defense-in-depth strategy that proactively addresses data security.” In the information world, it’s about firewalls, intrusion-detection systems, two-factor authentication, and encryption. These defenses are layered to make them more resilient. But there has to be more. Our defenses must include a data breach policy and a partnership that effectively creates a unified team to combat these cyber threats. This involves a comprehensive approach that would include:

  • A knowledgeable and educated team that communicates well and works together
  • A diverse team that can provide different perspectives and offer comprehensive value
  • Expert external opinions that provide guidance and will objectively review the data breach policy
  • An adequate budget
  • Privacy and compliance policies
  • A framework and foundation for governance

“As retailers expand their offerings and push online services, internal and external policies, roles and synergies must be reevaluated, and a collaborative security strategy that includes loss prevention absolutely must be part of the conversation,” said Foster. “The success of the organization simply depends on it.”

Building Bridges

“When it comes to dealing with data security issues in the business world, there are basically two kinds of companies—those that have discovered that they’ve been breached, and those that have been breached and don’t know it.”

The retail industry has become a primary target for malicious cyber crime, with both individuals and criminal networks trying to steal financial information, identity information, and credit card information. But issues have the potential of going even deeper. As demonstrated by recent news stories, there is even the potential for business strategies, processes, products, and other valued information to be targeted by nation-states seeking to pirate intellectual property and related business assets.

“There are also many ways that these data breaches can occur,” said Brian White, who formerly led the global security services for The Chertoff Group. “That’s part of what makes it such a complex issue. Some methods are fairly unsophisticated, exploiting people’s natural inclination to trust others, for example. False emails may be sent to company employees, encouraging the employee to open a file or download a link that allows the criminal to back their way into the network and ultimately exposes the business to the intrusive malware—a process commonly referred to as ‘spear phishing.’ Other methods may be much more sophisticated, with the cyber criminals investing in any number of intricate tools that will allow you to hack into the system.”

While such threats can never be eliminated entirely, a key aspect of any data breach policy is managing the potential risks. This involves understanding where your vulnerabilities may occur, what the potential consequences might be, and working together internally as a team to minimize those vulnerabilities. This is where retail must continue to build the bridges within our existing infrastructure.

Throughout the retail environment, the LP and IT departments typically have different roles and responsibilities. Their functions within the organization are carved from distinctive stones, dissimilar in origin, structure, balance and purpose. In many ways, they even speak different languages. However, there is also common ground and a working relationship based upon shared tasks and accountabilities. It is this relationship that must continue to evolve.

“When dealing with data risks in the retail environment, there’s increasingly a link back to the LP teams. The investigation function is particularly valuable, and a unified strategy only makes good sense. For our data security functions to be most effective, our professionals must be a collective enterprise,” said White. This requires a comprehensive approach:

  • Recognizing our vulnerabilities to mitigate the risks. This may also include consulting with specialized professionals to establish controls, ascertain roles and responsibilities, and determine effective and efficient protocols.
  • Increased communication and enhanced cooperation. This is a shared responsibility and must flow both ways. There must be shared perspectives and open channels to build these bridges.
  • Additional training. Everyone responsible for protecting this information must have a strong awareness of the tools and the power of the data, along with the knowledge and skills to manage the risks.

With the depth, magnitude, and global reach of several recent data breaches as well as the repercussions for the businesses and their brands, there is clearly greater awareness to the point that companies have become much more sensitive to the threat. But this awareness must be coupled with continuing education, proactive controls, and an actionable data breach policy.

“Every company should start with the proactive assumption that their perimeters can and will be breached,” said White. There must be a layered data security defense that would include the following:

  • Appropriate tagging and classifying of data based on importance and sensitivity.
  • Robust policies and procedures that clearly identify security expectations.
  • Strong password policies, network controls, and access controls to include third-party controls.
  • Maintenance protocols and keeping software up-to-date.
  • Appropriate education and awareness of the data breach policy to keep our teams current and informed.
  • A quick and diligent response-and-recovery plan in the event of an intrusion.
  • Continuing and persistent evaluation and updates as necessary and appropriate.

Every organization must evaluate their risks and exposures and establish best practices based upon their specific business needs. However, that approach should not focus solely on compliance. What you really have to do is take an active, functional approach to the business, determine the risks, and then make informed, intelligent decisions based on the needs, vulnerabilities, and resources available to the organization.

Perception versus Reality

Recent data security attacks on retailers have focused the attention of the entire retail community on these cyber crimes, and all have an important connection in cyber security expert and noted blogger Brian Krebs. A journalist and investigative reporter who broke the news on several prominent data breaches, Krebs is best known for his coverage of profit-seeking cyber criminals. However, beyond his experience, it is his sharp instincts and insightful approach that help him stand apart. In 2014, he gave a presentation at the NRF loss prevention conference and shared some thoughts that should make all of us take notice.

When it comes to protecting our critical information, Krebs stressed the concept of perception versus reality—how secure you actually are versus how secure that you think you are.

“Most companies think that the automated tools that they have do a pretty good job at protecting them from these cyber attacks,” he said. “But where they really need to focus more of their data security budgets is on the people to help them interpret all of the stuff that’s being put out, and how to respond to it. Too many organizations spend way too much emphasis on the tools, and not enough on the people.”

Reflecting on several of the incidents that have garnered his energy and attention, Krebs feels that companies typically have all of the information that they need to figure out that they’ve had a data breach, but no one is looking at and interpreting that information. He emphasized the importance of communication, teamwork, and talent. He then proposed the following model to guide those efforts:

  • Identify and protect your soft spots—Determine what information that you feel is vital to protect.
  • Know your enemy—Figure out who you’re likely to be targeted by and what information they want.
  • Invest in talent—Too many organizations rely on automation for security rather than talent. Get smarter about how you spend your security dollars. For example, few companies have a chief information security officer (CISO). Invest in people and leadership.
  • Look beyond compliance—A primary opportunity lies in a failure to act on information that has already been gathered.

“For too many organizations, it takes a major data breach to get religion,” he says. Do we really need to experience another incident to find a common creed?

When describing himself on his blog, Krebs reveals, “Much of my knowledge about computers and Internet security comes from having cultivated regular and direct access to some of the smartest and most clueful geeks on the planet.” Maybe we should all take his lead.

Moving Forward with Your Data Breach Policy

Data security is vital to the success of our businesses in many ways, and every retail professional has a responsibility to remain educated and informed. As the experts are quick to remind us, that means that we must take the steps to listen, as well as to be heard. We have to build partnerships as well as learning opportunities, and work together to find solutions. We must arm ourselves with information, and make swift and sound decisions when called upon. We have to expect the battles, and win the war.

For many of us, this is new territory. For others, it is an opportunity to refocus and remind ourselves of the importance of communication, cooperation, and teamwork. For all of us, it is an essential message that we must always strive to learn, flex, and adapt. We have to look at our teams and our business in a new way. There is a new paradigm in retail, and we’d better step up to the plate.

For more on this topic, see “The Challenges in Dealing with Data Breaches—A Cybersecurity Panel Discussion” from the 2014 Retail Industry Leaders Association (RILA) asset protection conference.

This article was first published in 2014 and updated June 15, 2017.

Stay up-to-date with our free email newsletter

The trusted newsletter for loss prevention professionals, security and retail management. Get the latest news, best practices, technology updates, management tips, career opportunities and more.

No, thank you.

View our privacy policy.

Exit mobile version