When people think of the security threats that retail organizations face every day, their first thoughts are usually data breaches and cyberattacks. That is no surprise, as these incidents are what usually make headlines. According to the 2018 Cost of a Data Breach Study, the retail industry ranked fifth in frequency of data breaches.
Since the dawn of the digital age, we’ve fought cyber pirates with tools like firewalls, encryption, strong passwords, antivirus software and white-hat hackers.
But with so much attention on combating cyber risks, we sometimes forget about the other side of the coin: the risk that proprietary data will be physically removed from a retail company’s headquarters, corporate offices, warehouses or even their data centers.
These threats have the same high stakes, which means the physical protection of private company files and customer information like credit card numbers and addresses is of equal importance.
In a survey conducted by Deloitte on cyber risk in retail, respondents cited the three most concerning sources of attack as organized criminals, disgruntled employees or former employees, and accidental misuse by authorized users. Yet many organizations' IT or security personnel rarely consider that a current employee or outside contractor can use a flash drive or other device to carry private company data out of one of their facilities.
To remain vigilant, retail companies must focus on four main risks to physical data security when creating a comprehensive approach to protecting critical assets.
Risk 1: The Insider Threat
Every retail company has at least one disgruntled employee, whether it knows it or not. That means every organization is at risk of having data walk out of the building with that employee.
People steal data from their workplaces because they see some means to an end, whether it’s to expose something embarrassing or damaging due to a personal vendetta, or because they can sell it to a competitor or the media and benefit financially. In fact, they don’t even need to be disgruntled; they might just want a quick way to make a buck.
Risk 2: The Outsider Threat
Retail companies need to be wary of threats from outsiders as well.
These can come in the form of the corporate spy—someone specifically hired to pose as a legitimate employee or private contractor in order to extract information—or the opportunistic thief—a contractor hired to work on a server or in sensitive areas, who sees an opening and seizes it.
Either one is equally damaging to sensitive data because of the physical access they have.
Risk 3: The Seemingly Innocent Personal Item
Two types of personal items can be used to steal data: the commercially available off-the-shelf (COTS) variety, and the intentionally disguised variety.
COTS devices include SD cards, external hard drives, audio recorders and even smartphones, any of which can be used to transport audio, video and computer data in and out of a building.
Intentionally disguised devices could be a recording device that looks like a car key fob, or a coffee mug with a USB drive hidden in a false bottom.
The difference between COTS and disguised devices is that if one gets caught with a COTS device, security will know what it is and can confiscate it. The disguised device looks like a security-approved item anyone could be carrying into the workplace, making it especially devious.
Risk 4: Poor or Nonexistent Screening
This risk creates or amplifies all of the other three. Whether it’s an employee, an outside contractor or a device, the physical security risks are real, and everyone and everything entering and leaving a building needs to be screened.
Unfortunately, screening often either isn’t occurring at all, or is ineffective or inconsistent when it does occur.
This is a serious mistake, and the consequences can be dire. In the private sector they range from loss of customer trust to exorbitant lawsuits and tanking stock prices. Costs and resource use rise as well during the reactive effort to contain and remediate the effects of physically stolen data.
The risk that information will be physically removed from a building on a piece of hardware has never been greater. Years ago, it was much harder for the average individual to work out where to sell stolen data. Now, on the dark web, anyone with Tor can reach marketplaces and forums where buyers, from competitors to spy agencies, request specific kinds of information, which makes it more likely that people will try.
The good news is that all of these threats can be mitigated.
Combating the Physical Risks to Data Security
Not long ago, the building/physical security department and the IT/cybersecurity department were considered two different entities within an organization, with little overlap or communication.
Organizations now are realizing that, because of the level of risk they face from both internal and external threats, they must take a holistic approach to data security. Physical data security and cybersecurity must be considered the yin and yang of an airtight policy that effectively protects sensitive or confidential assets from a malicious attack.
Technology to Enable Physical Data Security
Electronics such as hard drives, cell phones, smart watches, SD cards and recording devices have a magnetic signature because of the ferrous metals inside them. A ferromagnetic detection system (FMDS) placed where people enter and exit a building or restricted area alerts when such an item passes through, allowing confiscation or further action as needed. Vendors claim detection down to a microSD card, but the smallest item a given installation reliably catches depends on the item's ferrous content, the sensor's sensitivity setting and its distance from the sensor, so the threshold should be validated with test objects during installation and after any change to the surroundings.
FMDS uses passive sensors that measure disturbances in the Earth's magnetic field caused by a ferromagnetic object moving through the detection zone.
Because it is passive, it emits nothing and can run continuously, and for small ferrous objects it is more sensitive than hand wands or the walk-through metal detectors typically seen in airports, which are generally not tuned to catch very small ferrous items. The trade-off is that FMDS registers only ferromagnetic material, and only while it is moving: a device built largely from non-ferrous metal, or one held still beside the sensor, will not trigger it, so FMDS complements other screening rather than replacing it.
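To make the passive principle concrete, here is a toy model of how an FMDS-style detector turns a magnetometer stream into alerts. It is an added illustration, not code from this article or from any FMDS vendor, and it assumes a hypothetical single-channel sensor, a slowly adapting baseline, a fixed deviation threshold and a short debounce; the field values and object amplitudes are constructed, not measured. It shows three things the text only states: a moving ferrous object produces a transient that trips the threshold, a much smaller object is caught or missed purely depending on where that threshold sits, and a gradual change in the field is absorbed by the baseline and never alerts.

```python
"""Toy model of passive ferromagnetic detection (added example, not vendor code).

Assumptions (hypothetical): one magnetometer channel at a fixed sample rate,
an exponentially adapting baseline, a fixed deviation threshold and a debounce
of a few samples. Field values and object amplitudes are constructed.
"""
from dataclasses import dataclass

EARTH_FIELD_UT = 50.0  # rough magnitude of Earth's field, in microtesla


def synthesize(n, bump_amplitude=0.0, bump_start=None, bump_len=0, noise=0.02):
    """Constructed magnetometer trace: Earth's field plus small deterministic
    jitter, with an optional transient bump standing in for a ferrous object
    passing through the detection zone."""
    samples = []
    for i in range(n):
        jitter = noise * ((i * 7) % 5 - 2) / 2.0  # reproducible +/- jitter
        value = EARTH_FIELD_UT + jitter
        if bump_start is not None and bump_start <= i < bump_start + bump_len:
            value += bump_amplitude
        samples.append(value)
    return samples


@dataclass
class Detector:
    threshold_ut: float = 0.5  # deviation from baseline that counts as a disturbance
    min_samples: int = 3       # consecutive disturbed samples needed before alerting
    alpha: float = 0.01        # baseline adaptation rate; slow so transients stand out

    def run(self, samples):
        """Return the sample indices at which an alert is raised."""
        baseline = samples[0]
        disturbed = 0
        alerts = []
        for i, s in enumerate(samples):
            if abs(s - baseline) > self.threshold_ut:
                disturbed += 1
                if disturbed == self.min_samples:  # alert once per disturbance
                    alerts.append(i)
            else:
                disturbed = 0
                # Adapt only while undisturbed so a passing object is not
                # learned as the new normal.
                baseline += self.alpha * (s - baseline)
        return alerts


def scenario_passing_device():
    """A phone-sized ferrous object crosses the zone: one alert expected."""
    trace = synthesize(300, bump_amplitude=3.0, bump_start=100, bump_len=10)
    return Detector().run(trace)


def scenario_tiny_device(threshold_ut=0.5):
    """A much smaller ferrous mass crosses the zone. Whether it is caught
    depends entirely on where the threshold is set."""
    trace = synthesize(300, bump_amplitude=0.2, bump_start=100, bump_len=10)
    return Detector(threshold_ut=threshold_ut).run(trace)


def scenario_slow_drift():
    """The field changes gradually (an object eased in over many seconds, or a
    steel door moving nearby): the adaptive baseline absorbs it and nothing
    fires, which is why passive detection needs the object to move through
    the zone at walking pace."""
    trace = [v + 2.0 * i / 1000 for i, v in enumerate(synthesize(1000))]
    return Detector().run(trace)


if __name__ == "__main__":
    print("passing device:", scenario_passing_device())                 # [102]
    print("tiny device, default threshold:", scenario_tiny_device())    # []
    print("tiny device, threshold 0.1 uT:", scenario_tiny_device(0.1))  # [102]
    print("slow drift:", scenario_slow_drift())                         # []
```

The threshold is the knob an installer actually tunes: lowering it from 0.5 to 0.1 catches the small object in this model, but in a real deployment it also raises the rate of nuisance alerts from keys, belt buckles and nearby steel, which is why the caveat above recommends validating the setting with test objects rather than trusting a datasheet figure.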
Recognizing the existing threats, putting together a holistic security strategy, and using the right technology to detect illicit devices make up an effective three-pronged approach to protecting an organization's data.
Strong countermeasures are necessary because data loss can come from both inside and outside, in both private and public sectors, from places not everyone considers. With technology like FMDS acting as a backup to the human element, organizations can lock down their data and keep the wolves in sheep’s clothing from getting in the door.
This post was originally published on February 6, 2019 and updated May 23, 2019.