High-profile data breaches and You

Things to keep in mind

13/03/2014

 

Target's high-profile data breach provides an excellent opportunity for retailers to take a step back and examine the security of their systems.

Already amounting to millions of dollars in expenses, the cyber attack on Target's system reveals the urgency with which merchants must bolster their defenses and ensure best practices are being followed throughout their operations. 

Proper security must be a top priority

Not only do data breaches have the potential to carry mammoth price tags, they're also a public relations nightmare. Exposing customer information can have a long-lasting impact on business.

"Retailers collect a lot of information from their customers, who trust them to manage it responsibly and keep it protected," said Retail Pro International CEO Kerry Lemos. "In its recent public statement the FBI has warned retailers that more attacks mirroring the Target breach are most likely on the way, so it's critical for merchants to evaluate their systems and implement measures to safeguard their data." 

Early reports focused on point-of-sale systems as the center of the Target breach. While payment data was extracted and hackers are targeting POS systems, a deeper analysis reveals that vulnerabilities in network systems are the true culprits opening doors to criminals.

Attackers were apparently able to hack into Target's system through a contracted HVAC worker's account. Analysts now believe that the hackers penetrated Target's internal network through a poorly secured contractor account, compromised the Windows file server and then attacked the retail management system, Security Intelligence explained. 

"Retailers must tighten their security standards throughout their network to protect customer data and keep malicious malware from their servers," said Kevin Connor, Director of Product Strategy at Retail Pro International. "The issue goes much deeper than transaction points. While the Payment Card Industry Council regulates PCI standards, complying with them is not sufficient to protect against attacks. Instead, comprehensive security must encompass the entire network."

Protecting the system

There has been much discussion about better ways to handle electronic transactions, including implementing technology like chip-and-PIN cards, which offer greater levels of protection. However, these measures don't cut to the core of the problem: poorly managed systems and devices connected to the outside world can create entry points for criminals to install malware and extract information.

To ensure that the transactions themselves are secure, retailers must choose appropriate electronic fund transfer services. There are many EFT products and platforms that can be integrated with the retail management system and are PCI compliant, offering fast, secure transactions. EFT systems should foster confidence in consumers and allow them to choose convenient payment methods.

In addition to the EFT component, retailers need to implement best practices to safeguard their entire system.

"Like in any other industry, retail IT managers need to secure their systems with top-notch, comprehensive anti-virus software, responsible encryption and password practices, as well as ongoing maintenance to mitigate weaknesses in system infrastructure and applications," Connor said. "This must be applied not only to the central infrastructure but to all devices that can access company resources."

If store employees use their own devices to connect with the retail system or contractors access system information on their own computers, retailers should enforce policies that require appropriate security measures. Overall, retailers should assess the security of their entire computer system, making sure they're following proper protocol with strong passwords, up-to-date retail management software and applications, firewalls, anti-virus and controlled user access.

In the end, a breach's toll is far more than the direct liability. The hit to customer loyalty and trust carries a huge price tag of its own. Target, for instance, reported a 22.4 percent drop in quarterly earnings (compared to the previous year) immediately following the announcement of the data breach, and recovery through the rebuilding of consumer trust will take time.

To avoid extreme situations such as this, security within the retail organization requires constant vigilance and needs to be an ongoing process. With threats on the rise and people highly concerned about information security, now is the time to bolster defenses and take an informed, well-orchestrated approach to managing retail data. The stakes are too high to do anything else.

Source: Retail Pro International, LLC