As we approach another season of shopping and consumerism, the retail industry should pay strict attention to the findings in the latest Verizon’s Data Breach Investigations Report (DBIR), an annual data breach information study conducted by the Verizon RISK Team (VERIS) with participation from the U.S. Secret Service and international national cyber security agencies in Australia, Holland, Ireland, and Britain. The study analyzed forensic evidence to examine how data breaches occurred in organizations, who caused the breaches, why they did it, how the victims responded, and how the breaches could have been prevented. 

 The 2012 DBIR focused on the retail industry which for the past two years has ranked only second behind hotel and food services as the business most plagued with data breaches.  The main reason for the high rankings of these two trades is that they use point of sale (POS) systems to conduct daily business activities, making them prime targets for criminals that exploit POS systems with weak security.  Point of sale generally refers to when money is transacted in exchange for goods or services. Retailers are especially easy targets for cyber criminals who can hijack credit card information from long distances and these kinds of attacks are low risk for the criminals who often disappear long before a data security breach is discovered.  In addition, fraudsters prefer to target small to medium businesses such as franchise owners that lack the resources and/or expertise to manage their own cyber security. 

 VERIS defines threat agents as the cause of data breach incidents and categorizes them as either external (originating outside the victim organization), internal (originating inside the victim organization) and partner (any third parties who share a business relationship with the victim.)  The report found that external threat agents were the most prolific with the majority of attacks originating fromEastern Europe, a hot bed of organized cyber crime.  Internal threats made up a smaller percentage of incidents and often involved criminals coercing retail staff to help them by either using a remote skimming device or swapping legitimate PIN entry devices and POS terminals with identical, counterfeit replacements that are rigged to capture payment card data. 

 Even though these cyber thieves can be insidious, especially during a busy holiday season, retailers can protect themselves by following a few simple data breach protection practices:

1)      Change passwords consistently on all POS systems since hackers constantly scan the web for passwords that are easy to guess.

2)      Implement a firewall on remote access/administration services.  

3)      Do not use POS systems to access the internet.

4)      Make sure your POS system is compliant with the Payment Card Industry Data Security Standard (PCI DSS) an information security standard for businesses that handles credit card information.

It’s easy for organizations to get discouraged by the proliferation of high-wire data breaches these days.  After all, if global companies can fall prey to damaging cyber attacks, what hope is there for businesses that aren’t brand name organizations?

The sense of vulnerability against hackers isn’t without merit.  A recent Ponemon Institute study concluded that cyber attacks are as reliable as rain; 90 percent of surveyed businesses were attacked at least once in the previous year, with almost half stating that there was a notable increase in cyber attacks, and 77 percent claiming that attacks had become more severe or difficult to contain.  Even the chairman of Ponemon concedes that the dream of complete security is somewhat futile, and other experts echo that there’s no solid protection against determined hackers.

The solution, experts say, is to shift from the goal of perfect security to active monitoring.

This security mindset is the opposite of the “can’t happen to me” mentality common amongst security professionals, according to a recent Tenable Network Security study.  The report noted that more than 90 percent of attendees surveyed at the 2011 Gartner Security & Risk Management Summit discussed large-scale, high-profile breaches with senior management, yet only 23 percent did anything beyond that.

One of the study’s conclusions was that security professionals had been getting by with “good enough” security measures that were adequate for auditing purposes, while being far from sufficient to truly bolster businesses against attacks, including insider threats.  Indeed, while a recent Verizon Business Data Breach Investigations Report revealed that insider threats are one of the leading sources of data leakage and theft, and nearly half of Tenable’s surveyed businesses stated that they had experienced some type of insider threat, “preventing insider threats” ranked second to last as a security priority.

What has become clear is that regulatory compliance isn’t the same thing as security.  Careless employees, which are amongst a company’s biggest security risk, can upend the best technologies and practices.  Moving data to the cloud sounds like a secure measure, until the hosting company itself gets hacked.  Think you’re safe because your organization is small?  Wrong.  Criminals are now targeting small businesses because their security measures are often weak.

Some experts advise companies to recognize their vulnerability and the fruitlessness of trying to plug every hole (although certainly endeavoring to do as much as they can in this regard).  Instead, a company’s efforts are best spent monitoring every aspect of its web traffic and reacting when new threats are identified.

Constant monitoring and always-on security can be enabled by the following steps:

1. Deploy preventative network and endpoint protection.
2. Evaluate your assets and protect them accordingly.
3. Enforce encryption and data copying policy (so, for example, if a laptop gets lost, no one can break in and pull out that data).
4. Deploy proactive data loss prevention technology.
5. Focus on best practices and impact scenarios so that your staff knows what to look for in the event of a breach.
6. Train users on sensitive information handling.
7. Think like a criminal in order to catch one.
8. Try to penetrate your own organization to see if your security defenses are up to par.

Strong cyberdefense means strong planning to mitigate the risks of a breach, strong support to help your organization fight against hackers, and a strong cup of coffee to keep your security vigilant around the clock.  After all, hackers never rest, so neither can your organization’s cyberdefense.

It seems as though every day the news headlines trumpet another high-profile data breach.  The most recent marquee breach is courtesy of a Sony PlayStation Network hacker, whose attack on the Sony and Qriocity servers between April 17th and 19th have compromised the personal data and, possibly, stored credit card information of 77 million players.  (Yes, you read that right; 77 million.)  Combine that with other recent cyber-heists affecting millions of unsuspecting consumers or residents, and many organizations have been forced to send out a dizzying array of email notifications to their customer base, many – if not all – of whom are now vulnerable to spear-phishing attacks.

With numerous different breaches affecting so many people as of late, millions of consumers are receiving emails from trusted brands noting that customer emails (and perhaps other information) have been compromised, so consumers should be wary of future emails that may appear to be sent from them…like the one they’re reading now.

Got that?

This begs the question of whether customers are starting to tune out to the onslaught of breach alerts flooding their email in-boxes.

Some security gurus believe that notifications aren’t effective and customers become numb to these alerts.  Others are convinced that breach information overload is a good thing, educating people to the dangers lurking in the cybershadows and their vulnerability to identity thieves.  After all, how do you know to watch out for email “bait” if you’re not aware there’s a phishing hook with your name on it?

Furthermore, the flip side of over-notification is under-notification.  This is something that Sony is now being accused of in a lawsuit that claims the company waited too long to notify its PlayStation customers of the recent breach, which only exacerbated customer vulnerability to credit card fraud.

The irony is that while the dramatic breaches of late have been stealing headlines (as well as data), a 2011 Data Breaches Investigations Report by Verizon indicates that total thefts from data breaches have in fact declined significantly over the past few years.  The total number of records actually compromised from these breaches was a “mere” 4 million in 2010, quite a drop from the 144 million records compromised in 2009, and the 361 million compromised records in 2008.  The bad news?  If you look at actual data breaches versus compromised records, the numbers this year are up; 760 breaches last year, an increase from 141 in 2009.

The bottom line: while fraudsters haven’t been able to recently score as much cyber-loot as in times past, this is no time to relax.  Just be aware that with the steep increase in breaches comes an equally steep increase in breach notifications, and the associated risk that breach notification fatigue will put your customers to sleep.

A big fear of business leaders and privacy professionals alike is the accidental breach of customer personally identifiable information (PII) either through the loss or destruction of company property, such as a laptop, by an employee.

However, the 2010 Verizon Data Breach Investigations report points to a different data privacy threat that is farther reaching than that of a laptop left on a plane.  The report indicates that organized crime is responsible for 85% of all stolen data in 2009. Cyber-criminals were able to take advantage of login credentials on nearly 40% of the data stolen to potentially inflict credit or financial damages on individuals. However, the study points to 98% of the ensuing data breaches being avoidable through simple controls that were not in place. Read more about this report on CNET.

Does this study indicate that companies are not doing enough to protect their customer data?  According to a 2009 Ponemon study, 70% of IT professionals in the healthcare field, for example, believe that senior management does not view privacy and data security as a top priority. The study also shows that over 60% of IT professionals surveyed believe they do not have enough resources to ensure data security requirements are met.

All too often security is not discussed until a data breach takes place. A breach may result in reduced customer trust, lost revenue and substantial costs associated with resolving the crisis.  It may be time to start the internal conversation to ensure the right systems are in place to protect customer data…before it’s too late.