If you’re the CIO of a retail company like Carphone Warehouse, Target or T-Mobile, do you rest easy at night knowing your company’s data is safe and secure, or do you feel constantly on edge about the next attack?
These three companies, as you probably know, have fallen victim to high-profile cybercrimes in recent years.
- Carphone Warehouse had the personal data of 2.4 million customers breached in August 2015.
- Target recently shelled out $10 million to victims of a major credit card fraud that happened in 2013.
- And just this June, a T-Mobile employee was caught trying to sell the data of 1.5 million customers to a third party.
The escalating nature of cyber threats should concern all businesses in the retail space. Retail fraud was the No. 1 most reported type of online crime in the UK in 2015, rising 71% to 8,163 reported cases in the year. And surveys show the effect of a data breach on reputation and consumer confidence, for retailers especially, can be long lasting.
Even more alarming, in the UK, the Brexit vote is causing confusion about what will be required of retailers after the EU’s General Data Protection Regulation (GDPR) takes effect.
Beyond concerns of compliance, security threats have evolved into organised and professional operations. No longer is it the lone hacker in the basement breaking into companies to impress friends. Today's online attackers are far more likely to use highly skilled, low-wage labour in places like Estonia and Ukraine, or China, where millions of Chinese go-getters can take courses in hacking, a totally legal area of study in that country.
So-called zero-day attacks, which exploit a vulnerability not yet known to the vendor (and therefore not yet patched), have become far more dangerous because knowledge of such flaws is traded and shared among attackers, allowing many of them to exploit the same weakness before a fix exists. And this is just one type of threat. (This blog post gives an extensive and scary rundown of the many ways retailers can be infiltrated.)
Security by design
The growing sophistication and “industrialisation” of hacking in retail requires a new approach. Companies should opt for what I call “security by design,” something built into every point of the IT infrastructure, rather than something “bolted-on” at the very end.
The analogy I like to use is that of building a house, office or even a shop. If you don't consider how best to heat and cool your building in the initial design, nothing you do at the 11th hour will make much difference. You will be cold in the winter and hot in the summer. But if you plan from the start by including strong walls, thick insulation and an efficient HVAC system, the building will cost less to run and perform better.
In the same way, security should be part of all business and IT decisions. In retail, that means conducting a threat assessment, reducing the attack surface throughout the organisation, improving protective controls, investing in threat detection and preparing teams to respond quickly to incidents. It means educating employees and third-party vendors about safe data handling and giving them up-to-date tools to prevent fraud.
It's a big job, but one that can be accomplished with the help of an expert partner. And here's some encouraging news: the total cost of ownership of a security programme is lower when security is designed in from the start than when it is bolted on afterwards.
A competitive advantage
With built-in protection, businesses start from a stronger position to implement ongoing security enhancements while maintaining defences against ever-changing threats.
There may be no such thing as foolproof protection. But the goal, at minimum, is to present a less attractive target. With the right approach and the right technology, retailers can reduce their attack surface and make a breach far less likely.
In dangerous times, that’s an increasingly important competitive advantage.
Simon Moore leads Cyber for CSC UK and Netherlands. He helps clients embrace a Secure Digital Transformation.