Cyber-crime is big news at the moment - barely a day goes by without news of another huge security breach - and the Target hack in December was one of the biggest.
Target’s recent hack has been a PR disaster for the US retailer - with 40 million credit card details stolen, customer confidence in the retailer is rock bottom.
Cyber-crime is a term that already sounds like an outdated remnant from the 1990s, but at the same time it is one of the biggest threats retailers face today. Not only this, but it’s one that is constantly morphing and evolving.
“It’s an on-going tale, one that is constantly moving,” says Andrew Rose, principal analyst for security and risk at Forrester Research. “But from the outside it looks like nothing much has changed.” This makes it hard to convince chief executives of the need for more budget, he says, and to ensure the business is as alert as it needs to be.
Cyber-crime has changed over the past couple of years – there are now more opportunities for criminals to target retailers, and their methods have become more sophisticated. Graham Cluley, an independent security analyst, says: “Cyber-crime has grown up and become a thriving industry. One of the consequences of this is that the people who hack you won’t use the data – they will sell it on. This is an industry at work here, you need to be organised to protect yourself against it.”
There are several steps retailers can take to improve their data security.
1) PCI compliance is not enough.
Cluley says: “The PCI standard for the payment card industry involves how retailers store information, and how they encrypt it on their servers. But that is a minimum benchmark. When you are dealing with millions of transactions every day you need to go further.” Rose adds: “Compliance is the starting point, not the end goal.”
2) Protect every step.
In Target’s case, Cluley says, the hackers managed to scrape credit card numbers from the computer’s memory, where data is stored for a few seconds before being moved to a retailer’s encrypted servers. Cluley advises protecting every stage of the process, rather than just the server.
3) Check hardware.
Cluley says: “If you’re buying retail hardware off the shelf, you don’t know if it’s been tampered with. Hackers in the past have managed to infiltrate hardware.” He says weighing specialist IT equipment can give an idea of whether something has been added to it, but it’s a difficult thing to do. Retailers should also constantly check if the hard disc of a system has been altered.
4) Monitor data movement.
Cluley advises using software that monitors the movement of data across the organisation, meaning anything unusual can be picked up.
5) Discuss the issue with other retailers.
Meeting informally with others in the same boat and comparing notes can help retailers work out what best practice actually looks like.
6) Keep updating your strategy.
Rose says the threats to retailers are always changing, meaning security teams need to constantly update their response.
7) Accept 100% safety is unachievable.
Rose says: “When you look at what Target do generally they are pretty good. The size and scale of the organisation means security becomes difficult to maintain. There will always be a risk window and it gets tougher as the company gets bigger.”
8) Don’t trust anything.
Rose says systems and servers should be built to check everything they come into contact with. “Your server should not trust anything around it. Every communication it receives it should verify.”
9) Use white listing.
White listing is the process of identifying the programmes that are allowed to run on the point of sale system, for instance, and not allowing any other software to run on it. Rose says this can help prevent malware being placed on a system.
10) Use honey pots.
Rose says the use of honey pots can help retailers identify suspicious activity. It would involve setting up a database called ‘customer credit card data’, for instance, that would hold nothing but bogus data. Anyone trying to access that database is an immediate red flag for the security team, because no one in the business would have any reason to use it.
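The decoy-database check described above, as an added example that is not from the article or from any retailer's systems: a small Python detector that reads database audit-log lines in a constructed format and raises an alert on any access to a decoy table, whatever the action or account. The decoy table name, the log-line format and the sample log lines are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Decoy table names are an assumption for this example; the article's own
# suggestion is a database called 'customer credit card data' holding bogus data.
DECOY_TABLES = {"customer_credit_card_data"}

# Constructed audit-log line format (not any real database's format):
# <ISO timestamp> user=<account> host=<client> action=<verb> table=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    host: str
    action: str
    table: str

def parse_line(line):
    """Return the fields of one audit line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_decoy_access(lines, decoys=DECOY_TABLES):
    """Alert on every touch of a decoy table, whatever the action or account.
    No legitimate job reads or writes the decoy, so even a SELECT by a
    privileged service account is a red flag; the match is case-insensitive."""
    wanted = {d.lower() for d in decoys}
    alerts = []
    for line in lines:
        f = parse_line(line)
        if f and f["table"].lower() in wanted:
            alerts.append(Alert(**f))
    return alerts

# Constructed sample log: two normal queries, one malformed line, two decoy hits.
SAMPLE_LOG = """\
2013-12-15T02:14:07Z user=pos_app host=10.0.5.21 action=INSERT table=transactions
garbage line that does not match the format
2013-12-15T02:15:33Z user=svc_backup host=10.0.9.4 action=SELECT table=Customer_Credit_Card_Data
2013-12-15T02:16:01Z user=dba_admin host=10.0.1.7 action=SELECT table=orders
2013-12-15T02:16:40Z user=pos_app host=10.0.5.21 action=DUMP table=customer_credit_card_data
"""
if __name__ == "__main__":
    for a in find_decoy_access(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a.ts} {a.user}@{a.host} {a.action} on decoy {a.table}")
```

Because nothing in the business has a reason to use the decoy, the detector needs no allow-list of permitted users, which is what makes the signal so clean compared with alerting on the real tables.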
11) Check everything more often.
“It’s a bit old hat, but it doesn’t happen as much as it should,” Rose says. “Check everything regularly to make sure it is still in the same state as you designed it to be.”