Last week Talk Talk chief executive Dido Harding found herself making an announcement no boss ever wants to make: online hackers had accessed sensitive customer information.
Retailers know all too well they are sitting on a wealth of valuable data. Certain types of information are worth real cash to hackers who can access their databases and sell on customers’ details. Ranging from simple names and email addresses right up to sensitive financial information and login details, the price goes up accordingly.
Data hacks are also affecting retailers. Dixons Carphone has been the victim of a high-profile hack, and Target in the US has also been hit, to name just two.
So what does the Talk Talk experience tell us about modern cyber security and, more importantly, modern hacking? And what are the warning signs retailers need to be aware of?
So soon after the Talk Talk hack, the picture is a little hazy. If it turns out to be an SQL injection hack, in which a hacker or group of hackers uses crafted input to a website to reach a database that should be impregnable, then there are some serious questions for the company to face. One of these is around encryption, which doesn’t stop the more ingenious hackers getting into a database but does stop the data they reach being readable.
Mark Lewis, chief technology officer at ecommerce consultancy Practicology, says encryption should be a basic step for any retail business, large or small.
He says: “Any business that is not encrypting its customer data should be asking itself ‘why not?’. However secure you can make your environment, one shouldn’t assume that no hacker will ever find a back door, and encryption provides that extra layer of security if they do.”
Kevin Foster, testing services manager at MTI Technology, says that, as a rule, retailers need to start “years in advance” when building a totally secure site and bear some key lessons in mind.
One of the most important steps, he says, is to focus on weak spots in your site where known threats have been able to penetrate. He says: “Make sure your web server is secure and fully patched up; make sure web apps such as your login portal have been developed with secure coding principles in mind and without known flaws being present.”
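The SQL injection scenario raised above and Foster’s point about a login portal built on secure coding principles come down to the same thing: whether user input can alter the query the database runs. The following is an added illustration, not code from the article or from Practicology or MTI; it assumes a simplified Python login check against an in-memory sqlite3 table with constructed sample rows, and shows a string-built query beside its parameterised replacement.

```python
import sqlite3

# Constructed in-memory customer table with sample rows (not real records).
# Passwords are stored in clear here only to keep the demonstration short;
# a real system would store and compare password hashes.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, password TEXT)")
    db.execute("INSERT INTO customers VALUES ('alice', 'correct horse')")
    db.execute("INSERT INTO customers VALUES ('o''brien', 'battery staple')")
    db.commit()
    return db

def unsafe_login(db, username, password):
    # The flaw: user-controlled text is spliced into the SQL itself, so a
    # quote character in the input changes the statement the database runs.
    sql = ("SELECT 1 FROM customers WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None

def safe_login(db, username, password):
    # Parameterised query: the statement text is fixed and the values are
    # bound separately, so input is only ever compared as data.
    sql = "SELECT 1 FROM customers WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def demo():
    # Compare both checks on a legitimate username that contains a quote.
    db = make_db()
    results = {
        "safe_valid": safe_login(db, "alice", "correct horse"),
        "safe_wrong": safe_login(db, "alice", "wrong"),
        "safe_quote": safe_login(db, "o'brien", "battery staple"),
    }
    try:
        unsafe_login(db, "o'brien", "battery staple")
        results["unsafe_quote"] = "ok"
    except sqlite3.OperationalError:
        # The stray quote reached the SQL parser as syntax: evidence that
        # input can rewrite the query, which is exactly what SQL injection
        # abuses. The parameterised version handles the same name cleanly.
        results["unsafe_quote"] = "syntax error"
    return results

if __name__ == "__main__":
    print(demo())
```

A code review or automated scan that flags every query built with string formatting or concatenation is a cheap way to find the first pattern before an attacker does.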
As well as these potential entry points, there are things a retailer can do, says Foster, to “secure the perimeters” of their databases. “They can put in web app firewalls to block access and data leakage prevention (DLP) methods to prevent information coming out,” he says.
Another crucial factor, especially in ecommerce, is the close guarding of credit card and other financial data. Naturally this is well regulated and retailers must abide by certain international standards, namely the Payment Card Industry Data Security Standard (PCI DSS), overseen by the PCI Security Standards Council. Retailers should also ensure that they’re holding their own developers and third parties to these same standards.
For retailers concerned about their own security, there is a range of guidance from government bodies and agencies. The police have issued their own guidelines, and the relevant legislation, the Data Protection Act, comes under the purview of the Information Commissioner’s Office (ICO).
The retailer’s staff, and administrators in particular, should be educated not to browse the internet while logged in as an administrator. Its PCs should be fully patched and hardened, with current antivirus and antimalware software installed, and its staff should receive security awareness education, because a compromise of the database administrator’s computer could lead to a compromise of the retailer’s database.
Foster says: “User education is a lifetime struggle for businesses – sometimes they are the biggest threat. But there are things retailers can do to educate people, such as encouraging them to update their security software regularly, and not browse the web through an account with administrative controls.”
There are sites – such as the Cyber Streetwise initiative led jointly by the Home Office, the Department for Business, Innovation & Skills (BIS) and the Cabinet Office – which retailers can link to as a reference for their own customers.
It’s extremely unlikely the threat of cyber crime will ever disappear, but it’s up to retailers to try to keep pace with the evolutions in security and protection to ensure they do not become the next victim, putting the trust in their brand at stake, not to mention their customers’ precious data.