Over the past few years, the retail and consumer industry has been hit hard by data breaches that compromise their customers’ and employees’ confidential information, such as financial and health data. For instance, we all remember the Home Depot data breach of 2014, which compromised the payment cards of over 50 million customers. Although some major retailers like Target and Lowe’s felt the full disastrous effects of major data breaches, these large-scale events have sparked a movement across the retail industry – for the better.
Since those major breaches, companies in the retail industry have taken note by making considerable strides in terms of improving their overall security plans, according to The Global State of Information Security Survey of 2016. In other words, retail companies are making an effort to put an end to the data breaches that have plagued their industry. However, despite the effort of these companies, data breaches in this field are continuing to rise. In fact, according to PwC, the number of detected security incidents in 2015 climbed 154% from 2014.
So, despite the progress, there’s still more for retail and consumer companies to know when it comes to cybersecurity. Here’s where we come in: retail companies often lack the expertise and resources necessary to perform comprehensive security evaluations, and this leads to weaknesses in their security plans. It’s important for companies to know all of the cybersecurity risks they face.
Here are 4 steps for companies to take in order to avoid data breaches in the retail industry:
1. Invest more into your company’s cybersecurity efforts.
Many companies in the retail industry have realized that it is critical to protect their data from compromise. This has led to a 67% increase in cybersecurity spending in the retail industry from 2014 to 2015, according to PwC. Alongside the spending increase, cybersecurity efforts have increased on the part of companies in the retail industry. For instance, companies are now implementing standards and guidelines for securing payment methods (covered below) and regulating third-party providers.
2. Only use secure payment channels.
Since customer payment information is often the most targeted information when it comes to data breaches in the retail industry, retail companies are beginning to practice more secure methods of payment. Following Europe’s example, many businesses in the United States are beginning to accept EMV chip cards, or payment cards that store sensitive data in a small computer chip, which protects against fraud and data theft.
There are more new secure payment methods in addition to the chip. According to PwC, retail companies are testing point-to-point encryption, next-generation firewalls, and tokenization.
3. Implement a security plan for your third-party providers.
Third-party providers are a leading cause of data breaches in many different industries, which is why proper vendor management is a must. At a minimum, vendors should be assessed on an annual basis to determine security posture.
Oftentimes, companies in the retail industry lack the time, staff, and expertise needed to conduct thorough vendor assessments, much less the remediation process that follows should security issues come up. Many data breaches are attributed to third-party partners, so professionals in the cybersecurity field must conduct vendor assessments. NuHarbor’s expert staff performs specialized assessments to evaluate the security of important company data.
One of the ways in which the retail industry has improved its security plans is by establishing guidelines for its third parties as well as frequently assessing their security posture. Keep up the good work, retailers!
4. Determine your system’s overall security posture with security risk assessments.
According to a study by Trend Micro, the leading cause of data breaches in the retail industry is hacking or malware attacks. These attacks are achieved through a variety of different infiltration methods. NuHarbor Security implements a three-step assessment process used to determine the current state of your company’s controls, identify security gaps and assign a relevant risk rating to those gaps, and provide a summary of our findings with tactical and strategic recommendations to remediate the gaps.
If you’re a professional in the retail industry who’s hesitant to move forward with cybersecurity procedures for your company’s security plan, it’s important to remember that while security gaps can be remediated after a data breach, public opinion cannot. Don’t let data breaches attributed to your company’s lack of security posture damage your brand image. Drop us a line so we can get started securing your system.
by Paul Dusini
Information Assurance Manager
Paul Dusini is the Information Assurance Manager for NuHarbor Security. He has more than thirty years of experience helping organizations successfully and safely use information systems to support business goals. He is an experienced CIO and Risk Manager and is certified in security management (CISM) and risk management (CRISC).