The retail industry has been rocked in recent years by security breaches that have seen consumers' personal information (e.g., credit card numbers, Social Security numbers, driver's license numbers) stolen by online hackers. Wal-Mart, Zappos.com, TJX Companies, Michaels, Polo Ralph Lauren and Gap are just some of the companies that have been targeted.
To help brands protect against the chaos that ensues as a result of a data security breach — not to mention the potential lost revenue — Tim Toews, a web security consultant and former chief information officer at Office Depot, offered a 10-step plan to help retailers maintain control of their business space (i.e., their network) and keep hackers out. Toews presented his plan during a session he led this week at the Internet Retailer Conference & Exhibition in Chicago.
"Security is a business leadership problem, not an IT problem," said Toews, adding that senior leadership needs to commit to spending on web security just like it does marketing, merchandising and other revenue-driving channels. Toews cited a recent Gartner study that recommended retailers allocate 5 percent of their IT budget to web security. Here's Toews' 10-step plan to better web security:
- Encrypt data. Any data that would cause your company issues if it were exposed (e.g., credit card numbers) needs to be encrypted, Toews said. Doing so ensures that if a hacker reaches the data it will be of no use to them.
- Segment your network and isolate your data. Network segmentation is a time and monetary investment, Toews said, but it's worth it.
- Monitor security events and keep logs.
- Install anti-virus software everywhere and keep current with patching.
- Create and train to a corporate security policy. This policy should include guidelines on the use of the internet, oversight of the use of thumb drives, and what employees should do if they believe they're the target of a phishing attack, Toews said.
- Create a security incident response team and a plan. This team should be made up of employees from various departments: IT, customer service, marketing, etc.
- Hack yourself. Find a trusted employee who doesn't have password clearance and see if they can access your network. Another test you can do is see how easy it is for someone to walk past your receptionist and out of your office with a laptop or other hardware. Web security is more than just digital in nature.
- Measure security key performance indicators (KPIs) just like you would for website performance. Examples of security KPIs include the number of invalid network log-ons and the rate of unauthorized access to production services.
- Include security benchmarks as a bonus goal for applicable employees.
- Don't boast about security effectiveness. There's no reason to bring unwanted attention to yourself among the hacker community, Toews said.
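Two of the steps above, keeping security logs and measuring security KPIs such as invalid network log-ons and the rate of unauthorized access to production services, fit together in practice: the KPIs are computed from the logs. The following is an added example written for this article, not code from Toews or from any retailer he described. The log format, the service names and the sample log lines are constructed for illustration; a real deployment would parse its own directory-service or application access logs.

```python
"""Compute two security KPIs from an access log: the count of invalid
network log-ons and the rate of unauthorized access attempts against
production services.

Log format (constructed for this example, hypothetical):
  <timestamp> <event> user=<name> src=<ip> [svc=<service> env=<env>]
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines. Events: LOGON_OK / LOGON_FAIL for network
# log-ons, ACCESS_OK / ACCESS_DENIED for requests to named services.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z LOGON_OK user=alice src=10.0.1.15
2024-05-01T09:00:07Z LOGON_FAIL user=alice src=10.0.1.15
2024-05-01T09:00:09Z LOGON_FAIL user=bob src=203.0.113.9
2024-05-01T09:00:12Z LOGON_FAIL user=bob src=203.0.113.9
2024-05-01T09:00:15Z LOGON_FAIL user=carol src=203.0.113.9
2024-05-01T09:01:00Z ACCESS_OK user=alice src=10.0.1.15 svc=orders-db env=prod
2024-05-01T09:01:05Z ACCESS_DENIED user=bob src=10.0.1.22 svc=orders-db env=prod
2024-05-01T09:01:30Z ACCESS_DENIED user=dave src=10.0.1.40 svc=payments-api env=prod
2024-05-01T09:02:00Z ACCESS_OK user=carol src=10.0.1.31 svc=catalog env=staging
2024-05-01T09:02:10Z ACCESS_DENIED user=dave src=10.0.1.40 svc=catalog env=staging
"""

# timestamp, upper-case event name, then free-form key=value fields
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Ignore tokens without '=' rather than crashing on a malformed field.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"ts": m.group("ts"), "event": m.group("event"), **fields}


def parse_log(text):
    """Parse every well-formed line; skip blank or malformed ones."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line.strip())
        if rec is not None:
            events.append(rec)
    return events


@dataclass
class SecurityKpis:
    invalid_logons: int             # KPI 1: failed network log-ons
    invalid_logons_by_source: dict  # same, broken down by source address
    prod_access_attempts: int       # all access requests to env=prod services
    prod_access_denied: int         # those that were refused

    @property
    def prod_unauthorized_rate(self):
        """KPI 2: share of production access requests that were unauthorized."""
        if self.prod_access_attempts == 0:
            return 0.0
        return self.prod_access_denied / self.prod_access_attempts


def compute_kpis(events):
    """Derive both KPIs from parsed events."""
    invalid = [e for e in events if e["event"] == "LOGON_FAIL"]
    by_source = Counter(e.get("src", "unknown") for e in invalid)
    prod = [e for e in events
            if e.get("env") == "prod" and e["event"].startswith("ACCESS_")]
    denied = [e for e in prod if e["event"] == "ACCESS_DENIED"]
    return SecurityKpis(len(invalid), dict(by_source), len(prod), len(denied))


def noisy_sources(kpis, threshold):
    """Source addresses with at least `threshold` failed log-ons, for triage."""
    return sorted(src for src, n in kpis.invalid_logons_by_source.items()
                  if n >= threshold)


if __name__ == "__main__":
    k = compute_kpis(parse_log(SAMPLE_LOG))
    print(f"invalid log-ons: {k.invalid_logons}")
    print(f"prod unauthorized rate: {k.prod_unauthorized_rate:.2f}")
    print(f"sources with >=3 failures: {noisy_sources(k, 3)}")
```

Reporting the failed-log-on count broken down by source address, as `noisy_sources` does, turns the raw KPI into something the incident response team from the plan can act on: a single address producing most of the failures is a different problem from failures spread evenly across the workforce.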
Retailers need to be persistent when it comes to web security, Toews said. Hackers aren't going away any time soon. Therefore, make security a corporate priority. It should be part of your brand's culture just like driving revenue is.