As a result of the recent spate of high-profile data breaches at retailers such as Target, Neiman Marcus and others, compromising credit and debit card and other personally identifiable information for hundreds of millions of consumers in the process, data security has become priority No. 1 for many retailers in 2014. And for good reason: The consequences of suffering a data breach are numerous, and none of them are positive — consumer mistrust, a drop in traffic and a decrease in sales, to name just a few.
In an interview with Retail Online Integration in advance of next week's webinar, How to Prevent a Massive Data Breach Disaster, Chris Strand, PCIP, security compliance practice director for Bit9, a provider of software and network security services, offered his thoughts on the value of data protection in the wake of recent breaches that have left many consumers on edge. (To hear more on this timely and extremely relevant topic, register for the webinar here.)
Retail Online Integration: What's the business impact of a massive data breach such as the one at Target?
Chris Strand: It can be disastrous to any organization on a number of different levels. First, there's the immediate brand damage. The loss of critical information that was entrusted to the brand could seriously damage the relationship with the customer, resulting in loss of business as well as damage to a company's industry reputation. On top of that, when a company loses customer information, it not only has to answer to customers, but in many cases it must pay the costs of replacing the lost information. This can seriously affect the bottom line and in some cases lead to the total collapse of the business.
Another major business impact of a massive breach is the resulting fines to the company if it was discovered to be out of compliance with any major regulation it's required to adhere to. In the case of retail breaches, there's almost always a loss of credit card data. The card brands (e.g., Visa, MasterCard) would not only require that the company in question pay for the card replacement cost, but will also fine the company if it's found to be noncompliant with PCI DSS (Payment Card Industry Data Security Standard).
ROI: What's the first step retailers can take to protect themselves from such a breach?
CS: Take steps to move their security measures from a negative to a positive. More simply put, they need to get into a proactive state when it comes to the security of their systems and gain the visibility to see if all their in-scope systems (point of sale, terminals, ATMs, back-office servers, workstations, etc.) are within an acceptable configuration, not drifting into a risky state. Having full, real-time visibility throughout their systems will ensure they're compliant with IT and regulatory policy.
Many regulations and best practices around retail (e.g., PCI DSS Version 3.0) call for merchants to move to a proactive security monitoring state, where they can ensure that the security controls they put in place are effective at protecting their systems. The key is to entertain security solutions that let you take control of your systems and actively enforce the security policy, focusing on the business process defined into a trust policy or known good.
ROI: What departments of a retail organization need to be involved in the planning process to prevent future data breaches?
CS: On the surface, both security teams and compliance teams need to be in lockstep. This would include the POS security team, the IT security team, the compliance team (which could include the QSA or ISA) and, of course, the CISO or CSO, to ensure that IT decisions and directives are disseminated all the way up to the board. Also, all stakeholders within the IT security policy as well as the compliance policy must understand their respective obligations to ensure that retail systems are kept secure. It's imperative that all the players who have a responsibility to the IT security policy have complete awareness of their parts.
ROI: What are some technologies/solutions that can aid in the prevention process?
CS: First off, the market needs to shift from negative security technologies to a positive, proactive security methodology. Technologies that can enforce policy are mandatory to aid the prevention process. Security solutions that contain the data necessary to prove that a policy has been disseminated and consumed are paramount to the success of any prevention program. Technologies that focus on the business process and help organizations concentrate on their critical functions are important.
Companies need a clear picture of what's running within their infrastructure. You don't know what you don't know, and reactive or passive scanning of systems isn't going to cut it with today's cybersecurity threats. Systems need to provide real-time visibility into and focus on a trust policy that can ensure active monitoring of the critical processes of key importance, which will lower the administrative effort around collecting information on the risk of the systems.
Lastly, technologies that enable control across system boundaries that can understand and avoid unauthorized change to systems will help prevent compromise. The first step in stopping something that could cause harm is to understand what your systems should be doing in the first place. If something weren't part of your "known good," then it would be an unauthorized process for change and therefore wouldn't be allowed to cause change regardless of what it is.
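The "known good" trust policy and drift detection described in the answers above, shown as an added example that is not part of the interview or of Bit9's product: a constructed baseline of approved POS executables (path plus content hash) is compared against a constructed live inventory, with a default-deny decision for anything not in the baseline. All paths, version strings and hashes are constructed samples.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Content hash that identifies a binary regardless of its file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" trust policy for one POS terminal: every executable
# allowed to run, keyed by path with its approved content hash. In practice this
# baseline is taken from a vetted golden image, never from the system under test.
TRUST_POLICY = {
    "/opt/pos/bin/register": sha256_hex(b"register v4.2 (constructed sample)"),
    "/opt/pos/bin/pinpad-driver": sha256_hex(b"pinpad-driver v1.9 (constructed sample)"),
    "/usr/sbin/sshd": sha256_hex(b"sshd (constructed sample)"),
}


@dataclass
class DriftReport:
    modified: dict = field(default_factory=dict)      # approved path, unexpected hash
    unauthorized: dict = field(default_factory=dict)  # path absent from the policy
    missing: list = field(default_factory=list)       # approved path no longer present

    @property
    def in_known_good_state(self) -> bool:
        return not (self.modified or self.unauthorized or self.missing)


def is_allowed(path: str, content_hash: str, policy: dict = TRUST_POLICY) -> bool:
    """Default deny: only an exact path-and-hash match in the policy may execute."""
    return policy.get(path) == content_hash


def evaluate_drift(observed: dict, policy: dict = TRUST_POLICY) -> DriftReport:
    """Compare a live inventory {path: hash} against the trust policy."""
    report = DriftReport()
    for path, content_hash in observed.items():
        if path not in policy:
            report.unauthorized[path] = content_hash
        elif policy[path] != content_hash:
            report.modified[path] = content_hash
    report.missing = sorted(p for p in policy if p not in observed)
    return report


# Constructed inventory from a drifted terminal: the register binary no longer
# matches its approved hash, an unknown executable appeared, and sshd is gone.
OBSERVED = {
    "/opt/pos/bin/register": sha256_hex(b"register v4.2 (constructed, altered)"),
    "/opt/pos/bin/pinpad-driver": TRUST_POLICY["/opt/pos/bin/pinpad-driver"],
    "/tmp/updater": sha256_hex(b"unknown binary (constructed sample)"),
}
```

Running `evaluate_drift(OBSERVED)` yields one modified path, one unauthorized path and one missing path, so `in_known_good_state` is false; an inventory identical to the policy reports no drift.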