Preparing for a Data Breach This Holiday Season

It hasn’t been a slow year for cyber attackers, and with holiday shopping wrapping up, retailers should pay special attention to their cybersecurity practices.

In a survey conducted in November, cybersecurity company Tripwire found that a large majority of retail organizations aren't fully prepared for data breaches this holiday season. This is especially concerning given the recent flood of major cyber incidents this year.

Only 28 percent of survey participants said they have a fully tested plan in place in the event of a security breach. Twenty-one percent said their organization doesn't have a plan at all, and the same proportion of respondents said they didn't have the means to notify customers of a data breach within 72 hours, a requirement specified by the General Data Protection Regulation (GDPR).

As we’ve seen through the aftermath of major breaches like Equifax and Uber, failure to respond quickly and appropriately will likely land negative headlines, anger customers and possibly lead to hefty fines.

Take GDPR, for example, which applies not only to businesses in the European Union, but to any organization that handles data about EU citizens. Failure to comply with GDPR could be up to 4 percent of the annual turnover of the business.

New legislation is being proposed in the U.S. for even more severe measures. Following the latest Uber breach disclosure, top Democratic senators introduced the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days. If an individual knowingly conceals a data breach, they could face up to five years in prison.

In Tripwire’s survey, only 23 percent of respondents said they were "fully prepared" to absorb potential financial penalties. And even fewer professionals (15 percent) said they were fully prepared to manage customer and press communications following a data breach.

Not all the survey's findings were discouraging, however. The results did provide some hope that the industry is moving in the right direction. More than half of respondents (57 percent) said that their organization’s ability to detect and respond to a security breach has improved in the past year-and-a-half.

How can retailers build a strong defense to prevent data breaches in the first place?

It’s critical for retailers to have a strong set of foundational security controls in place. This involves being able to see what’s on the network at all times, “hardening” these systems by ensuring they're configured correctly and that vulnerabilities are patched, and continuously monitoring for changes and drift outside established security and compliance parameters.

These steps are the absolute essentials of security, and yet major data breaches happen because of a misconfiguration or failure to patch a known vulnerability.

There are a number of effective and established security control frameworks available to guide organizations in building a strong foundation for themselves, such as the CIS Critical Security Controls. Implementing even the most basic security controls can go a long way in improving an organization’s security posture.

Travis Smith is a principal security researcher at Tripwire, a provider of integrity assurance solutions that drive security, compliance and operational excellence.