Hardly a month goes by without a media report of another security breach in the retail industry. Target, eBay, Neiman Marcus, The Home Depot, Jimmy John's, Dairy Queen — the list of large retail and restaurant chains exposed to cyberattacks in recent years is unprecedentedly long. A retail data breach isn't only large in terms of the number of people affected, but also in its cost. The August 2013 Nilson Report marked an almost sixfold increase in credit card fraud cost since 2000, and that figure is expected to keep growing.
The tendency toward "breachiness" is well documented in successive Verizon Data Breach Investigations Reports. Payment card data remains one of the easiest types of data to convert to cash, and thus is the preferred target of criminals. This poses a clear danger for IT departments, considering that 74 percent of attacks on retail, accommodation and food services companies target payment card information. As a result, organizations suffer monetary losses (e.g., huge unplanned investments in IT security or fines for noncompliance), drops in profit, litigation, reputation damage and diminished customer loyalty.
What primarily raises concerns among authorities, business owners and their customers is the alarming ease with which cyber criminals are able to gain access to sensitive information that's held by retailers. Despite an obligation to comply with PCI DSS, only 11 percent of the companies managed to meet all 12 requirements of the standard, according to the 2014 Verizon PCI Compliance Report. That means that almost 90 percent of companies left the door open and provided opportunities for a data leak.
Verizon's report exposed the main problem: companies don't see compliance as a continuous process, but treat it as a one-off annual duty; once the requirements are met, they fall off the radar. Despite increased attention toward strengthening overall security, organizations still struggle to streamline compliance. According to the 2015 Verizon PCI Compliance Report, not a single company was fully compliant at the time of its breach. Meeting compliance requirements doesn't by itself prevent a security breach, whereas being secure can prevent falling out of compliance.
Simply Be Aware
Security isn't always about investing in the most expensive solutions. Rather, it's about adopting strong security policies and integrating them into day-to-day activities. Consider Target's case. It had a proper compliance validation assessment with PCI Security and spent $1.6 million on a malware detection system, yet overlooked warnings about the intrusion. This shows that investing a fortune in sophisticated IT security systems and obtaining compliance certificates doesn't guarantee that all data is well protected by default. With the amount of information held by organizations constantly changing and growing, a single malicious, unnoticed modification may lead to a data leak. So what can retailers do to prevent data breaches?
The main goal is to stop thinking of compliance as a temporary concern. The requirements weren't created for the sake of passing annual compliance audits, but to give organizations an idea of how to protect cardholder data. "PCI DSS should be seen as a set of minimum standards — a compass, not a road map," states the 2014 Verizon Report. Organizations should focus on the proper performance of their security policy components and their adoption as "business as usual." Streamlining compliance is hard work, but it must be done on a daily basis.
"Today's cybersecurity landscape is changing," said Rodolphe Simonetti, director of compliance and governance professional services for Verizon Enterprise Solutions. "As a result, organizations need to change the way they approach security. Businesses need to adopt a model that we call ‘resilience,’ which means they must accept they can never be fully secure. There's no silver bullet for data protection."
The vital part of being compliant is treating security as a serious challenge and allocating resources to deal with it. Don't underestimate the amount of work required to achieve PCI compliance; it's a first step toward making overall security one of the most important business goals today — but it's worth the effort.
Alex Vovk is the president and co-founder of Netwrix, a provider of change and configuration auditing solutions for strengthening security and compliance as well as optimizing operations.