Sure, things are moving at a rapid pace, but that's no reason to stick your head in the sand and hope you can avoid these new realities altogether. Technology gives criminals the opportunity to steal from stores, but it also gives those retailers the tools to stop them. Target, for example, just announced (among other company developments) that it would be moving its debit and credit cards to a European-style "chip and PIN" system. I think it's brilliant that Target is using its holiday security breach as an opportunity to overhaul its data security system. The retailer could have instead chosen to point fingers and complain about the cost of moving to a more advanced system.
The delay game simply costs more in the long run. Retailers detected an average of 30 percent more security breaches year-over-year, a sign that threats are only increasing. Plus, the financial losses associated with those breaches have risen 46 percent, largely because the crimes are becoming more sophisticated. Dealing with cyber crime isn't just an IT issue anymore; it's a company issue.
Big players like Yahoo, Amazon.com and Google, the last of which discovered the flaw, have the in-house resources to fix the affected web servers and go on with their business lives. But the threat of Heartbleed and other internet security issues really strikes at the typical retail business, which doesn't have scores of programmers to dispatch to address the problems at hand. Nor do retail CIOs have the kind of resources that technology companies have at their disposal. So it's time that CIOs make certain they have the means, and the required partnerships (the third part of the security formula), to address their organization's vulnerabilities.
Ah yes, the vulnerabilities. It's true that no CIO should operate under the assumption that their organization will never be hacked. An enterprise should view security incidents as critical business risks that may not always be preventable but can be managed at acceptable levels. The organization that's prepared and knows how to respond quickly and effectively to such intrusions will minimize the damage from the event and sustain its business along with customer loyalty.
Gone are the days when a CIO could set up a system and assume that their work was done. I like to think of a store's digital security in terms of how you would want to guard your loved ones at home. So you have a good, strong door at the entrance of your house. You buy a very good lock for it. Surely a robber will think twice about trying to break in when you're not at home. But what about the door to the patio? It's an older door without a decent lock. You might not think of it as a way for a robber to get in, but the robber surely does, precisely because it's so inconspicuous. Try shoring up that door as well.
Now that your entrances have the best of locks, is your job done? Far from it. You need to actively monitor those entrances. Suppose you subscribe to a home security service like ADT. If so, even if a breach occurs, an alarm goes off and the police are called to investigate the scene. But there's one other step: you buy insurance to protect yourself in the event of loss.
My point is that you've thought of everything that might go wrong regarding a security breach. Why shouldn't a CIO be thinking along the same lines when it comes to a company's consumer data? Too many enterprises think security is a one-time thing. Rather, it needs to be an ongoing system and framework. As retailers, why don't you collaborate? You're all in this together, which is another reason why partnerships are so important. Suppose one retailer issues an "amber alert" when it gets wind that hackers are trying to infiltrate its data system. All other retailers would then be especially vigilant.
In the case of Target, what it found was that before the breach occurred, there was an increase in transactions in the credit card black market. Was anyone associated with that company raising a red flag and asking how heightened activity in the credit card black market could affect Target's operations? What if someone even asked the simple question: How would we react in case of a breach? There should have been people urging the company to protect itself from huge liabilities.
Retail is one of the fastest growing e-commerce industries, and that growth is partly because of the number of parties involved. Consider how you bank online. You can make a lot of transactions, but each one is still just between you and your financial services institution. With retail commerce, however, two parties are exchanging things. With eBay, for example, you're exposing a lot of details to many parties. What makes it extremely important for retail to have good security in place is those potential multiple points of failure in the industry.
One piece of the pie, of course, is the customer's financial information. As a consumer, I can go to a website or swipe my credit card at a point-of-sale terminal inside your shop. Even within a grocery store you have self-checkout. You swipe the card by yourself. Target had many vulnerable POS systems, but that's just the tip of the iceberg. The number of transactions in the retail industry is extremely high compared to other sectors.
Which brings us back to Heartbleed. Retailers need to make sure they've secured all the areas that hackers could potentially infiltrate. The best stores want to dazzle their customers with mobile devices, beautifully designed websites, and tablets on the showroom floor, but oftentimes they've lost track of what the liability really is. Imagine building a fancy 10,000 square-foot mansion with 20 exit points, but with the security system from your old 2,000 square-foot house. True, OpenSSL is still the most advanced protocol, but where was the vigilance? The constant monitoring?
I often wonder how many CIOs stage their own versions of monthly fire drills. If an organization is forced to come up with a way to deal with an unforeseen disaster or crisis, it brings many best practices to the forefront. For example, what are the first three things you would do as CIO if your store were hacked? You should be able to tell me without flinching or having to spend time thinking about possible answers.
It's nothing but seasoned professionals coming together to hack retailers out of their data and money. There's no reason that retailers should be any less professional.
Adhikesaven Sivathanupillai is senior manager, client services, retail business unit, at Infosys, a provider of business consulting, technology, engineering and outsourcing services.