When news of the Heartbleed computer virus hit last month, there was a collective sigh that went up across the retail industry. As if the major security breaches of the last holiday shopping season weren't bad enough, now we're facing the prospect that a pernicious bug has been targeting the widely used OpenSSL encryption program over the past two years. You read that correctly: the virus is apparently attacking an encryption program, the one thing in an internet security arsenal that was supposed to help retailers sleep at night.
At no point in the last several decades has a company's chief information officer been more important to the overall organization. That's because if CIOs can effectively manage their customers’ privacy, they'll be able to enhance loyalty, drive sales and improve a company's stock price in the midst of this challenging new environment. The recent hacking of millions of credit cards and other confidential customer information at major retail chains has put information security on the front page. A proactive, savvy CIO can put his company's safeguards on the front page as well.
In the old days, things worked more clearly: A retail CIO linked the tills to the embedded finance system and to some credit card companies. Everything was nice and secure. Today, however, the dynamics are different — even without considering what happens when a major breach occurs. Since traditional retailers are now online commercial enterprises in their own right, they need to open their supply chains to every party that helps them get merchandise to the digital consumer. Add to these developments other trends that could make enterprises more vulnerable — "Bring Your Own Device" to work and the storage of vast amounts of data in a cloud ecosystem.
So what are CIOs to do in this challenging new atmosphere? CIOs need a multipronged strategy that starts at the very top of the organization — the CEO and the board of directors. Many retailers have embraced newer technologies very rapidly in the last 24 months. In some cases, they haven't made sure that their company's security policies and procedures have caught up with these technological advancements. It's important that they overhaul everything in a holistic manner focusing on three elements: process, technology and partnerships.
On the process side, the CIO's colleague, the chief security officer, needs to make certain that everything adheres to a single standard. Start with policies on how employees access information and share hardware across departments. Many problems have their roots in faulty policies and not in the technologies used for information protection. In fact, a recent survey revealed that 21 percent of data security incidents were because of the physical loss of items like PCs, hard drives and laptops. Another 29 percent of security issues originate in social media forums. So half the instances are not the result of technology issues.
Business teams must take responsibility for classifying company and customer data in different tiers. The attack surface is expanding rapidly as an ever-increasing volume of data flows through multiple channels. To be sure, safeguarding all data at an equally high level can prove to be an unwise strategy. Would you ever consider the same level of protection for ALL your personal assets? For instance, would you keep a $1,000 electronic gadget and $10,000 of your fine jewelry in a bank's safety deposit box? Probably not.
Along those lines, it's critical that you identify the crown jewels of your organization's data and secure these with differentiated security guidelines. Therefore, even in the unfortunate event that a breach takes place, your most precious data is the last and toughest to access. The time it would take the intruders to get anywhere near it will be enough to detect the breach and safeguard the critical data.
Technology is also vital to the CIO's strategy. The arsenal of technology safeguards within the CIO's office is formidable — secure browsers, application firewalls, secure remote access, web content filters, desktop encryption, identity management, network access control, malware protection and the list goes on. Security, however, can't be viewed merely as a series of threats to be overcome. Building a fortress around your data is only half the battle.
Add into this mix the fact that retailers are beginning to source technology through the cloud. Very little of what was once securely in-house remains there. When something such as an internet virus attacks servers around the world — servers that are invariably linked because of this new paradigm of web retail — the effects can snowball very rapidly. I heard someone ask a technology expert how he rated Heartbleed on a scale of one to 10, with 10 being the metaphysical worst. His response, which he didn't flinch in delivering, was an 11!
Sure, things are moving at a rapid pace, but that's no reason to stick your head in the sand and hope you can avoid these new realities altogether. Technology gives criminals the opportunity to steal from stores, but it also gives those retailers the tools to stop them. Target, for example, just announced (among other company developments) that it would be moving its debit and credit cards to a European-style "chip and PIN" system. I think it's brilliant that Target is using its holiday security breach as an opportunity to overhaul its data security system. The retailer could have instead chosen to point fingers and complain about the cost of moving to a more advanced system.
The delay game simply costs more in the long run. Retailers detected an average of 30 percent more security breaches year-over-year, a sign that threats are only increasing. Plus, the financial losses associated with those breaches have risen 46 percent, largely because the crimes are becoming more sophisticated. Dealing with cyber crime isn't just an IT issue anymore; it's a company issue.
Big players like Yahoo, Amazon.com and Google, the last of which discovered the virus, have the in-house resources to fix the affected web servers and go on with their business lives. But the threat of Heartbleed and other internet security issues really strikes at the core retail business that doesn't have scores of programmers to dispatch and address the problems at hand. Nor do retail CIOs have the kind of resources that technology companies have at their disposal. So it's time that CIOs make certain they have ways and required partnerships (the third part of the security formula) to address their organization's vulnerabilities.
Ah yes, the vulnerabilities. It's true that no CIO should operate under the assumption that their organization will never be hacked. An enterprise should view security incidents as critical business risks that may not always be preventable but can be managed at acceptable levels. The organization that's prepared and knows how to respond quickly and effectively to such intrusions will minimize the damage from the event and sustain its business along with customer loyalty.
Gone are the days when a CIO could set up a system and assume that their work was done. I like to think of a store's digital security in terms of how you would want to guard your loved ones at home. So you have a good, strong door at the entrance of your house. You buy a very good lock for it. Surely a robber will think twice about trying to break in when you're not at home. But what about the door to the patio? It's an older door without a decent lock. You might not think of it as a way for a robber to get in, but surely he does because of its inconspicuous nature. Try shoring up that door as well.
Now that your entrances have the best of locks, is your job done? Far from it. You need to actively monitor those entrances. Suppose you subscribe to a home security service like ADT. If so, even if a breach occurs, an alarm goes off and the police are called to investigate the scene. But there's one other step: you buy insurance to protect yourself in the event of loss.
My point is that you've thought of everything that might go wrong regarding a security breach. Why shouldn't a CIO be thinking along the same lines when it comes to a company's consumer data? Too many enterprises think security is a one-time thing. Rather, it needs to be a system and framework that's ongoing. As retailers, why don't you collaborate? You're all in this together — another reason why partnerships are so important. Suppose one retailer issues an "amber alert" when it gets wind that hackers are trying to infiltrate its data system. All other retailers would be especially vigilant.
In the case of Target, what it found was that before the breach occurred, there was an increase in transactions in the credit card black market. Was anyone associated with that company raising a red flag and asking how heightened activity in the credit card black market could affect Target's operations? What if someone even asked the simple question: How would we react in case of a breach? There should have been people urging the company to protect itself from huge liabilities.
Retail is one of the fastest-growing e-commerce industries, partly because of the number of parties involved. Consider how you bank online. You can make a lot of transactions, but it's still just between you and your financial services institution. With retail commerce, however, two parties are exchanging things. With eBay, for example, you're exposing a lot of details to many parties. What makes it extremely important for retail to have good security in place is those potential multiple points of failure in the industry.
One piece of the pie, of course, is the customer's financial information. As a consumer, I can go to a website or swipe my credit card at a point-of-sale terminal inside your shop. Even within a grocery store you have self-checkout. You swipe the card by yourself. Target had many vulnerable POS systems, but that's just the tip of the iceberg. The number of transactions in the retail industry is extremely high compared to other sectors.
Which brings us back to Heartbleed. Retailers need to make sure they've secured all the areas that hackers could potentially infiltrate. The best stores want to dazzle their customers with mobile devices, beautifully designed websites, and tablets on the showroom floor, but oftentimes they've lost track of what the liability really is. Imagine building a fancy 10,000 square-foot mansion with 20 exit points, but with the security system from your old 2,000 square-foot house. True, OpenSSL is still the most advanced protocol, but where was the vigilance? The constant monitoring?
I often wonder how many CIOs stage their own versions of monthly fire drills. If an organization is forced to come up with a way to deal with an unforeseen disaster or crisis, it brings many best practices to the forefront. For example, what are the first three things you would do as CIO if your store were hacked? You should be able to tell me without flinching or having to spend time thinking about possible answers.
There's nothing but seasoned professionals coming together to hack retailers out of their data and money. There's no reason retailers should be any less professional.
Adhikesaven Sivathanupillai is senior manager, client services, retail business unit, at Infosys, a provider of business consulting, technology, engineering and outsourcing services.