Cybersecurity At Retail: Is There Any Way To Stop The Bleeding?


Editor’s Note: Welcome to the next edition of Need to Know, in which TWICE and our parent Future plc explain complex topics and how they apply to each industry we serve, on our websites and in our magazines. Keep coming back for future topics, to include artificial intelligence, virtual reality and more.

See our full Need to Know for more information about cybersecurity. 


Any conversation involving cybersecurity and tech retailing is certain to call to mind one specific dealer. (It does, after all, have that red bull’s eye right on it.)

In 2013, Target was hit with a historic hacking effort in which consumer credit card information was stolen, affecting over 40 million accounts. Although the hacking occurred unbeknownst to the chain for several weeks, the information came to light at an extremely ill-timed moment, during the crucial holiday selling season, and, as expected, had a significant impact on Target’s Q4 and full-year sales. Net earnings fell 46 percent to $520 million for the quarter; U.S. sales slipped 3.8 percent and domestic comps dropped 2.5 percent. CEO Gregg Steinhafel abruptly stepped down several months later, acknowledging the challenges of the breach in his resignation letter.

The company said in January 2015 it incurred breach-related net cumulative expenses of $162 million, and it was ordered to pay $17 million as part of a class action lawsuit.

We talked with Doug Olenick, current web editor of SC Media, a business publication focused on information security (and former TWICE editor), to learn what consumer tech retailers need to be concerned with when it comes to cybersecurity.

While data breaches are often in the headlines, Olenick said a sophisticated case such as Target’s is still relatively rare. In Target’s case, hackers reportedly gained access to its systems by stealing login credentials from a third-party vendor.

What’s far more common are point-of-sale (POS) attacks, in which a hacker manages to obtain physical access to a system and inserts malware that records a consumer’s data every time a credit card is swiped. Home Depot was hit by a high-profile POS attack in 2014, resulting in over 50 million accounts being compromised.

Beyond serving as a financial and PR nightmare, the issues surrounding retail hacking are compounded by the fact that stores often don’t realize they’ve been attacked until it’s far too late. It’s often not until a business receives a call from a credit card company regarding strange activity that it becomes aware of an attack, and, what’s worse, hackers will often sit on the data for years, said Olenick.

“Once a breach is noticed, everyone changes their credit card information,” he noted. “[Hackers] want people to become complacent, and at some point they just max out the cards. It could be three years down the road.”

In addition to POS attacks, ransomware is another common attack that seems almost impossible to avoid. Ransomware, in which a hacker takes control of a computer system and refuses to return access until receiving payment, can be rented on the dark web for as little as $15, Olenick said. It even, he added, comes with customer service that will walk a thief through how to use it.

Olenick likened cybersecurity protection to guarding against shoplifting. Although business owners will never be able to fully secure themselves, “The first thing they have to do is like being in a 12-step program: They have to realize there’s a problem.”

With that in mind, doing something is always better than doing nothing. All corporations should have a chief information security officer, he advised. This executive’s sole responsibility should be ensuring the company’s data is locked down, and the position should rank as highly as the chief financial officer.


For smaller dealers for which such a position isn’t practical, shoring up the company’s back end with proper security software is just as important a priority. SMBs have access to the same setups as enterprise-level operations, Olenick noted. And while programs like Salesforce and ADP carry levels of protection, smaller businesses need to be mindful of in-house payroll systems that may not be secure.

Beyond these protections, there are even physical steps that should be taken to combat the “invisible” crime of hacking. Most importantly: Retailers should not leave computers or point-of-sale terminals unattended. Cyber criminals are adept at swooping in at opportune moments to quickly seize data, said Olenick, jamming in a malware-loaded thumb drive to skim credit card data.

And while an endless stream of brand-new customers sounds like every retailer’s dream, business owners still need to be cognizant of the behavior of those who enter their stores. Thieves are adept at quickly stealing customer information that may be left out on desks in the form of paper invoices.

Likewise, the simple act of leaving Post-It notes with passwords on a computer monitor is an employee habit that should be avoided yet remains quite common. Olenick cited hospitals as frequent rule breakers; while the computer systems are securely locked down, employees requiring immediate, emergency access often revert to the low-tech storage method.

And while those in life-or-death situations have better excuses than the sales associates slinging TVs and speakers, the truth is that retail is required to prioritize cybersecurity just as much as health care does.

Need to Know More?

Have a burning question about cybersecurity — or maybe a request for a different topic you’d like to see us tackle? Email us at needtoknow@futurenet.com and we’ll put our top minds on it!
