Security breaches in the retail sector are becoming more common due to the large payoff to criminals in seizing credit card information. While hardly a month goes by without a media report announcing a retail breach, their average size has changed over the past few years. While 2014 was named the Year of the Retailer Data Breach due to large-scale incidents with industry giants like Target, Neiman Marcus and The Home Depot, 2015 was famous for equally disturbing breaches of smaller companies, whose products and services we use every day (Dungarees, Starbucks, CVS, Toys"R"Us, Wal-Mart Canada and others). This trend of “breachiness” continues in 2016, with the most recent Snapchat, Bailey’s and Seagate security incidents, proving that no company is 100 percent secure against hack attacks.
Most of the retail attacks follow nearly the same scenario. Attackers' ultimate goal is to gain access to sensitive information, both in the corporate network and the point-of-sale systems. This poses a considerable threat for retailers since 74 percent of attacks on retail and food services companies aim to compromise cardholder data. This data is in high demand on the black market and extremely attractive for hackers. Social Security numbers, bank accounts, billing addresses and wages are tempting targets for hackers. The techniques they use to compromise companies' data range from breaking directly into the corporate network to using third-party contractors or launching phishing attacks. As a result, retailers tend to suffer from financial losses, fines for noncompliance, legal issues, reputation damage and diminished customer loyalty.
Numerous Verizon Data Breach Reports prove that one of the main concerns regarding retail breaches is the alarming ease with which hackers get access to confidential data. Although retailers have an obligation to comply with PCI DSS, the 2015 Verizon PCI Compliance Report states that only 20 percent of organizations meet all requirements of the standard. This means that almost 80 percent of retailers leave the door open and put their critical assets at risk. According to the research, not a single company was fully compliant at the time of their breach. Apparently, companies don’t see compliance as a continuous process and treat it as a one-off annual duty, falling off the requirements radar once they're achieved.
Despite the fact that being compliant doesn't necessarily mean being secure, PCI DSS requirements provide high-level strategic recommendations to ensure sensitive data is protected. Therefore, retailers — regardless of size — need to stop thinking of compliance as a temporary concern, and regularly adjust their internal policies to the newest versions of PCI DSS. However, the key to protecting cardholder data is continual improvement of security procedures so they exceed the basic criteria of compliance requirements.
Deep visibility across all levels of your IT environment, continuous monitoring of user activities and granular control over changes made to permissions, system configurations and sensitive information will enable your organization to better understand what's going on in the IT infrastructure and proactively address security risks before they strike.
Unfortunately, we have to admit that even the most advanced security methods don't guarantee full protection. Even tech-savvy companies that spend thousands of dollars on cybersecurity are continuously being compromised. Therefore, more than ever retailers have to be vigilant and take steps to reduce the likelihood of data theft.
Michael Fimin is CEO and co-founder of Netwrix Corporation, an IT auditing company that provides software that maximizes visibility of IT infrastructure changes and data access.