Retail Data Security: Preparing for the Top Threat for Holiday Breaches


Here’s the question of the season: What is the true cause of the retail breaches we read about year after year? While malware or ransomware may get most of the scary security press, they aren’t in fact the main culprit. The primary cause of most retail breaches is, by far, stolen credentials. These are the usernames and passwords of employees, contractors or partners of a retail firm. Victim firms such as Target Corp., Home Depot, eBay and others have fallen prey to similar attacks in recent years: a trusted insider’s credentials were stolen and hackers used those to access the network. In some cases, the credentialed access led to the installation of malware on card reader systems, while in others, hackers took different paths.

The point is clear, however: the access credentials of trusted insiders are in fact the biggest risk factor for a breach in the retail sector. Verizon’s annual data breach survey, released earlier this year, confirms this: credential attacks were identified as the top source of data breaches, with 63% of breaches occurring via weak or stolen credentials.

This isn’t a particularly new insight. The Target and Home Depot breaches, both via stolen vendor credentials, happened more than two years ago. And yet, as the Verizon report indicates, large firms are still quite vulnerable to credential attacks. Why is a credential-based attack so hard to detect? The point of the attack is to impersonate a valid user (an employee, contractor or some other insider) going about his or her daily job. When a financial analyst logs into a financial system using her regular ID and password, for example, we do not expect an alarm to sound.

The retail environment has some unique factors that make detection more difficult. For example, retailers employ large numbers of seasonal workers, so knowing whether a particular person should be allowed near a secure server in the back room of a store may be difficult. The general buzz and chaos in retail stores may weaken security checks, and sheer volume of transactions, returns, special orders, and the like can distract employees and open up security gaps.

There are, however, concrete steps that can be taken.

The first is simple: most if not all retailers have two networks, one corporate and one retail (in-store). Human resources, research and development, accounting, and other corporate functions operate on the corporate network. Point of sale systems, cashiers, and store managers operate on the retail network. In theory, these networks are completely walled off from each other, using two-factor authentication and other security systems. A temporary sales clerk should not be able to access the payroll system at corporate headquarters and download employee social security numbers, just as an HR specialist at headquarters should not be able to access the credit card database within a store point-of-sale (POS) server. This is especially sensitive since many retailers haven’t yet rolled out chip-and-pin readers. If a card number is stolen from a POS system, it’s usable in many places.

A basic check would be to ensure that the two-factor authentication system between the corporate and retail networks is working correctly, is updated with patches, and is applied as broadly as possible. However, this is not always the case, and there have been instances where hackers have been able to steal a corporate user’s credentials (using a keylogger or other type of malware) and then bypass the authentication system to connect to hundreds of in-store POS systems. Perhaps the system configuration has “drifted” over time and needs re-certification. This is an easy check on network security risk.

Another step relates to context—in other words, understanding what is normal. As mentioned above, a retailer during the holiday season manages chaos on a daily basis. It is too easy for attacks to slip by without notice during the noise and commotion. Recall the advice given to New Yorkers after 9/11: “If you see something, say something.” While relying on employees to notice unusual behavior is fine, a better approach is to augment humans with smart technology that understands normal behavior and can raise an alarm when behavior is suddenly not normal.

For example, a specialist in IT is accessing hundreds of POS systems in multiple stores via the corporate network. Is that okay? It is hard to say. Perhaps he is doing it as part of a backup process or maybe he is helping restore systems after a failure. Without knowing what is normal for this person, as well as for his peers, it is very difficult to judge the riskiness of his actions. Behavioral analytics systems are built for this problem. They analyze past behavior and build baselines, just as VISA and MasterCard do for every credit card owner. When an employee suddenly starts logging into store POS systems but has never done so before, behavioral baselines can provide the context needed to alert that this user might in fact be a hacker.
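The following is an added example, not code from the original article: a minimal Python sketch of the baseline-and-deviation logic described above, run over constructed access-log tuples. The host names, roles, and the fan-out threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed baseline log: (user, role, source network, target host). Not real data.
HISTORY = [
    ("alice", "it_ops", "corporate", "pos-store-101"),
    ("alice", "it_ops", "corporate", "pos-store-102"),
    ("bob", "it_ops", "corporate", "pos-store-103"),
    ("carol", "finance", "corporate", "erp-core"),
    ("dave", "finance", "corporate", "erp-core"),
    ("erin", "hr", "corporate", "payroll-db"),
]

# Constructed new-day log to score against the baseline.
TODAY = [
    ("alice", "it_ops", "corporate", "pos-store-101"),  # routine for alice
    ("bob", "it_ops", "corporate", "pos-store-150"),    # new host, but POS is normal for bob
    ("dave", "finance", "corporate", "pos-store-120"),  # neither dave nor his peers touch POS
] + [("erin", "hr", "corporate", f"pos-store-{n}") for n in range(1, 30)]  # fan-out

def is_pos(host):
    return host.startswith("pos-")

def build_baselines(events):
    """Hosts seen per user and per role (peer group) during the baseline period."""
    by_user, by_role = defaultdict(set), defaultdict(set)
    for user, role, _net, host in events:
        by_user[user].add(host)
        by_role[role].add(host)
    return by_user, by_role

def score_day(events, by_user, by_role, fanout_limit=20):
    """One alert per deviation: POS access new for the user, new for the peer
    group, or spread across an unusual number of POS hosts from corporate."""
    pos_hosts, roles, from_corp = defaultdict(set), {}, set()
    for user, role, net, host in events:
        if is_pos(host):
            pos_hosts[user].add(host)
            roles[user] = role
            if net == "corporate":
                from_corp.add(user)
    alerts = []
    for user, hosts in pos_hosts.items():
        user_has_pos = any(is_pos(h) for h in by_user.get(user, ()))
        role_has_pos = any(is_pos(h) for h in by_role.get(roles[user], ()))
        if not user_has_pos and not role_has_pos:
            alerts.append((user, "high", "POS access with no precedent for user or peer group"))
        elif not user_has_pos:
            alerts.append((user, "medium", "first POS access; peers in this role do access POS"))
        if len(hosts) > fanout_limit and user in from_corp:
            alerts.append((user, "high", f"{len(hosts)} distinct POS hosts in one day from corporate"))
    return alerts

def run_example():
    by_user, by_role = build_baselines(HISTORY)
    return score_day(TODAY, by_user, by_role)
```

Note that bob’s access to a previously unseen store is treated as normal because POS access is already part of his baseline; a stricter variant could also score new hosts within a familiar class.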

Retailers are getting better about security every year, improving risk management processes and rolling out new security technologies. Credential attacks remain the top threat for retail breaches, however, and retail firms must both verify their processes and also look to new solutions, such as behavioral analytics, to close the risk gap.

Acquisition Integration for Logistics and Cargo Insurance

During my 36 years in the marine insurance industry, one of the most common issues has been failure to properly integrate acquisitions into cargo logistics insurance programs—which can result in gaps in cargo insurance coverage. Old habits die hard, and this is particularly true in logistics operations.

When an organization acquires a new company, there is a choice. The buyer can allow the acquisition to continue to operate independent of its logistics program (rarely is cargo insurance left independent) or fully integrate them into the buyer’s logistics and cargo insurance programs. The most common occurrence is full integration into the buyer’s logistics and cargo insurance programs for cost savings and continuity.

If the independent logistics option is chosen for the acquisition, it is still critical to perform a detailed gap analysis of the logistics SOPs (Standard Operating Procedures) used by the acquisition to assure their program does not present unique exposures not currently considered or addressed in the buyer’s program. The most objective and effective gap analysis should be performed by an outside consultant working with the buyer’s designated logistics representative.

A risk management representative is not required but may wish to attend. The consultant must have extensive experience in logistics audits as well as a clear understanding of implications of the terms and conditions of the cargo policy. This team will create a gap analysis report that details variances from best practices and the key drivers in the buyer’s logistics program that are critical to the marine cargo insurance program. This also allows the buyer’s cargo program to be adjusted for any unique requirements of coverage by the acquisition to assure there are no coverage gaps.

Importance of SOPs
It is worth a moment to address SOPs for logistics and security for shipping and storing goods in the due course of transit. Formal SOPs are critical to assure compliance, and proper measurement of compliance. SOPs also provide continuity of logistics’ programs so learned processes and shipping lane specific issues are not lost when there is a change in personnel.

In instances when the buyer decides on full integration, the process is much the same as described above for the option of independent logistics at the acquisition. The most important difference is that the gap analysis details the variances between the acquisition’s and the buyer’s logistics program SOPs and rates the findings into levels of importance for timely adoption: critical, second-tier and third-tier variances. The critical issues require adoption as soon as possible, while the other variances can be corrected over the course of time.

It is important to complete follow-up audits. If there are critical issues, a follow-up audit might be completed after the buyer has been advised that the critical variances have been finalized, to independently confirm compliance if deemed appropriate. Regardless, a one-year audit is recommended to examine all the variances in the gap analysis and determine the level of compliance in correcting all originally identified variances.

Again, old habits and processes die hard. You will often hear, “We always did it this way.” It is important during the gap analysis to accommodate local requirements as needed, as long as doing so does not compromise the goal of the SOP. The integrations, especially of acquired foreign companies, can be difficult, involving politics by other units of both companies outside of the logistics, security and risk management units. It is critical that senior management of both the buyer and the acquisition company have “full buy-in” on the integration process to overcome the political infighting that can develop.

The best analogy of this process would be a chess game—complex and variable with many moving, interrelated parts.

Wildfires a Reminder to Update Disaster Preparedness Plans

Raging across the country, threatening businesses and residences alike, wildfires are a reality, burning a reported 1.9 million acres in the U.S. so far this year. West of Santa Barbara, firefighters have battled an intense fire for almost a week. Wildfires are also burning in Arizona and New Mexico. In Canada, the Fort McMurray blaze burned for weeks and scorched some 2,400 square miles of land—more than 1.4 million acres. In five of the past 10 years, in fact, wildfires have ranked among the top 20 worldwide loss events.


Companies that haven’t already done so may want to assess the impact such a disaster could have on their business as well as what actions can be taken to mitigate damage. While most businesses believe they are prepared for a fire, especially if their building is equipped with fire alarms, fire extinguishers, smoke detectors and an evacuation plan, these measures may not be enough when stress and confusion take over, according to Interstate.

Organizations could face utility interruption, impacting gas and phone systems; they may have flooding from sprinklers, which, mixed with soot, can cause other complications; there may be smoke damage, which can be carried throughout a building through air conditioning systems; and there can be chemical residue from fire suppression systems.

There also may be asbestos hazards from older building materials, ceiling and floor tiles and pipe insulation.

Planning ahead for data loss resulting from damaged computers and burned paper documents is also advised.

Interstate lists four questions companies need to ask in advance of such a disaster:

10 Tips for Securing Responsive Cyber Coverage

SAN DIEGO—With hacking incidents becoming all too common, risk managers are under increasing pressure to help protect their companies from the inevitable breach. Insurance is an option, but policy forms are still developing. In a session at RIMS 2016, Joshua Gold, a shareholder with Anderson Kill, and Debbie Gramer, director of global risk management at Arrow Electronics, Inc., offered the following 10 tips to risk managers looking to secure the best possible coverage for their organizations.

  1. Be careful with insurance applications. Use precise language to convey your exposures to underwriters. Never answer “yes” or “no” to a question that doesn’t really have a yes or no answer.
  2. Retro dates. Hackers can be in systems for days, months or even years, so it is important to push retro dates back as far as possible.
  3. Look for clear policy coverage. Forms and terms change over time as the risks shift. Having clear language can remove ambiguity.
  4. Symmetry with other insurance (e.g., CGL, property). Review existing policies to determine where there may or may not be coverage gaps.
  5. Get endorsements of special coverage needs. If you have exposures from cloud providers and third-party vendors, for example, you will need to specifically address these. Exclusions matter.
  6. If you accept payment cards, be aware of PCI issues and card brand fines and penalties.
  7. Address sub-limit concerns. Losses can be expensive. Make sure sub-limits are adequate.
  8. Beware of breach of contract exclusions.
  9. Beware of conditions on “reasonable” cybersecurity measures. “Reasonable” is a subjective term. Specifically define security measures to remove any grey areas that could lead to a coverage dispute.
  10. Business interruption and reputational damage insurance may be vague but they are becoming more relevant. Business disruption is quickly becoming the most important operational consequence of a hacking incident. Make sure you are protected.