Retail Data Security: Preparing for the Top Threat for Holiday Breaches


Here’s the question of the season: what is the true cause of the retail breaches we read about year after year? Malware and ransomware get most of the scary security press, but they are not the main culprit. The primary cause of retail breaches is, by far, stolen credentials: the usernames and passwords of a retailer’s employees, contractors or partners. Target Corp., Home Depot, eBay and others have fallen to variants of the same attack in recent years: a trusted insider’s credentials were stolen and the attackers used them to get onto the network. In some cases that access led to malware being installed on card-reader and POS systems; in others the attackers took different paths once inside.

The point is clear: the access credentials of trusted insiders are the single biggest breach risk factor in retail. Verizon’s annual Data Breach Investigations Report, released earlier this year, confirms it: credential attacks were the top source of data breaches, with 63% of confirmed breaches involving weak, default or stolen passwords.

This isn’t a new insight. The Target and Home Depot breaches, both carried out with stolen vendor credentials, happened more than two years ago, and yet, as the Verizon report shows, large firms remain quite vulnerable to credential attacks. Why is a credential-based attack so hard to detect? Because the whole point of it is to impersonate a valid user (an employee, contractor or other insider) going about his or her daily job. When a financial analyst logs into a financial system with her own ID and password, nothing about the login itself looks wrong, and we do not expect an alarm to sound.

The retail environment has unique factors that make detection harder still. Retailers employ large numbers of seasonal workers, so knowing whether a particular person should be allowed near the server in the back room of a store can be difficult. The buzz and chaos of a store during the holidays weakens security checks, and the sheer volume of transactions, returns, special orders and the like distracts employees and opens security gaps.

There are, however, concrete steps that can be taken.

The first is simple. Most if not all retailers run two networks, a corporate one and a retail (in-store) one. Human resources, research and development, accounting and other corporate functions live on the corporate network; point-of-sale (POS) systems, cashiers and store managers live on the retail network. In theory the two are completely walled off from each other, with any crossing between them going through two-factor authentication and other controls. A temporary sales clerk should not be able to reach the payroll system at corporate headquarters and download employee social security numbers, just as an HR specialist at headquarters should not be able to reach the credit card data on a store POS server. This is especially sensitive because many retailers haven’t yet rolled out chip-and-PIN (EMV) readers: a card number stolen from a POS system is usable in many places.

A basic check is to confirm that the two-factor authentication between the corporate and retail networks is actually working, is patched, and is applied to every path between the two networks, not just the ones it covered when it was first deployed. That is not always the case: there have been incidents where attackers stole a corporate user’s credentials (with a keylogger or similar malware) and then found a path around the authentication system to hundreds of in-store POS systems. Often the configuration has simply “drifted” over time (an exception added for a project and never removed, a new subnet that never got the control) and needs re-certification. This is an easy, high-value check on network security risk.
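The re-certification check described above can be scripted. The following is an added example, not code from the article or from any retailer’s tooling: it diffs the running boundary rules against the last certified baseline and then probes whether any corporate host other than the two-factor jump host can reach a POS host directly. The address plan, the jump host (10.1.0.10), the rule syntax and every rule line are constructed assumptions.

```python
"""Audit the corporate/retail boundary for drift and for paths that bypass the 2FA jump host.

Added example. Assumes a simple first-match ACL ("action src dst proto port") and that
the only sanctioned corporate-to-POS path is through a hypothetical MFA jump host.
"""
import ipaddress

# Hypothetical address plan (assumption, not from the article).
CORP_NET = ipaddress.ip_network("10.1.0.0/16")      # corporate network
POS_NET = ipaddress.ip_network("10.50.0.0/16")      # in-store POS network
MFA_JUMP_HOST = ipaddress.ip_address("10.1.0.10")   # only sanctioned path, behind 2FA

# Constructed: what the boundary looked like when it was last certified.
CERTIFIED_BASELINE = """\
permit 10.1.0.10/32 10.50.0.0/16 tcp 22
permit 10.1.0.10/32 10.50.0.0/16 tcp 3389
deny   10.1.0.0/16  10.50.0.0/16 any any
"""

# Constructed: the running config. A helpdesk /24 was granted direct RDP to every
# POS host during an incident and the exception was never removed.
RUNNING_CONFIG = """\
permit 10.1.0.10/32 10.50.0.0/16 tcp 22
permit 10.1.0.10/32 10.50.0.0/16 tcp 3389
permit 10.1.20.0/24 10.50.0.0/16 tcp 3389
deny   10.1.0.0/16  10.50.0.0/16 any any
"""


def parse_rules(text):
    """Parse 'action src dst proto port' lines into tuples, preserving order."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, src, dst, proto, port = line.split()
        rules.append((action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, port))
    return rules


def evaluate(rules, src, dst, proto, port):
    """First-match evaluation of one flow; implicit deny if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_src, r_dst, r_proto, r_port in rules:
        if src in r_src and dst in r_dst and r_proto in ("any", proto) and r_port in ("any", str(port)):
            return action
    return "deny"


def config_drift(baseline, running):
    """Rules added since certification and rules that disappeared (order-insensitive)."""
    added = sorted(set(running) - set(baseline), key=str)
    removed = sorted(set(baseline) - set(running), key=str)
    return added, removed


def mfa_bypass_paths(rules, probes):
    """Any permitted probe from a corporate host that is not the jump host is a bypass."""
    findings = []
    for src, dst, proto, port in probes:
        if ipaddress.ip_address(src) == MFA_JUMP_HOST:
            continue
        if evaluate(rules, src, dst, proto, port) == "permit":
            findings.append((src, dst, proto, port))
    return findings


# Constructed probe flows: one host from several corporate /24s against one POS server.
PROBES = [(f"10.1.{i}.25", "10.50.3.7", "tcp", p) for i in (0, 10, 20, 30) for p in (22, 3389, 445)]


def audit(baseline_text=CERTIFIED_BASELINE, running_text=RUNNING_CONFIG):
    baseline, running = parse_rules(baseline_text), parse_rules(running_text)
    added, removed = config_drift(baseline, running)
    return {
        "added": added,
        "removed": removed,
        "bypass": mfa_bypass_paths(running, PROBES),            # expected: the helpdesk /24 over RDP
        "baseline_bypass": mfa_bypass_paths(baseline, PROBES),  # expected: none
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The drift diff alone would flag the extra rule, but the probe step is what tells you whether the drift matters: a rule can be added and still be shadowed by an earlier deny, and a rule can be reordered without being added. In a real estate the probe list comes from the IPAM or asset inventory rather than a hard-coded comprehension.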

Another step relates to context, in other words knowing what is normal. As noted above, a retailer during the holiday season manages chaos on a daily basis, and it is too easy for an attack to slip by unnoticed in the noise and commotion. Recall the advice given to New Yorkers after 9/11: “If you see something, say something.” Relying on employees to notice unusual behavior is fine as far as it goes, but a better approach is to augment them with technology that learns what normal behavior looks like and raises an alarm when behavior suddenly is not normal.

For example, an IT specialist is accessing hundreds of POS systems in multiple stores from the corporate network. Is that okay? It is hard to say. Perhaps it is part of a backup process, or perhaps he is restoring systems after a failure. Without knowing what is normal for this person, and for his peers in the same role, it is very difficult to judge the riskiness of his actions. Behavioral analytics systems are built for this problem: they analyze past behavior and build baselines per user and per peer group, much as Visa and Mastercard do for every cardholder. When an account suddenly starts logging into store POS systems, having never done so before, the baseline supplies the context needed to alert that this “user” may in fact be an attacker holding stolen credentials.
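What such a baseline looks like in code, as an added example rather than a description of any vendor’s product: it builds per-user and per-role baselines from a training window of successful access events, then scores a new day’s events for two anomalies, a destination class the account has never touched and a daily count of distinct POS hosts beyond what the user or the peer group has ever done. The log format, the user and role names, and every log line are constructed assumptions.

```python
"""Behavioral baselines for POS access. Added example; log format and data are constructed."""
import re
from collections import defaultdict

# Constructed training window: it_ops staff touch a few POS hosts a day, finance and HR never do.
TRAINING_LOG = """\
2016-11-01T09:02:11Z user=ops.alice role=it_ops dst=10.50.1.5 dst_class=pos result=success
2016-11-01T09:05:40Z user=ops.alice role=it_ops dst=10.50.1.6 dst_class=pos result=success
2016-11-02T10:12:03Z user=ops.alice role=it_ops dst=10.50.2.5 dst_class=pos result=success
2016-11-02T10:14:51Z user=ops.alice role=it_ops dst=10.50.2.6 dst_class=pos result=success
2016-11-02T10:16:20Z user=ops.alice role=it_ops dst=10.50.2.7 dst_class=pos result=success
2016-11-03T08:40:00Z user=ops.bob role=it_ops dst=10.50.4.5 dst_class=pos result=success
2016-11-03T08:44:12Z user=ops.bob role=it_ops dst=10.50.4.6 dst_class=pos result=success
2016-11-04T11:00:00Z user=fin.carol role=finance dst=10.1.30.8 dst_class=erp result=success
2016-11-05T11:20:00Z user=fin.carol role=finance dst=10.1.30.8 dst_class=erp result=success
2016-11-06T13:02:00Z user=hr.dave role=hr dst=10.1.40.3 dst_class=hris result=success
"""

# Constructed day to score: a finance analyst's account sweeps POS hosts at 3 a.m.,
# Alice does her usual work, and Bob touches more POS hosts than anyone in his role ever has.
NEW_EVENTS = """\
2016-11-24T03:01:10Z user=fin.carol role=finance dst=10.50.7.5 dst_class=pos result=success
2016-11-24T03:01:33Z user=fin.carol role=finance dst=10.50.7.6 dst_class=pos result=success
2016-11-24T03:02:01Z user=fin.carol role=finance dst=10.50.7.7 dst_class=pos result=success
2016-11-24T03:02:29Z user=fin.carol role=finance dst=10.50.8.5 dst_class=pos result=success
2016-11-24T03:02:58Z user=fin.carol role=finance dst=10.50.8.6 dst_class=pos result=success
2016-11-24T03:03:30Z user=fin.carol role=finance dst=10.50.8.7 dst_class=pos result=success
2016-11-24T09:10:00Z user=ops.alice role=it_ops dst=10.50.9.5 dst_class=pos result=success
2016-11-24T09:12:00Z user=ops.alice role=it_ops dst=10.50.9.6 dst_class=pos result=success
2016-11-24T14:00:00Z user=ops.bob role=it_ops dst=10.50.5.5 dst_class=pos result=success
2016-11-24T14:01:00Z user=ops.bob role=it_ops dst=10.50.5.6 dst_class=pos result=success
2016-11-24T14:02:00Z user=ops.bob role=it_ops dst=10.50.5.7 dst_class=pos result=success
2016-11-24T14:03:00Z user=ops.bob role=it_ops dst=10.50.5.8 dst_class=pos result=success
2016-11-24T14:04:00Z user=ops.bob role=it_ops dst=10.50.5.9 dst_class=pos result=success
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) role=(?P<role>\S+) "
    r"dst=(?P<dst>\S+) dst_class=(?P<cls>\S+) result=(?P<result>\S+)$"
)


def parse(text):
    """Keep successful events only; failed logins are a separate signal and not baselined here."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["result"] == "success":
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Per user: classes ever accessed and max distinct POS hosts in one day. Per role: the peer max."""
    classes, pos_per_day, role_of = defaultdict(set), defaultdict(set), {}
    for e in events:
        classes[e["user"]].add(e["cls"])
        role_of[e["user"]] = e["role"]
        if e["cls"] == "pos":
            pos_per_day[(e["user"], e["day"])].add(e["dst"])
    user_max, role_max = defaultdict(int), defaultdict(int)
    for (user, _), hosts in pos_per_day.items():
        user_max[user] = max(user_max[user], len(hosts))
    for user, m in user_max.items():
        role_max[role_of[user]] = max(role_max[role_of[user]], m)
    return {"classes": dict(classes), "user_max": dict(user_max), "role_max": dict(role_max)}


def score(baseline, events):
    """One alert per (user, day) that touched POS with at least one anomaly reason."""
    touched, role_of = defaultdict(set), {}
    for e in events:
        role_of[e["user"]] = e["role"]
        if e["cls"] == "pos":
            touched[(e["user"], e["day"])].add(e["dst"])
    alerts = []
    for (user, day), hosts in sorted(touched.items()):
        reasons, seen = [], baseline["classes"].get(user, set())
        if "pos" not in seen:
            reasons.append("first POS access ever for this account")
        own, peers = baseline["user_max"].get(user, 0), baseline["role_max"].get(role_of[user], 0)
        if len(hosts) > peers:
            reasons.append(f"{len(hosts)} POS hosts in one day; peer-group max is {peers}")
        elif len(hosts) > 2 * own:
            reasons.append(f"{len(hosts)} POS hosts in one day; own max was {own}")
        if reasons:
            alerts.append({"user": user, "day": day, "hosts": len(hosts),
                           "severity": "high" if "pos" not in seen else "medium", "reasons": reasons})
    return alerts


def run():
    return score(build_baseline(parse(TRAINING_LOG)), parse(NEW_EVENTS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two things the example shows that the paragraph does not: the peer-group baseline is what lets Bob’s sweep be flagged even though he legitimately touches POS hosts every week, and the novelty check on Carol’s account fires regardless of volume, because a finance login to a POS network is wrong at one host, not just at a hundred. A production system would also baseline time of day and source host, and would decay old history rather than keeping a flat window.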

Retailers are getting better about security every year, improving risk management processes and rolling out new security technologies. Credential attacks remain the top threat for retail breaches, however, and retail firms must both verify their processes and also look to new solutions, such as behavioral analytics, to close the risk gap.

Establishing Company Gift-Giving Guidelines

With increased regulatory oversight around the globe, companies’ external and internal gift-giving are under scrutiny. With the holiday season upon us, it is up to organizations, no matter what the size, to clearly state policies and leave no question about what is and what is not allowed. Establishing monetary limits for gifts given and received is also a good idea.

According to a report by Thomson Reuters:

While bribery and corruption charges are widespread, it’s important to note that bribery is not synonymous with gift-giving. When it comes to gift-giving, businesses cannot offer, promise or give anything of value, directly or indirectly, to a foreign official for the purpose of obtaining or retaining business. Corporate gifts need to be carefully evaluated to ensure they do not appear to violate these prohibitions.

Internal gifting policies vary from company to company, and while there is no one-size-fits-all approach, it is extremely important that organizations have policies in place and that employees are aware of what those policies are. No matter how well-intentioned a gift, the potential exists that it falls outside of the appropriate boundaries.


Organizations need to be clear about what types of gifts are acceptable and what are not.


Both employers and employees should also be aware of what constitutes a bribe and what types of bribes to watch out for.


Regulatory bodies are holding companies accountable, and depending on the countries involved, penalties can range from fines in the millions of dollars to prison terms.



The DOs and DON’Ts of Company Holiday Parties

Holiday parties can be a company’s best day of the year — or its worst. Usually, it falls somewhere in the middle, but all executives and human resources personnel need to make sure to avoid some key risks to ensure their day of merriment doesn’t turn into disaster. The following four guidelines from Jay Starkman of Engage PEO will help.

1. Keep the Festivities Non-Denominational

It is better to have a holiday party than a Christmas party, a Hanukkah party, or a party that recognizes any specific holiday. This way, all employees can feel involved and the company avoids projecting the image that it prefers one religion over any other.

2. The Trouble With Alcohol 

As we all know, alcohol can lower inhibitions and lead to questionable judgment, which can be an unfortunate combination.

So how should you attempt to manage these inherent risks?

The easiest way to avoid the potential problems that come with alcohol consumption is to have a party where alcohol is not served. This may be an easier decision to justify if the party is held during the day, as opposed to the evening, when drinking is generally more socially acceptable. But if the company does decide to serve alcohol at the holiday party, consider hiring a professional bartender instead of permitting employees to serve themselves. This person can manage the amount of alcohol in each drink and notify a manager if an employee appears to have had too much to drink. Managers should also be alert and aware of any employee who may be overindulging.

Additionally, alcoholic options can be limited to wine and beer, and the company should be sure to provide plenty of nonalcoholic beverage alternatives. Food should be available throughout the party when alcohol is served. You can also consider utilizing a drink ticket system to limit individuals’ consumption.

Most importantly, consider stopping service before the party officially ends. Cutting off the service of alcohol at least one hour before the end of the party may lessen the impact of the alcohol on those who consumed during the party before they depart. It is also a good idea to continue food service during this time period.

3. Prevent Inappropriate Behavior

When workplace and social interactions intersect, there is a possibility that inappropriate behavior may result. It is a good idea to take steps to prevent harassment or similar inappropriate conduct.

One thing to consider is inviting spouses or significant others to the party. Employees may be more likely to be on their best behavior in front of these individuals.

Secondly, no mistletoe! This holiday symbol is an invitation for employees to engage in behavior which is inappropriate for the workplace (and, by extension, the company holiday party).

Be sure to remind all employees that the company’s workplace standards apply at the holiday party: harassment remains strictly prohibited. Make sure that everyone knows that, even though the idea is to have a good time, misconduct at or after the party, including harassment, can result in disciplinary action. Also remind managers that they must enforce company policies at the party, even if it is held after work and away from the workplace itself, and that they must lead by example.

4. Enjoy Your Holiday Party!

This is supposed to be fun. Make sure everything is on the up and up, but remember the ultimate goal. The team building and camaraderie that develop while co-workers get to know one another outside of the office can be invaluable in creating a great work environment.

Stay Safe From Turkey Fryer Fires

According to State Farm, there are more cooking fires in the United States on Thanksgiving than on any other day. Or, as William Shatner puts it: “Fire, metal, oil and turkey are glorious when in harmony … but their power is unrelenting in careless hands.”

State Farm’s turkey day safety campaign is both entertaining and informative, which should help get the message out. Hopefully it reaches the following top ten states for Thanksgiving fire insurance claims over the past five years.

So, listen to the advice of Shatner in the video below. Or be prepared to deal with the fallout of a burst of flames like those in the video below that.