The Need to Reevaluate Network Security
The year 2014 was a data security wake-up call for most retailers, especially in the fourth quarter—just as the Christmas season was upon us—when more than half of the reported data breaches were perpetrated upon retailers, according to information security company SafeNet.
The range of victims was wide: small retailers, big-box stores and even well-known, high-end retailers weren’t safe from the threat of malicious hackers. Michaels Stores, Neiman Marcus and Sally Beauty Supply all reported data breaches through in-store credit card payment systems, which resulted in the loss of customer information, and with it customer confidence, in an industry that is already struggling to compete with a booming ecommerce market.
The worst breach of all though, possibly the largest breach in retail history, happened at Target, where a data breach allowed hackers access to 40 million customer debit and credit cards and the personal information of 70 million customers, including names, addresses, phone numbers and e-mail addresses.
According to the 2014 Cost of Data Breach Study: Global Analysis by Ponemon Institute, the average cost of a data breach to a company was $3.5 million. And although Target has not issued an exact cost of its data breach, industry estimates place the total at between $1 billion and $2 billion.
This rash of costly data breaches comes at a time when brick and mortar retailers are struggling to drive growth and already managing tight budgets. Before now very little of a retailer’s budget had been spent on security. According to technology advisory firm IDC Retail Insights, “U.S. stores spend only roughly 2 percent of their tech budgets on security, with the bulk going to improving their e-commerce,” but the analyst firm expects U.S. retailer spending for security in 2014 to be “$720.3 million, an increase of 5.7 percent from last year.”
TARGET HACKERS BROKE IN VIA A TARGET VENDOR
One way retailers have sought to save money is by tackling a major cost source—their HVAC systems. According to new HVAC benchmarking research from PRSM, “43 percent of retailers spend most of their maintenance expense budget on HVAC and it accounts for 34 percent of their total facility budget on average.”
Maintenance costs aside, HVAC energy costs are a significant budget drain, something that often goes overlooked by facility managers who are either not kept in the loop on energy bills or do not have the time or know-how to spot HVAC inefficiency issues. It gets worse. Remember that “little” data breach Target had? Turns out, the hacker gained access to the network through credentials used by the retailer’s HVAC vendor.
That’s right: the hacker gained access to the data of 110 million customers, and it all started with an email phishing attack on the HVAC vendor’s employees. Once the hacker obtained the contractor’s network credentials, the hacker was able to access the contractor portal.
The hacker likely launched the attack by infecting the retailer’s Windows file service and its POS systems with malware. That malware sent credit card information to an internal server to avoid detection while sending a ping to the perpetrators, who were able to use file transfer protocol (FTP) to extract the data at a later time. This went on for two weeks, unnoticed by any of the antivirus solutions in place.
The Target breach began through social engineering, which is when criminals rely on human psychology to gain access. In this case, they sent a phishing email to the HVAC contractor’s employees, some of whom trusted that the email was from an official source and provided login details for the system. In other data security breaches, a social engineering exploit might include simply calling an employee and asking for access, hoping they’ll provide password information without asking any questions.
RETAILERS NEED TO BETTER PROTECT THEMSELVES
When it comes to credit card data security, most retailers think compliance with the payment card industry data security standard (PCI DSS) means the information is secure, but it’s not enough. Hackers are becoming increasingly sophisticated and retailers need to be proactive in their security efforts. So, what can retailers do to protect themselves?
Reconsider what goes on the network: Credit card and financial data are the target of hackers and so guarding the access to this data must be job number one. The first step is to evaluate all network-connected systems. Are they essential? Some systems are essential to the operation, but don’t necessarily need to be connected to the network. Let’s take energy management systems (EMS), since that is where the issue started with Target.
EMS systems rely on measuring energy and accessing sensors to detect system status, but have very little to do with point of sale (POS) and other retail systems. Thus, they can provide full functionality without being a part of a retailer’s POS network. In the past, sharing the already installed network cabling and switching/routing gear was an easy way to install the systems, but with today’s wireless technology, a separate EMS-only network can be established at a comparable cost.
This is due to breakthroughs in wireless machine-to-machine (M2M) communication using either WiFi or proprietary wireless networks for communications between the sensors and the controller. The controller can then use a 2G cellular connection to the internet for communication with the cloud-based information portal. Retailers need to invest in EMS and other network systems, but they can introduce a security issue if they are added to the POS network. Keeping them off of the corporate network eliminates that risk.
Train employees to identify and not respond to phishing requests: Because many breaches start out as simple social engineering crimes committed to get network login credentials, it is important that retailers train their employees, and outside contractors, to identify these threats and respond (or not) appropriately.
EDUCATION AND TRAINING
Employees must know what constitutes a phishing request. They need to look for emails from companies that they don’t know, or suspicious file types (.zip, .exe, etc.) as attachments. Does the email look like a formal request from a company or government and yet contain typos? When hovering a cursor over links and email addresses in an email, the real email address or internet URL is shown, and it should match the displayed address.
Phishers are clever, but there are telltale signs that employees can be trained to spot, which will help them identify a phishing attempt. If they detect anything like that, then they need to delete the email.
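The three telltales listed above (an unknown sender domain, a risky attachment type, and a link whose displayed address differs from its real target) can also be checked automatically at a mail gateway. The following is an added example, not code from the article or from EnTouch Controls; the sample message, the partner-domain list and the extension list are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): a lookalike sender domain, a link
# whose visible text differs from its real target, and a .zip attachment.
SAMPLE_MESSAGE = {
    "from": "billing@acme-corp-payments.example",
    "attachments": ["invoice_Q4.zip", "terms.pdf"],
    "html": '<p>Please confrim your password at '
            '<a href="http://198.51.100.7/login">https://portal.acme-corp.example/login</a></p>',
}

KNOWN_SENDER_DOMAINS = {"acme-corp.example"}   # assumption: the contractor's real partners
SUSPICIOUS_EXTENSIONS = (".zip", ".exe", ".scr", ".js")

class LinkCollector(HTMLParser):
    # Collects (href, displayed text) pairs for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Hostname of a URL; tolerate "www.example.com/x" style text without a scheme.
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(msg):
    """Return human-readable reasons the message looks like phishing (empty if none)."""
    reasons = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        reasons.append(f"sender domain {sender_domain!r} is not a known partner")
    for name in msg["attachments"]:
        if name.lower().endswith(SUSPICIOUS_EXTENSIONS):
            reasons.append(f"attachment {name!r} has a risky file type")
    collector = LinkCollector()
    collector.feed(msg["html"])
    for href, shown in collector.links:
        # Only compare when the visible text itself looks like an address.
        if shown.startswith(("http://", "https://", "www.")) and _host(href) != _host(shown):
            reasons.append(f"link displays {_host(shown)!r} but points to {_host(href)!r}")
    return reasons
```

Running `phishing_indicators(SAMPLE_MESSAGE)` flags all three telltales; a message from a known partner with a PDF attachment and matching link text yields an empty list.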
Be aware of threats by sharing information with other retailers. Cyber thieves share information, so why not retailers? The Retail Industry Leaders Association (RILA) recently launched the Retail Cyber Intelligence Sharing Center (R-CISC), where retailers can share cyber threat information and gain access to training and education resources. Additionally, the National Retail Federation has begun its own intelligence-sharing mechanism with a promise that it will not overlap with the RILA operation.
The details of both programs are emerging, but the benefits can be extensive and immediate. Hacker attacks happen in clusters, and having an alert when another retailer is being compromised can help other retailers to make immediate changes to eliminate security holes.
SECURE THE NETWORK
Secure the network—the whole network. There are many technologies that are standard operating procedure for retailers to use to secure their networks. These include anti-virus/endpoint protection, firewalls, automated software patching, intrusion detection/prevention, network monitoring and more. In fact, the technology in this space is constantly evolving and improving. However, if there are any contractors that need access to the network, then it’s essential that some basic level of security systems be part of their network as well. This should be insisted upon in the contract and audited on a regular basis.
Prepare an incident response plan. Even though retailers can do their very best to prepare and defend their networks from attacks, the fact is, there will always be some new threat that emerges that a firewall might miss.
Because of this, it’s important that all retailers have incident response tactics in place so that threats and incidents can be remediated as quickly as possible, with the least amount of damage. From a technology perspective, this involves digital forensics capabilities that can search the network for known software signatures or for deviations from a company’s “white list” of acceptable programs. There are forensic technologies that retailers can buy and put on their network, or this capability can be provided by an outside service provider. Outside of technology, the IR plan should also include customer and public communications components and any kind of mandated response to the government.
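The “white list” check described above amounts to comparing what is actually installed on a register against the approved build, by path and by file hash. This is an added illustration, not code from the article or from any forensic product; the approved image and the collected inventory are constructed sample data.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed approved image: the executables a POS terminal may run, keyed by path,
# with the hash of each approved build (sample bytes stand in for real binaries).
APPROVED_IMAGE = {
    "C:/POS/pos.exe": sha256(b"pos-terminal build 3.1"),
    "C:/Windows/System32/svchost.exe": sha256(b"svchost sample"),
}

# Constructed inventory as an agent might collect it from one register:
# one approved file, one altered file and one program the image never contained.
INVENTORY = [
    ("C:/POS/pos.exe", b"pos-terminal build 3.1"),
    ("C:/Windows/System32/svchost.exe", b"svchost sample + appended stub"),
    ("C:/Windows/Temp/unknown.exe", b"program not in the approved image"),
]

def find_deviations(approved, inventory):
    """Compare an inventory of (path, content) pairs against the approved image.

    Returns the paths whose hash differs from the approved build ("modified"),
    the paths the image does not list at all ("unknown"), and approved paths
    that were not found on the host ("missing"), so an IR team can triage each.
    """
    seen = set()
    modified, unknown = [], []
    for path, content in inventory:
        seen.add(path)
        if path not in approved:
            unknown.append(path)
        elif approved[path] != sha256(content):
            modified.append(path)
    missing = sorted(set(approved) - seen)
    return {"modified": modified, "unknown": unknown, "missing": missing}
```

Anything reported under "modified" or "unknown" is a candidate for deeper forensic review rather than proof of compromise on its own; legitimate patching also changes hashes, so the approved image must be refreshed with each sanctioned update.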
After a rough 2013 of data breaches, 2014 is the year for retailers to take a closer look at data security to ensure that their network is secure from targeted attacks. In an era when most transactions are conducted by debit or credit cards, protecting this data is as important to maintaining customer loyalty as is quality merchandise and attractive presentation.
By minimizing network-attached systems, educating employees, sharing challenges with peers, securing the network and being ready to respond to an incident, retailers will be armed with the tools needed to combat emerging and persistent threats in 2014 and the year ahead.
James Walton is Vice President of Business Development at EnTouch Controls, a leading provider of cloud-based energy management systems (EMS). Walton establishes new business ventures for EnTouch Controls, expanding its market and channel segments and generating results for customers. For more information about the firm, please visit www.entouchcontrols.com.
This article originally appeared in Professional Retail Store Maintenance magazine.