Retailers around the world are reeling from an avalanche of data thefts this year, leaving many paralyzed about what to do. But a Canadian security expert warned retailers here not to take short-cuts to stem the flow.
“The solution is to treat cybersecurity as a whole business issue, and not just look at operations and technology,” Kevvie Fowler of KPMG Canada told the Retail Council of Canada’s theft prevention conference in Toronto on Thursday.
“A lot of people think security is put up another firewall, put on an anti-virus client. Technology is a piece, but a small piece of what the overall cybersecurity picture looks like.”
It includes following legal and compliance policies and imposing leadership and governance structures to support security, he said. In some small organizations the IT manager only has a small amount of time for IT security, he complained. But, he added, “security is a full time job … What you do need is to hit the executive levels of the organization.”
Executives also need to ensure all staff are trained to watch for and not click on suspicious emails, he added — one of the two infamous Target store breaches happened because a staffer at a consulting company working for the chain did that, he said, which installed malware that led to the intrusion.
Service desks are prime targets, he said, by attackers posing as legitimate customers who want to reset passwords or change shipping addresses.
As for operations and technology, “that comes to making sure you have the right security controls in place that are actually effective. This isn’t just buying a tool and saying ‘We’re good,’ and moving on. It’s making sure it’s doing what it should be doing, making sure there’s processes around it, making sure you’re looking at the information coming from the (security) device and act on it.
“More often than not, organizations that have been breached have had the controls in place that generated the right alerts; they just didn’t identify the alerts and act on them,” said Fowler, who leads a team that does penetration testing and one that does post-breach investigations.
(Meanwhile the Associated Press and Bloomberg News reported that the malware used to breach the Home Depot POS system was significantly different from the one used to get at Target’s system.)
A complete IT security strategy also includes having an information risk management and business continuity plan in case of a data breach, he said.
Unlike the United States, most credit card issuers here have recently given users smart cards with chips that can’t be reproduced. That means that if a hacker gets a credit card number, a phoney card can’t be produced.
But, Fowler noted, retailers have databases full of other valuable information that isn’t chip and PIN protected: usernames, passwords, social insurance numbers and the like. Many retailers don’t think this information is valuable, he said, but to criminals it is — because they can use analytics to marry personal information to credit card numbers.
Knowing a person’s social media account or address gives a criminal another place to send malware-infected email, he pointed out. In fact the more personal data a criminal has on an individual the more valuable it is on the black market.
All of this won’t prevent a network breach, he acknowledged. But it will lower the odds, lower the potential damage and increase the chances of spotting an attack.
Lest you think that Canadian firms aren’t targeted, Fowler also revealed that after helping close SQL injection vulnerabilities in a Toronto firm’s external Web site, his team used data forensics to discover 16 hackers from all over the world had exploited the vulnerability over the previous two years. Of those, five attackers gained unauthorized access to the network, although no sensitive data was lost so the breach wasn’t made public.
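The forensics Fowler describes, and the earlier point that breached organizations usually had the evidence in hand but never looked at it, both come down to reading web server logs for exploitation attempts after the fact. The script below is an added example, not KPMG’s tooling or anything from the talk: it walks Apache-style access log lines, decodes each query string, matches it against a small set of SQL injection indicators (a constructed, non-exhaustive list), and groups hits by source address, recording how many suspicious requests each source sent, how many were answered with a 2xx status rather than an error or a block, and over what period. The sample log lines, IP addresses (documentation ranges) and dates are constructed for the example.

```python
"""Retrospective triage of web access logs for SQL injection attempts (added example)."""
import re
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "common" log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator names and patterns are an assumption for this example; a real ruleset would be
# broader and tuned against the application's own traffic to keep false positives down.
SQLI_INDICATORS = {
    "union-select": re.compile(r"union\s+(all\s+)?select", re.IGNORECASE),
    "tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "time-delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE),
    "schema-probe": re.compile(r"information_schema|sysobjects", re.IGNORECASE),
    "comment-truncation": re.compile(r"--\s*$"),
}

# Constructed sample: one benign request per source, then the injection attempts.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Mar/2013:10:15:02 -0500] "GET /products.php?id=12 HTTP/1.1" 200 5120
203.0.113.10 - - [03/Mar/2013:10:15:09 -0500] "GET /products.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211
198.51.100.7 - - [17/Sep/2013:22:41:33 -0400] "GET /products.php?id=12%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312
198.51.100.7 - - [17/Sep/2013:22:41:40 -0400] "GET /products.php?id=12%20UNION%20SELECT%20table_name,2,3%20FROM%20information_schema.tables HTTP/1.1" 200 9921
192.0.2.44 - - [02/Jan/2014:03:05:11 -0500] "GET /search.php?q=shoes HTTP/1.1" 200 2231
192.0.2.44 - - [02/Jan/2014:03:05:18 -0500] "GET /search.php?q=shoes%27%20AND%20SLEEP(5)-- HTTP/1.1" 403 199
""".splitlines()


def parse_line(line):
    """Return a dict with ip, timestamp (aware datetime), path and int status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def sqli_indicators(path):
    """Decode the query string once and return the sorted indicator names it matches."""
    query = unquote_plus(urlsplit(path).query)
    return sorted(name for name, rx in SQLI_INDICATORS.items() if rx.search(query))


def triage(log_lines):
    """Group suspicious requests by source IP with counts, served (2xx) count and time span."""
    by_ip = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = sqli_indicators(rec["path"])
        if not hits:
            continue
        entry = by_ip.setdefault(rec["ip"], {
            "attempts": 0, "served": 0, "indicators": set(),
            "first_seen": rec["ts"], "last_seen": rec["ts"],
        })
        entry["attempts"] += 1
        if 200 <= rec["status"] < 300:      # answered normally: payload reached the app
            entry["served"] += 1
        entry["indicators"].update(hits)
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
    return by_ip


def campaign_summary(log_lines):
    """Headline numbers an investigator reports: distinct sources, how many got answers, span."""
    report = triage(log_lines)
    if not report:
        return {"distinct_sources": 0, "sources_served": 0, "span_days": 0}
    first = min(e["first_seen"] for e in report.values())
    last = max(e["last_seen"] for e in report.values())
    return {
        "distinct_sources": len(report),
        "sources_served": sum(1 for e in report.values() if e["served"]),
        "span_days": (last - first).days,
    }


if __name__ == "__main__":
    for ip, e in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} attempts={e['attempts']} served={e['served']} "
              f"{e['first_seen']:%Y-%m-%d}..{e['last_seen']:%Y-%m-%d} {sorted(e['indicators'])}")
    print(campaign_summary(SAMPLE_LOG))
```

Run over years of retained logs, the summary gives the two figures in the story: how many distinct sources probed the flaw and how many of them were answered with normal responses, which is where a deeper look at what those requests returned begins. A 403 or 500 against a probe is still worth recording, since it shows the flaw was being looked for before anyone on the defending side noticed. The single `unquote_plus` pass is a deliberate simplification; payloads that are double-encoded or split across POST bodies (which the common log format does not capture) would need request-body logging or a WAF log to be seen at all.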
An unnamed Canadian telco this year discovered it had suffered a security breach, he added, because external monitoring found it on the Internet.
In an interview Fowler also said that retailers shouldn’t think they are safe because they follow the Payment Card Industry (PCI) best practices. One security researcher found that a Canadian company’s point of sale system was still vulnerable to an attack even though it had a stellar security profile.
“Compliance is not security,” he said. “PCI compliance gives you a bare minimum standard you have to process data. If you look at Target, they were PCI-certified. Organizations need to focus on having maturity, not just check off the list when it comes to compliance, make sure the controls are effective.”
Overall, Canadian organizations take IT seriously, he said, partly because of the high-profile breaches in the U.S. Still, he said some firms here lack the awareness of American companies. Having involvement at the CEO and board level is important because cybersecurity is no longer a manager issue, he said.