Weathering Today’s Retail Cybersecurity Storm
Cyber attacks on businesses have grown exponentially in scale and complexity over a relatively short span of time. The retail and consumer products industry continues to be a prime target for such attacks. In fact, it ranks as the top industry breached by the number of identities exposed, according to Symantec, one of the world’s largest information security and management companies. Yet, despite being a heavily targeted sector, and with the average cost of a security breach expected to exceed $150 million by 2020 [1], retailers have the least mature IT security programs and the lowest security spend compared to other industries. [2]
The Perfect Storm: Valuable Data, Lax Security Controls, and New Attack Methods
Due to the recent surge in attacks, many retailers are rightly focusing their attention on cybersecurity. However, even with investments in prevention, retail companies will likely find themselves vulnerable as attackers become increasingly sophisticated in their methods. According to a study conducted by BitSight, which tracked a group of 300 retail companies, 58% of retailers polled say that they are experiencing a decline in security performance over the previous year. [3] To make matters worse, new attack vectors—the paths by which hackers gain access to a computer or network server—are constantly changing. This makes prevention and detection more difficult.
In its 2015 Data Breach Investigations Report, Verizon reported that the two primary attack vectors affecting retailers in 2014 were point-of-sale intrusions, where an attacker steals data directly from the point-of-sale system, and denial of service, where an attacker attempts to disable a company’s system and hamper its ability to function. That year, point-of-sale intrusions and denial of service combined accounted for 64% of retail attacks. In a dramatic shift, by 2015 point-of-sale intrusions alone accounted for 70% of attacks affecting retailers, whereas denial of service attacks were virtually non-existent. [4]
This significant change in just one year is no surprise as point-of-sale systems handle the credit card data that hackers desire.
As retail companies drive to capture market share, meet the demands of Generation 2020, and create seamless customer shopping experiences across all channels, they continue to leverage technology to enhance omnichannel capabilities. This results in new vulnerabilities and opportunities for hackers. The proliferation of network entry points leaves retailers more exposed than ever and under greater pressure to bolster cybersecurity efforts and protect their networks.
According to Richard Schurig, a CohnReznick partner and the Firm’s Retail and Consumer Products Industry Practice leader, “Many retail and consumer products companies have limitations on the amount of investment to be made in the technology area. They have lagged behind in these investments because of the tough business environment they faced several years ago—and they are still trying to catch up. The decision as to how to allocate these resources between Web-based, mobile, and cybersecurity is creating a number of challenges for the C-level executives. In light of the recent high profile attacks, cybersecurity has taken on a higher priority in order to protect their customers and key assets.” But more needs to be done. “What is not always considered is the operational, financial, and reputational risk associated with different levels of cyber intrusion,” adds Schurig.
No Need to Boil the Ocean―Get the Program Basics Right
In an environment where cyber threats are rapidly escalating in frequency and sophistication, how can retail and consumer product companies overcome current deficiencies and build a stronger cybersecurity program to protect corporate and customer data?
Understanding the nature of a retail organization’s cyber risk is a critical first step. What would be the potential impact of an attack and how vulnerable is the company to breaches perpetrated from both outside and inside the organization? Identifying, prioritizing, and protecting key assets are the first lines of defense against cybersecurity threats. In doing so, it is critical to recognize that cyber theft is not solely about credit card data. It is also not always perpetrated from outside of the organization: employees may be motivated to steal data and thus seek avenues to access sensitive information.
While compromised credit card data does represent a substantial share of cyber attacks, cyber theft is progressively moving toward theft of non-payment data. Additional assets that are considered high value to hackers include confidential or proprietary corporate data, emails, and personal data.
Between 2013 and 2014, there was a 33% increase in theft of non-payment card data, and at least 45% of stolen data was not related to credit card data. [5] These findings were published in The 2014 Trustwave Global Security Report released by Trustwave, a company that provides information security and compliance programs. In some cases, cyber criminals attack exclusively for the purpose of extortion with no interest in stealing data. Therefore, it is essential to think like a hacker and understand who wants to steal the data and why. Companies need to define the data that is most valuable to them and/or the data that puts them at the greatest risk. They must then determine where that information is stored, and ensure that the basics of a cybersecurity program are firmly in place. This includes the following beneficial security practices:
Patch management program
Appropriate administrative access across the network and applications
Firewalls to protect the network perimeter with appropriate network segmentation
Robust malware and antivirus software running on all systems at all times
Additional IT controls such as back-up and recovery, which is often the only way to recover data following an attack
Above all, a governance program to ensure the above controls are functioning effectively
“Cybersecurity requires governance,” says Jim Ambrosini, Managing Director of Infrastructure Management and Technology Risk, CohnReznick Advisory. “Monitoring and directing the aspects of a cybersecurity program are two critically important actions. The program needs to be observed and then reassessed based on new threats and new compliance requirements.” Ambrosini adds, “Just having something in place―and a ‘set it and forget it’ approach―is not an effective strategy. An effective cybersecurity program requires governance and maintenance to make sure the organization is in a position to protect its environment and its assets and respond quickly to new and emerging threats.”
Equally important is the implementation of a vigilant security awareness training program. “People are frequently the last link between a company being hacked or not,” says Ambrosini.
Closing the Storm Door: An Enterprise-Wide Matter
There is general consensus that it is not a matter of if a company will be hacked, but when. Such high probability means that developing a response plan is crucial. Companies must also recognize, embrace, and internalize the fact that cybersecurity has become an enterprise-wide issue.
However, studies show that among C-level executives, there is a lack of organizational literacy with respect to cybersecurity and its associated risks. According to Tripwire’s “The Cyber Security Literacy Confidence Gap,” the levels of understanding and confidence in cybersecurity literacy among boards and executives vary widely. C-level executives generally lack confidence that cybersecurity briefings presented to the board accurately represent the urgency and intensity of cyber threats targeting their organizations. [6]
Chief Financial Officers play a major role in the daily operation of a retail organization. The information they control is some of the most sensitive and important. It is critical for the CFO to have a level of confidence in the quality of this information, understand how it is secured, and why and how attackers may be able to access and leverage it. “Boards of directors should consider cybersecurity a high-priority issue directly tied to a retail company’s reputational, financial, strategic, and operational risk profile,” says David Rubin, Risk and Business Advisory National Director, CohnReznick Advisory. “Boards should be keenly aware of the potential for lawsuits resulting from a security breach and the potential costs associated with the remediation of various types of breaches based on the severity of the impact.”
Ambrosini adds, “It’s critically important that board members and C-level executives are engaged and getting the correct information about cyber risks at their organizations. The idea that cybersecurity is not a board-level or C-level issue is a myth that needs to be busted.” The post-breach implications permeate all levels of an organization. Boards and CFOs should be asking such questions as:
Which digital assets do we maintain?
What are our main cyber-related risks?
What have we done to assess our cyber risks and vulnerabilities?
Which mechanisms are in place to protect, detect, respond to, and recover from cyber incidents?
Are these methods in line with our risk tolerance?
What Does CohnReznick Think?
Cyber threats to retail and consumer product companies will not go away. As the complexity and pervasiveness of technology driving the retail industry increases, cybersecurity programs will play a greater role. With immature information security infrastructures and sub-par cyber investments, retailers can wind up being an easy target for hackers. Boards of directors and C-level executives must play an integral role, identifying and communicating key assets (financial or otherwise), and developing organizational awareness of initiatives that stress the company’s security infrastructure. Retail and consumer products companies need to focus on getting the basics of cybersecurity right. Otherwise, they risk potential customer loyalty erosion, decreased shareholder value, or worse.
[1] Juniper Research, “The Future of Cybercrime & Security: Financial and Corporate Threats and Mitigation.”
[2] 2014 Gartner IT Security Study.
[3] 2014 BitSight Retail Study (300 company security survey).
[4] Verizon, “2015 Data Breach Investigations Report.”
[5] 2014 Trustwave Global Security Report.
[6] Tripwire, Inc., “The Cyber Security Literacy Confidence Gap.”
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.