A study conducted by KPMG last fall found that a growing number of consumers are leery of breaches and the loss of data privacy. As Forbes stated:
More than a quarter (27%) of the 1,400 U.S. consumers surveyed in November by KPMG said they would only shop at a store that previously experienced a cyber attack if they could not find the product elsewhere — with 8% refusing to shop at these stores at all.
Consumers have a reason to be concerned. Last holiday shopping season, IBM revealed that attacks against retailers are growing more sophisticated and targeted, which means that while there may be fewer attacks overall, they are gathering just as much or more data.
As we approach the 2015 holiday shopping season, it is up to retailers to do everything they can to protect their customers’ data privacy. It’s not an easy task, as Joe Schorr, director of advanced security solutions with Bomgar, stated in an email comment:
“Retail organizations are one of the most attractive targets for data theft due to the massive amounts of credit card information they process. Tools that allow IT departments or even outside vendors to remotely access and fix manned and unmanned systems are imperative in retail, but they’re also one of the retail industry’s biggest security weaknesses. Hackers are constantly looking to exploit unsecure remote access methods that turn them from outside attackers to privileged insiders and gain access to sensitive data and systems.”
In this slideshow, Sue Marquette Poremba has outlined a few issues experts recommend online retailers consider before we hit the busy shopping season to better ensure their security is running smoothly.
Steps Retailers Can Take to Shore Up Security Before the Holidays
Click through for nine issues experts recommend online retailers consider before hitting the busy shopping season to better ensure their security is running smoothly.
Keep PCI Compliance Up to Date
PCI compliance is a major concern year-round and particularly during the holidays. As IT security professionals know, audits aren’t happening at this time of year, which means retailers should do their due diligence to prepare and remain compliant in the run-up to the shopping season, said Mav Turner, director of Product Marketing and Strategy, Security with SolarWinds. Before the holiday season, online retailers need to ensure that their PCI compliance is up to date because, Turner pointed out, it is already very difficult to identify abnormalities in the system when shopping patterns are anything but normal during the holidays.
Protect Passwords
Passwords are often easy pickings for cyber criminals. To protect them, passwords should be stored using a cryptographically secure hashing technology, said Stephen Cox, chief security architect at SecureAuth. And because consumers are notoriously bad at coming up with unique or strong passwords, retailers should consider revamping their password settings to enforce minimum strength requirements, or perhaps even add a second layer of authentication.
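The three recommendations above (secure password storage, minimum-strength checks and a second authentication factor) in working form. This is an added example, not code from the article or from SecureAuth: it uses salted PBKDF2-HMAC-SHA256 with a deliberately high work factor, constant-time comparison, a small constructed common-password list standing in for a breached-password feed, and an RFC 4226/6238 one-time-code generator as the second factor. The round count, length threshold and acceptance window are assumptions to tune for your own environment.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed stand-in for a breached/common-password feed (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "holiday2015"}

# Work factor for PBKDF2; tune so one hash costs roughly 100 ms on the auth server.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'pbkdf2_sha256$rounds$salt_hex$digest_hex'; the password itself is never kept."""
    salt = salt or os.urandom(16)  # unique random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_policy_violations(password: str) -> List[str]:
    """Minimum-strength checks applied at signup or reset (thresholds are assumptions)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(set(password)) < 5:
        problems.append("fewer than 5 distinct characters")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter with dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def totp_matches(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at_time + drift * 30), submitted)
        for drift in range(-window, window + 1)
    )
```

The stored string carries its own algorithm name and round count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a migration. The one-time-code values can be checked against the test vectors in RFC 4226 (counter 0 gives 755224) and RFC 6238 (time 59 gives 287082 with a 6-digit SHA-1 code).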
Adopt SSL Encryption on Websites
Adopting SSL encryption on the website accomplishes two things for online retailers, according to Mike Walls, managing director of EdgeWave. First, it protects valuable customer information like credit card numbers. Secondly, it demonstrates to the customer that the retailer takes information security seriously. Retailers must ensure that their websites are structurally secure, Walls added. That means the information security team needs to ensure that the website development team is diligent about updating and patching their web development platform.
Conduct Penetration Tests
One of the most important things the information security team can do before the holiday shopping season is conduct website vulnerability assessments and periodic penetration tests to ensure that the website stays secure against the constantly evolving threat, Mike Walls with EdgeWave stated. In addition, retailers should adopt robust monitoring procedures to quickly and effectively detect and eliminate hacking attempts. While such tests should be done on a regular basis, it is especially important to make sure no hidden vulnerabilities exist at a time when customer traffic increases and online behaviors are unusual and unpredictable.
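The "robust monitoring procedures" Walls recommends need concrete detection logic behind them. The following is an added example, not code from the article or from EdgeWave: it parses a handful of constructed web-server access-log lines in combined format and flags clients that send decoded injection or traversal probes, advertise a known scanner user agent, or trip a burst of 404s (the classic sign of path enumeration). The threshold and signature lists are assumptions to extend with your own data.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Set
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2015:10:01:02 +0000] "GET /product?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2015:10:01:05 +0000] "GET /product?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Nov/2015:10:02:00 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "sqlmap/1.0"
198.51.100.9 - - [20/Nov/2015:10:02:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "sqlmap/1.0"
198.51.100.9 - - [20/Nov/2015:10:02:02 +0000] "GET /backup.zip HTTP/1.1" 404 0 "-" "sqlmap/1.0"
192.0.2.5 - - [20/Nov/2015:10:03:10 +0000] "GET /static/../../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.43"
192.0.2.44 - - [20/Nov/2015:10:04:00 +0000] "POST /checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures are matched against the URL-decoded request path (assumption: a starter set).
PROBE_PATTERNS = {
    "sqli": re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<script|javascript:", re.I),
    "traversal": re.compile(r"\.\./"),
}
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|acunetix", re.I)
NOT_FOUND_BURST = 3  # 404s from one client before we call it enumeration (assumption)


def analyze_log(text: str) -> Dict[str, Set[str]]:
    """Return {client_ip: {signal, ...}} for clients showing hostile activity."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    not_found: Counter = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        ip, ua = m["ip"], m["ua"]
        path = unquote(m["path"])  # decode %27 and friends before matching
        for name, pattern in PROBE_PATTERNS.items():
            if pattern.search(path):
                findings[ip].add(name)
        if SCANNER_UA.search(ua):
            findings[ip].add("scanner_ua")
        if m["status"] == "404":
            not_found[ip] += 1
    for ip, count in not_found.items():
        if count >= NOT_FOUND_BURST:
            findings[ip].add("404_burst")
    return dict(findings)
```

Decoding the path before matching matters: the second line's probe is only visible once the percent-encoding is removed. In production the same logic would run as a tail over the live log or as a query in the SIEM, with the per-client signal set feeding an alert or a rate-limit rule.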
Ensure Physical Security of POS Systems
Physical security isn’t something usually considered in e-commerce, but John Kuhn, senior threat researcher with IBM Security Services, said that ensuring the physical security of the point-of-sale (POS) system is an often overlooked but vital part of protecting the consumer. Criminals need only physical access to exposed USB ports on the POS device to steal much more than what’s in the drawer, he said: self-executing malware can be installed completely unnoticed, giving them direct access to credit card data that can be siphoned to a location on the Internet or even texted directly to their phones.
Secure Privileged Credentials
While retailers already invest a lot of money in putting up firewalls and data encryption tools to protect sensitive customer information, a hacker can bypass even the strongest defenses with the right credentials, according to Nathan Wenzler, executive director of security for Thycotic. This holiday season, retailers must have software and processes in place to actively manage who has access to the most privileged credentials (such as domain administrators, root accounts, etc.) in their environment, and change credentials regularly in an effort to neutralize an attacker’s ability to compromise these accounts.
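A minimal audit of the practice Wenzler describes (knowing who holds the most privileged credentials and rotating them regularly), as an added example rather than code from the article or from Thycotic. It runs over a constructed inventory of privileged accounts, reports which are past their rotation age or shared too widely, and generates replacement secrets with the `secrets` module. Account names, rotation ages and the owner limit are assumptions.

```python
import secrets
import string
from datetime import date
from typing import Dict, List, Tuple

# Constructed inventory (assumption): privileged accounts, when they were last rotated,
# and which teams or vendors know the current secret.
PRIVILEGED_ACCOUNTS = [
    {"name": "CORP\\Administrator", "kind": "domain_admin",
     "last_rotated": date(2015, 6, 1), "owners": ["it-ops"]},
    {"name": "root@pos-db-01", "kind": "root",
     "last_rotated": date(2015, 11, 1), "owners": ["dba-team"]},
    {"name": "svc_payments", "kind": "service",
     "last_rotated": date(2014, 12, 15), "owners": ["it-ops", "vendor-x", "dev"]},
]

# Maximum credential age in days per account type (assumption).
MAX_AGE_DAYS = {"domain_admin": 30, "root": 30, "service": 90}


def overdue_accounts(accounts, today: date, max_age: Dict[str, int] = MAX_AGE_DAYS) -> List[Tuple[str, int]]:
    """Accounts whose secret is older than the policy allows, with the age in days."""
    overdue = []
    for acct in accounts:
        age = (today - acct["last_rotated"]).days
        if age > max_age[acct["kind"]]:
            overdue.append((acct["name"], age))
    return overdue


def widely_shared(accounts, max_owners: int = 2) -> List[str]:
    """Accounts whose secret is known to more parties than policy permits."""
    return [a["name"] for a in accounts if len(a["owners"]) > max_owners]


def new_credential(length: int = 32) -> str:
    """Cryptographically random replacement secret from a mixed alphabet."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_plan(accounts, today: date) -> List[Dict[str, object]]:
    """One work item per overdue account; the new secret would go straight to the vault."""
    return [
        {"account": name, "days_old": age, "new_secret": new_credential()}
        for name, age in overdue_accounts(accounts, today)
    ]
```

The plan is what a privileged-access tool automates: the generated secret is written to the vault and pushed to the target system, and the human operator only sees that the rotation happened. Accounts that are both overdue and widely shared (here the service account used by a vendor) are the first to rotate, since the larger the set of people who know a secret, the less an access review of that account is worth.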
Proper Handling of Personal Data
Employee error is one of the biggest threats to data privacy for many industries, and that holds true for e-commerce, as well. That’s why online retailers have to stress the importance of proper handling of personal data to all of those who actually handle the data, according to Sam Pfeifle, publications director at the International Association of Privacy Professionals. It’s not just the security staff’s responsibility, but everyone who works with a database or handles customer information in any way. They need to be able to recognize sensitive information – SSNs, credit card numbers, even email addresses – and know that it has to be handled properly. Employees need to be current on the company’s security practices and policies, too.
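Recognizing sensitive information is something tooling can help with as well as training. The following added example (not code from the article or from the IAPP) scans free text such as a support note for the three data types Pfeifle names, using a Luhn check so that a random 16-digit order number is not mistaken for a card, and redacts what it finds before the text is logged or forwarded. The sample note and the regular expressions are assumptions; the SSN pattern excludes a few structurally invalid forms but is not an authoritative validator.

```python
import re
from typing import Dict, List

# Constructed support note containing the kinds of values employees must recognize.
SAMPLE_NOTE = ("Customer note: card 4111 1111 1111 1111, SSN 123-45-6789, "
               "contact jane.doe@example.com; ref 4111111111111112 is an order number.")

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> Dict[str, List[str]]:
    """Return the card numbers (Luhn-valid only), SSNs and e-mail addresses in text."""
    return {
        "cards": [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))],
        "ssns": SSN_RE.findall(text),
        "emails": EMAIL_RE.findall(text),
    }


def _mask_card(m: "re.Match") -> str:
    """Keep separators and the last four digits; leave non-Luhn digit runs alone."""
    raw = m.group(0)
    if not luhn_ok(raw):
        return raw
    ndigits = sum(c.isdigit() for c in raw)
    out, seen = [], 0
    for c in raw:
        if c.isdigit():
            out.append(c if seen >= ndigits - 4 else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact(text: str) -> str:
    """Mask cards, SSNs and e-mail local parts so the text is safe to log or forward."""
    text = CARD_RE.sub(_mask_card, text)
    text = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)
    text = EMAIL_RE.sub(lambda m: m.group(0)[0] + "***@" + m.group(0).split("@", 1)[1], text)
    return text
```

Run as a pre-commit hook on ticket comments, a filter in front of the log pipeline, or a periodic sweep of shared drives, the same functions catch the cases where someone pasted a card number into a place it should never have gone.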
Verify Customer Identities
Fraud and potential identity theft are a serious concern for consumers, but there is little a customer can do to protect their information once it is entered into the retailer’s system. That’s why retailers have to have a system in place that can verify customers’ true identities before letting them create accounts or make purchases, said Jason Tan with Sift Science. Machine learning technologies are able to pick out small clues to fraud that may not be obvious to human analysts and tease out patterns that pinpoint suspicious users.
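The "small clues" a fraud model works from are features such as order velocity, the number of cards an account has used, billing/shipping mismatches and devices shared across accounts. The following added example (not code from the article or from Sift Science) extracts those features from a constructed order stream and combines them with a hand-weighted score; a real deployment would learn the weights from labelled chargeback data, but the feature extraction is the same. The orders, weights and review threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed order stream (assumption: the order system exposes these fields).
ORDERS = [
    {"id": 1, "account": "alice",   "device": "dev-A", "card": "1111", "bill": "US", "ship": "US", "amount": 89.0,   "ts": datetime(2015, 11, 27, 9, 0)},
    {"id": 2, "account": "mallory", "device": "dev-X", "card": "2222", "bill": "US", "ship": "CA", "amount": 1299.0, "ts": datetime(2015, 11, 27, 9, 1)},
    {"id": 3, "account": "mallory", "device": "dev-X", "card": "3333", "bill": "US", "ship": "CA", "amount": 1199.0, "ts": datetime(2015, 11, 27, 9, 3)},
    {"id": 4, "account": "mallory", "device": "dev-X", "card": "4444", "bill": "US", "ship": "CA", "amount": 1399.0, "ts": datetime(2015, 11, 27, 9, 4)},
    {"id": 5, "account": "bob",     "device": "dev-X", "card": "5555", "bill": "US", "ship": "US", "amount": 45.0,   "ts": datetime(2015, 11, 27, 9, 5)},
    {"id": 6, "account": "carol",   "device": "dev-C", "card": "6666", "bill": "US", "ship": "US", "amount": 250.0,  "ts": datetime(2015, 11, 27, 12, 0)},
]

# Hand-set weights standing in for learned coefficients (assumption).
WEIGHTS = {"velocity": 3, "many_cards": 3, "geo_mismatch": 2, "shared_device": 2, "high_amount": 1}
VELOCITY_WINDOW = timedelta(minutes=10)
REVIEW_THRESHOLD = 5


def score_orders(orders: List[dict]) -> Dict[int, Tuple[int, List[str]]]:
    """Return {order_id: (risk_score, [signals])} using account- and device-level context."""
    by_account = defaultdict(list)
    accounts_per_device = defaultdict(set)
    for o in orders:
        by_account[o["account"]].append(o)
        accounts_per_device[o["device"]].add(o["account"])

    results = {}
    for o in orders:
        signals = []
        same_account = by_account[o["account"]]
        recent = [p for p in same_account if abs(p["ts"] - o["ts"]) <= VELOCITY_WINDOW]
        if len(recent) >= 3:                                   # burst of orders from one account
            signals.append("velocity")
        if len({p["card"] for p in same_account}) >= 3:        # card cycling
            signals.append("many_cards")
        if o["bill"] != o["ship"]:                             # billing/shipping mismatch
            signals.append("geo_mismatch")
        if len(accounts_per_device[o["device"]]) >= 2:         # one device, several accounts
            signals.append("shared_device")
        if o["amount"] >= 1000:                                # high-value basket
            signals.append("high_amount")
        results[o["id"]] = (sum(WEIGHTS[s] for s in signals), signals)
    return results


def orders_for_review(orders: List[dict], threshold: int = REVIEW_THRESHOLD) -> List[int]:
    """Order ids whose score meets the threshold, for step-up verification or manual review."""
    return sorted(oid for oid, (score, _) in score_orders(orders).items() if score >= threshold)
```

The point of the account- and device-level aggregation is that none of the flagged orders looks wrong on its own; it is the pattern across orders (three cards in four minutes, all shipping away from the billing address, from a device another customer also used) that a per-transaction rule would miss. Orders over the threshold are the ones to send through step-up identity verification before fulfilment rather than to decline outright.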
Vet Third-Party Vendors
Continued expansion of product lines for online retailers frequently means growth in third-party relationships (additional suppliers, merchants, marketing firms and so on), according to Tony Buffomante, KPMG cyber consumer markets leader. These relationships may mean sharing technical platforms, data, customer information or other intellectual property. Online retailers should therefore be concerned about the information security controls of third-party vendors that store or process customer information on their behalf.