8 lessons learned from retail breaches

By Rick Kam
08:09 AM

From hamburgers (Dairy Queen) to heels (Neiman Marcus) to hammers (Home Depot), retailers of nearly every stripe have been bitten by the data breach bug.

Although most healthcare organizations don’t have a drive-through or Black Friday sales, they are responsible for managing sensitive data and can gain valuable insights from these retail breaches to better protect their patients and employees:

1. Where there is data there is risk. Cybercrime is evolving as fast as cybersecurity, and breaches will happen despite best efforts, so the only true security comes in the ability to effectively manage risk.

2. External threats are increasing in importance. According to Ernst & Young’s 2014 Global Information Security Survey, respondents list criminal syndicates (53 percent), state-sponsored attackers (27 percent), hacktivists (46 percent), and “lone wolf hackers” (41 percent) as the most likely sources of attack, compared to previous surveys in which respondents cited employees as the most likely source.

3. Cybercriminals are cutting out the middleman. Five years ago, a sluggish economy made it easy for criminals to recruit employees to steal information, from skimming credit cards in fast food restaurants to copying medical records. But today, with increasing digitization and outward-facing applications such as point-of-sale systems, criminals can often cut out the middleman.

4. New, large-scale attacks are replacing older methods. Skimming, spam, and phishing may become tactics of the past: slow and unprofitable compared to malware that can steal millions of users’ information at a time. Network security company Damballa estimates that the number of computers in North America infected with the Backoff malware that caused the Target breach increased by 57 percent between August and September, and most recently MCX, the coalition of retailers backing the mobile payment system CurrentC, was hacked. (The losses consisted mainly of email addresses and dummy accounts, but cybercriminals already have this new payment system in their sights.)

5. Criminals are finding multiple uses for stolen data. As Steve Durbin of Information Security Forum pointed out in PC World, buyers can use the credit card numbers and associated personal information not only to clone credit cards, but also for credit fraud and identity theft.

6. To some degree, data breaches affect consumer confidence. A new study by Deloitte found that while 42 percent of consumers are worried about their personal data when making in-store purchases, 56 percent still plan to do their holiday shopping at retailers that have experienced a breach. Still, these breaches have affected businesses. Target’s breach last year resulted in falling sales. The Deloitte study also found that breaches are more likely to weigh on older shoppers, a sobering thought in light of the fact that by 2017, baby boomers will control 70 percent of the disposable income in the United States.

7. Turn the negative into a positive. International Business Times observes that the retailers hit the hardest are the ones leading the movement toward better security. Target and other retailers are pushing for the use of “smart cards,” credit cards that use embedded microchips to encode transaction data, making it useless to hackers. Target has also changed more than 400,000 passwords and installed new POS systems. Other retailers have concluded that the less said about security measures, the better. A Neiman Marcus spokesperson told IBT: “One of the things we learned during the breach was not to talk publicly about improvements we have made to security.”

8. Realize the inevitability of data breaches — and act accordingly. Upfront defenses are just the ante in the security game. Every organization that takes payment or other personal information from its customers (or patients) must manage the risks of the breaches that are almost inevitable in our increasingly digitized world.

Every organization (healthcare or otherwise) needs to:

• Know where its data lives and travels, and in what form (encrypted, identified or deidentified, etc.).
• Monitor systems 24x7 for possible compromise.
• Instill a culture of security where every employee is a guardian of the customer’s data.
• Be ready not only with a response plan, but also trained staff and tools that help to quickly assess risks, determine response, and generate the documentation required for compliance. (HIPAA, anyone?)

As the Japanese writer Haruki Murakami said: “Pain is inevitable. Suffering is optional.”

Today’s security professionals know that risk is inevitable. The only option is to manage that risk so well that damage and suffering to the organizations — both in retail and in healthcare — are not.