In retail cyber-security, bigger isn't always better
By Keith Swiat, director of security and privacy consulting, McGladrey LLP
For all intents and purposes, 2014 was the “year of the breach.” Some of the most recognized companies fell victim to cyber-attacks, resulting in an unprecedented amount of sensitive customer data being released, followed by fraud. Now that the holidays are over, most of us are not-so-eagerly awaiting our credit card statements — not only because they will detail the “damage” done by our holiday shopping but because after last year’s highly publicized incidents, we know that we need to scrutinize those statements more closely than ever.
While many breaches that don’t make the headlines, those that did in 2014 had one thing in common: all of the companies involved were large, national or international chains. Most of us have likely used our credit cards at these retailers, which have hundreds of thousands of employees, thousands of retail outlets and dozens of data centers. This means they also have complex information security programs with many “moving parts.” This can actually be an Achilles heel of retailers — one that might give mid-sized retailers a “leg up,” as their smaller size and inherent nimbleness often reduces the possibility of breaches and, as a result, unhappy customers.
But, before we dive into the fun stuff, what do we mean by sensitive data? It is any data that can be used for financial or political gain. In the context of retail merchants, sensitive data is usually payment card information. However, in light of recent breaches, we see a trend toward hackers putting a higher value on other types of data, including personally identifiable information (PII) such as Social Security numbers.
This brings us to the first reason smaller, mid-sized retailers have a leg up. The type of sensitive data an organization handles dictates the governance and compliance programs to which it must adhere. Because they perform payment card transactions, all retailers must be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). One thing to remember about PCI-DSS is that the larger the merchant, generally the more resources it takes to support its compliance efforts. In addition, the time it takes for a large merchant to complete its annual PCI compliance is longer than the time needed by a smaller retailer. This is important because, like many compliance programs, PCI-DSS is a snapshot in time. Since more time is needed to complete assessments for large merchants, the likelihood of the assessed environment changing during the assessment — leading to inconsistencies in findings and remediation requirements – increases.
Another aspect of compliance that is significantly impacted by an organization’s size is sampling. Large merchants need to sample their environments since looking at every system in scope is too labor intensive. Small- to medium-size merchants have a better chance at performing complete reviews, thereby maintaining tighter control of their overall compliance.
The second aspect is technology. Because of the complexity of their infrastructures, large merchants more often than not, aren’t able to move rapidly when it comes to adopting and implementing new technologies that could reduce the number of systems handling sensitive data. For example, point-to-point encryption technologies encrypt payment card information as it is swiped through a reader. This information remains encrypted until it reaches the merchant’s acquiring bank. In these implementations, the merchant does not have the ability to decrypt the data, which greatly reduces their “attack surface.”
In addition to issues implementing new technologies, updating existing software/hardware to the latest, most secure versions can be difficult. Large retail merchants usually have extensive install bases for point-of-sale software/hardware. Upgrading to the latest and most secure version is typically easier said than done. For organizations with hundreds of locations, rolling out new versions of software can be a multi-year endeavor. Smaller merchants with fewer locations can more rapidly deploy newer, more secure versions of software.
In addition to software and hardware, a major factor in the security of an organization is its physical footprint, making location the third factor in data security. Large organizations usually have distributed information security management teams, often separated by multiple time zones and continents. In the event of a potential breach, making quick decisions about which services or hosts to shut down and which network ports to disable is critical to reducing the probably of unauthorized access to sensitive data. When malicious activity is spotted in a non-critical portion of the infrastructure, local resources normally have the authority to take affected systems offline to investigate. However, when the malicious activity is on a mission-critical system such as the back-end database for the company’s e-commerce site, corporate management approval is often required. If this authorization comes hours later, perhaps from a manager in a different region or time zone, precious time is wasted. The size and physical proximity of small- and medium-sized retailer information technology (IT) teams often foster better communication to allow for the flexibility and empowerment necessary to elevate risks.
This brings us to the final factor: culture. IT organization charts for larger retailers typically contain more resources than those of smaller retailers. Unless large retailers’ IT teams have robust cross-training and communication between groups, it might be difficult for all of the groups to work toward the same security goals. How well the individuals in an IT team know one another, and where they are based have a lot to do with the culture and how potential cybercrime is handled. For example, at larger companies, teams might be spread across time zones and continents, and team members might not have even met the chief information officer. At small- and mid-sized retailers, IT teams are smaller, fostering better communication to allow for the flexibility and empowerment necessary to elevate risks. Smaller companies also have the ability to make quicker and more effective cultural changes and to break through bureaucracy to allow security professionals to access the C-suite when necessary. All of this ideally leads to fast decision-making and, ultimately, increased security for customers’ sensitive information.
(Photo by Alec Tabak.)