The retail sector is one of the most fertile grounds for cyber criminals. Experienced hackers know that retail has never taken IT security seriously. This is in direct contrast to the connected parts of the industry, such as banking and payment processing, that directly handle customer payment card data. IT security is seen by most retailers as a reactionary spend in times of crisis, and IT in the retail industry is continuously perceived as an area in which to reduce costs.
Maximizing profits is the normal business mentality that most retail organisations follow. They want to maximise the return on their investments by driving down prices, controlling costs, and turning over their inventory as fast as possible. Investing in information security to protect the private financial data of customers seems to be a distant thought.
There have been targeted data breaches at some of the largest retail giants in the world, including Home Depot, Staples, and Target. None of the executives at these organisations had considered the essential role that cyber security prevention plays until the actual breaches happened. It is other retailers that they view as the main threat to profitability, not the misuse of customer financial data.
A large factor in the complacency of retailers has been that no amount of negative publicity about these data breaches has stopped people from shopping at the affected retailers. This is compounded by the stock market valuations of these organizations showing only very small, momentary movements. Today’s data breach soon becomes yesterday’s news, and life goes on without any real lessons learnt or critical processes adjusted.
Most consumers would be horrified to learn about the real state of IT security at many of the largest retailers in the world, especially those companies that handle millions of transactions on customers’ credit and debit cards daily. A startling amount of private data is harvested from consumers for targeted marketing, and much of it is stored in data centres with very little emphasis on security. The sensitivity of customer details has been overlooked to such a degree that incidents have been reported such as a pregnant girl having her pregnancy revealed to family members before she had actually told them herself.
Rather than directly fix the security holes in their IT systems, companies have almost preferred to do nothing and pay the fines they receive for non-compliance with regulatory standards such as Payment Card Industry (PCI) and Decision Support Services (DSS). IT security professionals in the retail industry are encouraged to treat the problem as a top priority or face the unemployment line. This was reiterated with the recent Target data security breach, as the Chief Information Officer of Target was asked to resign after it happened.
Cyber criminals are learning and adapting to new security interventions every day. There is an overdependence on perimeter security tools like firewalls and antivirus software, so that once a network has actually been breached, the hackers have unrestricted movement inside the company’s network. Sophisticated criminal gangs are launching cyber attacks in an effort to get hold of key customer data for fraudulent purposes.
This can be in the form of credit and debit card data, or the private consumer behaviour data that the company has collected and analysed. This type of data can fetch high prices on the black market. Hackers and criminals even use the internet to build websites that look like established companies’ sites, and send out emails to the addresses in the stolen data offering great deals, to aid the hackers in the theft of essential credit card information.
There are a number of practical steps that retailers can take to protect themselves against cyber crime. As online shopping becomes a greater part of our lives, there needs to be serious talk between the IT department and corporate management so that they align themselves around similar goals. Too often the warnings about security risks are ignored by higher levels of management because of the perceived cost of implementing the security measures. IT departments, for their part, routinely fail to communicate just how devastating the impact on the business can be from certain security breaches.
There needs to be a broadening of the scope of regulatory compliance standards. This applies predominantly to the US and Europe, which have had the highest-profile cases of data breaches. Such compliance should cover not just bank and credit card transaction details, but personal details too. Satisfying the auditors shouldn’t be considered an adequate approach to regulations such as PCI and DSS. Ensuring that data stored in data centres is encrypted is a simple step that is within the power of most organizations, and it can render the breach of a network a wasted effort by hackers.