Recently, I asked a roomful of CISOs from a variety of industries — including retail — how many of them had an incident response plan or even an incident response retainer in place. Even in that room, where every single person was in charge of safeguarding his or her organization’s data, only 20 percent raised a hand.
A number of the security professionals justified their lack of planning by noting that their insurance covers financial losses from a cyberattack. That’s a bit like refusing to wear a seatbelt and saying, “It’s fine, I have health insurance.” Why would you want to expose yourself — or your organization — to unnecessary risk?
Retail companies face more than financial losses when hackers infiltrate their networks and gain access to customer data. Hacked retailers will inevitably find themselves combating negative headlines and may lose the trust of their customers. No insurance covers that.
Keep Your Data Safe
Retailers should consider these four measures to prevent making news for the wrong reasons:
1. Blocking and Tackling
I cannot stress this point enough: Organizations must invest in security tools such as next-generation firewalls with features that include intrusion prevention, application visibility and control, and malware protection. Other products, such as next-generation endpoints, should be added to kiosks and point-of-sale (POS) systems to mitigate risk at the endpoint. Further, organizations must patch systems in a timely manner. Too often, I hear of organizations waiting a month or more to apply patches to known vulnerabilities. This is simply unacceptable.
2. Threat Check
During a CDW Threat Check engagement, our engineers deploy an appliance that passively monitors an organization’s environment. The device plugs into a network port to collect data on any existing vulnerabilities. While a Threat Check itself doesn’t mitigate these vulnerabilities, it provides an organization with vital information about intrusions, viruses, worms, Trojans, botnets, malware and spyware that may be hiding within a network, and helps to create an actionable plan. The monitoring device typically searches for malicious traffic for around five to ten business days.
3. Penetration Testing
A custom penetration testing engagement provides retailers with a vivid illustration of the ways in which their networks are vulnerable to attack. During penetration testing, CDW’s solution architects perform a full-scale (but harmless) assault on a company’s systems, trying to gain access to the network in any way possible. This may involve replicating an organization’s wireless environment to see how many users connect to rogue access points, as well as attempts at social engineering; for example, dropping USB drives in an employee parking lot to test whether users will plug the unknown devices into company computers.
Some organizations even ask us to simply walk through the front door and attempt to follow IT staff into sensitive areas. The only way to accurately determine how effective existing security measures are is to subject them to such real-world penetration attempts.
4. Incident Response Planning
Retailers must be able to detect a breach as early as possible and to respond to attacks in a way that limits damage. Many organizations lack proper analytics tools that could help them identify breaches, instead relying on credit card companies to inform them of anomalous activity. A good response plan is just as important as the right tools.
In the case of a breach, IT managers should know exactly who to call, how to fix the problem and even how to communicate with shareholders and customers about the attack. For many organizations, it makes sense to keep a third-party security partner on retainer. This option provides retailers with the peace of mind that comes with knowing that an incident response will be thorough, aggressive and nearly instantaneous.
This blog post brought to you by:
Forcepoint™ safeguards users, data and networks against accidental or malicious insider threats to outside attacks, across the threat lifecycle.