The retail industry saw more than its fair share of data breaches in 2017, with security incidents impacting at American supermarket chain Whole Foods Market and clothing companies Brooks Brothers, The Buckle, and Forever 21, to name a few. At least some of those events likely resulted from retailers' poor data breach preparation. Consider the fact that just 28 percent of IT security professionals told Tripwire in November 2017 that their organization had a fully tested plan in the event of a breach. It's also worth mentioning that close to half (44 percent) of companies included in Verizon's 2017 Payment Security Report failed to protect payment card data on an ongoing basis and that 100 percent of all breached Payment Card Industry (PCI) certified companies had previously failed a PCI compliance audit.
So, what can retailers do to make sure they don't fall victim to a data breach in 2018?
Added protections like chip and pin, and end-to-end encryption are good improvements for consumers. Even so, organizations would be wise to step up their defenses in 2018. That's because malicious actors are constantly developing new methods of attack with which to target retailers. To illustrate, Forrester Research anticipates cyber-criminals will begin developing point-of-sale (POS) ransomware in 2018, making retailers their next lucrative target for extortion-based ransom demands. Cybercrime shows no signs of slowing down. As a result, retailers would have a lot to gain by going beyond compliance and taking a holistic approach to securing and maintaining the integrity of their systems. Such measures would help protect them against security incidents and their consequences like negative headlines, angry customers and hefty fines. Take the European Union's General Data Protection Regulation (GDPR), for example. Failure to comply with GDPR could be fined up to four percent of the annual turnover of the business. The consequences could even be more serious than legal fees and unflattering press. Following Uber's most recent data breach disclosure, top Democrats in the United States Senate introduced the Data Security and Breach Notification Act. The legislation would require companies to report data breaches within 30 days. If an individual knowingly conceals a data breach, they could face up to five years in prison under the legislation. PCI requirements like multi-factor authentication can help companies take steps in the right direction. However, strategic, foundational steps need to be taken to preserve system integrity. Organizations should think of this as a business journey and not a check-box exercise. Before looking at specific tools or technologies, they should, therefore, take a look at what foundational steps they need to take to preserve system integrity:
Know Your Attack Surface
Organizations should make sure they have visibility into the devices and software they have on their networks. Are there unauthorized devices on the network? Is there unauthorized or unmanaged software throughout the network that brings risk into the environment? From there, organizations can define their attack surface, or the sum total of points of interaction which could present access to a vulnerability or misconfiguration. An attack surface also covers fully authenticated and authorized connections. Indeed, every interaction to a corporate network presents a certain amount of risk, so it's important an organization documents each and every connection to understand the corresponding level of risk posed to the business.
Minimize Your Attack Surface
Once organizations know what they have on their networks, they need to make sure that all those devices, applications, and operating systems are configured properly and securely. They should be configured to a defined ideal and secure state following industry best practices and standards, as well as internal policies. This is often called "hardening" systems to reduce the attack space. Due to the number of interactions on most corporate IT environments, it's unlikely that organizations can reduce their attack surface as an enterprise project. Even so, they can target certain points that amplify benefit. They should also review their vulnerability management program and other tools to determine if those solutions can be configured to provide insight into the attack surface.
Monitor Your Attack Surface
Once systems are configured and patched appropriately, they should be monitored for any changes and new risks. This includes checking for and fixing vulnerabilities, making sure secure configurations are maintained, managing administrative privileges, and paying attention to log data. Keeping track of administrative privileges and log activity will also help identify and investigate suspicious activity. Organizations should then take this information and track it over time. Whatever trends result from that process can eventually help them make business decisions that reduce risk.
Going Beyond the Check-Box…
Major data breaches happen because of a simple misconfiguration issue or failure to patch a known vulnerability. With that said, strong system integrity and adequate security posture must be built strategically and holistically, not through a check-box exercise. Only then can organizations effectively comply with PCI and GDPR and most importantly manage their risk against serious data breaches and cyber incidents. Interested in learning about the latest processes and technologies used to protect payment and personal data? Consider attending the 16th PCI London event. You can learn more about the event here. For information on how Tripwire's solutions can help your organization achieve and maintain PCI compliance, click here.