This week on our blog, we have a guest post from Jon Heimerl, manager of the threat intelligence communications team at NTT Security, who reflects on our latest quarterly SERT Report.
The retail industry remains an attractive target for cyber criminals. It is placed in the top three most targeted industries in each of the last eight quarters and, according to our SERT Report, the volume of attacks against retail clients rose by 11% from 2015 to 2016.
So why is retail a high priority target for hackers?
Ultimately, retailers are challenged with operating in an environment that is more complex, faces evolving compliance requirements, is under greater scrutiny, and is being attacked more often than ever before. They also typically manage large volumes of transactional financial data, gathering credit card information as well as a variety of personal information through loyalty plans.
This financial and private information is highly valuable to criminals and the security implications to the retail bottom line are very real. In fact, the costs of a breach are higher than they have ever been. The Ponemon Institute’s latest breach study indicates that, during 2016, data breaches cost retail companies an average of about $172 per record (above the $158 average in other industries), for a total of about $4 million per breach.
In order to mitigate a breach, and subsequently reduce the cost implications of one, retailers need to manage the type of data that attackers find valuable. Here are some security controls which can have immediate and measurable impacts for retailers:
- Verify proper identification, classification, labeling and handling of sensitive and critical data. This includes identifying the most sensitive and critical data.
- Conduct effective risk assessments to manage risk, especially in working with third parties including vendors, suppliers and contractors.
- Enforce a comprehensive vulnerability management programme.
- Maximise the effectiveness of available technology. Whatever security and information technology retailers are using, ensure the implementation of that technology has been truly architected into the environment and implemented in a planned migration.
- Design and build an incident response plan. The single most effective step to reduce the time an organisation is under attack is to define, and properly staff, an effective incident response plan. Defining how an organisation will react ahead of time can be key to how well it survives a data breach.
The report also included updated numbers for how much criminals were getting for stolen credit card numbers. Stolen credit cards, including security cards, were fetching around $7 per card in the U.S. in December. Full identity dossiers were going for $30 each. Loyalty plan details are particularly interesting to criminals, the report said, because they often contain other personal information about the customer.