Although the retail sector has by no means seen the greatest frequency of cyber attacks in recent years, several that have occurred have accounted for a huge percentage of the records actually stolen.

Compounded with the sensitivity of the information typically taken in such a breach (credit card details, passwords and personal information) and its appeal on the black market, major breaches such as those at Target, Home Depot and eBay in recent years have landed concern about commercial data security — and questions about who should be held liable for failures — front and center in the minds of retailers and consumers alike.

What can be done about the security of customer information? How are criminals slipping through seemingly secure systems? What can be done to thwart them? And who is responsible for the resulting financial losses when these efforts fail?

According to cybersecurity experts, the outlook is, frankly, a little bleak, but not hopeless — so long as organizations take serious strides to not only implement but vigilantly maintain stringent, systematic plans to keep data secure. This means ensuring that their systems as well as those of their partners, vendors and subsidiaries are secure from data leaks. IT security teams must be provided with adequate resources, both human and financial, and security education and awareness must become a part of company culture. The C-suite has to make data security a top priority. Given the increasing frequency and effectiveness of such breaches and how much such breaches can cost, it should be getting easier to convince the top brass that a boost in attention and resources flowing to cybersecurity efforts is well worth it.

As the holiday shopping season gets underway, let's take a look at three of the major retail data breaches in the past few years to see what we've learned:


1. Target and Home Depot lesson learned: Vet your third-party vendors

According to cyber crime reporter Brian Krebs, investigations found that the Home Depot registers involved in the attack were infected with a variation of the same malware found on compromised Target registers. This software is designed to grab data from cards swiped at an infected point-of-sale system. In both cases, criminals accessed the retailers' networks through that of a third-party vendor. Once in, the criminals were able to exploit a vulnerability in Windows, the operating system running the registers, to upload the malicious program.

Going after corporate data through vendors or less-protected subsidiaries is becoming a more common practice of cyber criminals. Smaller vendors and recently acquired smaller companies sometimes struggle to keep on top of data security. Organizations whose systems contain the personal and financial data of millions of customers have a responsibility to vet the vendors they work with (and the companies they acquire) meticulously to ensure that digital security protocols are up to standard and are enforced. Vendors and employees should only be able to access what is necessary for them to carry out their work, and the security measures on their own systems should be robust and reliable.

What makes for a robust and reliable protocol? Here are some things to consider:

  • Procedures for granting and removing access to employees should guard against unauthorized access to the company network.
  • Monitoring of security logs must be routine and consistent to ensure that attacks or breaches are identified quickly.
  • Companies should have a password security protocol and it should be enforced. Employees should change passwords regularly and be well-educated on the importance of password security, the methods criminals use to acquire login and password information and how to create a secure password. Two-factor authentication is a great indicator that a company takes password security seriously.
  • Bring-Your-Own-Device policies should be clear, comprehensive and carefully enforced.
  • Companies should ensure that the connection between networks is entirely secure. If sensitive data is being passed back and forth, make sure both you and your vendor have the capability to properly encrypt it.
  • Adequate firewalls, anti-virus and anti-spam software should be in place and kept up to date. Don't forget the security of physical terminals — all the data protection in the world is useless if someone can access the system on-site or pick up hardware that hasn't been properly decommissioned.
  • There should be a process in place for ensuring that frequent patches from software vendors are applied as soon as they are made available.

We in the insurance industry have long been advised — and often required — to vet third-party vendors regularly and carefully. It has now become clear that retail organizations would do well to follow the same advice.


2. eBay lesson learned: Data protection at all levels must be prioritized

A report from the International Business Times following the 2014 attack on eBay's network indicated, with regard to an investigation by the relevant regulatory bodies:

Of particular interest will be the lack of encryption used to protect customer names, email addresses, physical addresses, phone numbers and dates of birth. Investigators will also analyze why it took eBay nearly three months to detect the hackers, how long it took to fix the breach and how long the company waited to notify authorities and customers.

Recent increases in identity theft and new account fraud tell us that encrypting personally identifiable information can be as important as encrypting financial information. Breaches like the one at eBay highlight how difficult it can be to detect attacks if the right systems are not in place to make sure relevant data is reviewed in a timely manner. Just like any other business process, log reviews, protocol revisions and security updates can become an automated part of a company's workflow. Well-thought-out systems help to ensure that every feasible measure is taken to protect sensitive information and that new protocols are smoothly integrated as new threats arise and new solutions are found.

Cyber crime is advancing quickly. It is imperative that companies move plans for pervasive data security systems from the "intention" stage to the "in action" stage, and quickly.


3. PNI Digital Media lesson learned: Get the board on board

PNI is a company that operates an on-demand photographic printing service for CVS, Sam's Club, Costco, Rite Aid, Wal-Mart Canada and others. So far, relatively little is known about the PNI breach, but there has been much speculation as to how it happened, why it was allowed to happen and why it went undetected for nearly a year. We don't like to give too much credence to speculation; however, the theories put forward can give us some insight into some of the overarching problems of data security, as identified by cybersecurity experts.

When news of the PNI breach broke in July of this year, Brian Krebs noted that the company had been acquired by Staples Inc. around the time that the breach is thought to have been initiated. This was worth mentioning because Staples itself had suffered a breach in mid-2014 that went undetected for some six months and exposed more than a million customer credit card records. This may or may not stand as evidence that the company is giving inadequate attention to cybersecurity, but it does seem to indicate that inadequate boardroom support for Internet security efforts is one of the problems security experts have identified.

This has been highlighted by the recent breach at Experian that resulted in the theft of personally identifiable information records — including Social Security numbers — of 15 million T-Mobile customers. During his investigation of that case, Krebs interviewed several security experts who had left the Experian security team specifically because the folks at the top refused to dedicate adequate resources to securing the credit bureau's extremely sensitive digital files.

Following the massive breach at Target in 2013, similar concerns were raised, and, in the end, the company's chief information officer resigned. A new CIO, chief information security officer and chief compliance officer were sought to take her place. Whether more leadership at the top is a solution to the problem remains to be determined, but the need for the C-suite to understand and keep a watchful eye on its digital security protocols is becoming clear.


4 cyber security tips for retailers

Here are four tips for retailers on maintaining cyber security, based on some recurrent themes that have emerged from the retail data breaches.

>> Educate employees

Cybercriminals have become particularly fond of phishing to gain access to otherwise secure networks. With a little social media skulking and email contact, they are able to obtain much of the information they need to access login and password information that grants them broad access to corporate networks. Employees have to be informed of the methods criminals use to obtain this information. From clerical workers to the CEO, every employee and vendor needs to understand basic preventative measures — such as how to recognize a phishing attempt or how to create and maintain a secure password — and corporate policy needs to make clear the necessity of following security protocols.

>> Get help

Another theme that seems to recur in cyber crime prevention conversation is the possibility that data security may be a task best left to experts. Even in very large companies that can afford to maintain full security teams, those teams often struggle to acquire the resources they need in a timely manner, because their success is generally not the top priority for the company. A security agency, on the other hand, relies on this strength to stay in business — this is their core competency. In addition, external agencies are able to be more objective about how to prioritize security and to draw on a broad range of experience and a much deeper well of knowledge.

This is one of the benefits companies seek in migrating to the cloud. A reputable cloud host is well aware that the security of its servers and its ability to protect the data entrusted to it is indispensable if it is to compete and survive. As a consequence, cloud servers will likely be some of the most secure places to store data into the future.


>> Crack down on cyber criminals

Opinions are divided on whether governments are really in a position to stem the tide of cyber crime, which is by its nature heedless of national borders. Nevertheless, some experts believe governments will have to become more involved in the investigation and criminal prosecution of cyber crime. Without such a large, international effort, they say, the cost of securing data and recovering from attacks will eventually outstrip the benefits of conducting business in cyberspace. Suggestions include an international governing body that would work not only to stop cybercriminals, but also to regulate security measures, requiring companies around the world to adopt a universal baseline of prevention and detection methods.

>> Make individual cyber hygiene a habit

The time has come for all of us to accept that we have to step up our personal online protection if we want to keep our financial and personally identifiable information safe from criminals. Just as we once had to accept that we should lock our doors and keep the children in the yard, we now have to realize that certain inconveniences such as using a different password for every online service and storing those passwords in a secure app or, better yet, in our memories, must become a matter of habit. Credit card and loan offers that could once be discarded with the junk mail should be shredded, and credit card statements need to be reviewed every month. Individuals have to be more diligent about avoiding emails from unfamiliar addresses or clicking on mysterious links. Even phone calls that seem to come from benign solicitors or even familiar institutions like banks and workplaces may be phishing attempts.

The more consumers are acquainted with methods to protect themselves from fraud and identity theft — and the consequences if they choose not to — the fewer claims a company has to cover and the less a store loses on fraudulent purchases that no one — not the credit card holder, the credit card company nor the credit card fraudster — is going to pay for. What's more, customers who know they have protected themselves will have greater confidence in the security of their information as they venture out to make purchases. A better informed consumer will always be a benefit to the market.

The time has come for everyone to recognize cyber crime as a serious threat to economic security for both individuals and corporations. We may not yet know how to shut down cyber criminals completely, but there is a long way to go before we can say that we have done all we can.

Lance Spellman is the founder and President of Workflow Studios, an enterprise software development consulting company in Dallas, Texas.
