Guardians At The Gates: Higher Bars Being Set for Securing PPI As Retail Sales Surge in 2019
By: Ali Gomulu
It’s official: Cyber Monday online sales hit record $9.4 billion, according to data from Adobe Analytics. And so far, holiday shoppers have spent $81.5 billion online between Nov. 1 and Dec. 2, also according to Adobe.
Black Friday sales also reached record levels, according to Salesforce, which tracks revenue from more than 500 million shoppers in 30 countries. 2019 Black Friday saw $7.2 billion in digital sales in the U.S. alone, up 14% over last year.
Brick-and-mortar sales were also up 4.2% over last year, according to an annual holiday spending report from First Data (the payments giant which is now part of Fiserv).
In total, we’re celebrating over $100 billion in sales, so far this holiday season – and that means more transactions that include sensitive and private consumer information being shared, along with strategic data valuable to retail competitors.
Online businesses operate in an increasingly competitive environment, and with the fusion of digital and physical commerce (with mobile shopping apps, mobile payments apps, beacons to guide shoppers, and “buy online, pick up in store”), retailers and e-commerce marketplace companies have an even greater responsibility to ensure security and privacy.
Customers and consumers expect fast, reliable, and efficient services, while regulators are committed to ensuring protection by adding new regulations and standards, including the Payment Card Industry Data Security Standard (PCI DSS), which add complexity and cost to compliance.
In addition to protecting private data and corporate information, the networks that support online and in-store commerce also need high quality, uninterrupted service continuity and secure communications – and if network infrastructure is not protected against intentional or accidental threats, every second of downtime can result in millions in lost revenue and damage to reputation.
The Payment Card Industry Data Security Standard (PCI DSS) in the U.S. requires the presence of a firewall and establishes a framework for best practices and standards that help build and maintain confidence.
The European Union's personal data protection regulation, the General Data Protection Regulation (GDPR), imposes significant constraints on the management of your data, including systems designed for confidentiality, storage location, data retrieval and recovery rights.
While firewalls, intrusion detection and prevention are table stakes, Privileged Access Management (PAM) is fundamentally important to secure valuable assets, data and reputations.
Websites and mobile applications are the preferred attack vectors used by hackers. Protecting servers and web applications can be made much stronger with PAM.
Privileged Access Management (PAM) is a cyber security domain within Identity and Access Management (IAM) that focuses on monitoring and controlling privileged users and privileged accounts within an organization.
In every large retail and ecommerce organization, privileged users have access to IT and network infrastructure for operation and administration purposes, as well as access to sensitive information, including customer records, employees’ payroll and financial records.
Sample privileged users are:
- System, database and application administrators who have continuous and unrestricted access to a broad range of assets
- Help desk agents who have restricted access to a broad range of assets
- Business application (e.g. ERM, Salesforce) users or users of an organization’s social media (e.g. LinkedIn, Twitter) accounts
- Non-employees, such as vendor support, consultants, contractors
Privileged users can access retail and ecommerce critical systems, resources and assets using privileged accounts. These accounts include local and domain administrative accounts, service accounts, emergency accounts, application accounts, and are referred to as “the keys to the kingdom.”
They are primary targets of both external and internal malicious users and have been used in successful attacks to gain access to an organization’s critical systems and resources, resulting in data breaches or service outages that have material business impact.
PAM solutions provide monitoring, auditing, tracking and authentication controls to prevent unauthorized access to critical systems and privilege misuse. Common capabilities are:
- Privileged Account Management (e.g. discovery of system/service accounts, securely storing and randomizing such passwords, including making them invisible to users)
- Event logging (e.g. access requests, logins, added/deleted users or systems)
- Session recording (e.g. video records of sessions, keystroke logging, command logging)
- Least Privilege Management (who can access which systems and under what restrictions)
- Integration with Enterprise Applications (e.g. Active Directory, Asset Inventory, IT service management, 2-Factor-Authentication)
- Emergency/break-glass access
- Audit trails and reports to meet regulatory compliance mandates
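As an added illustration (not code from the original post or from Ironsphere's product), the following Python sketch models the capabilities listed above: a vault that hides and randomizes privileged credentials, enforces a least-privilege policy (who may reach which system, when, and with a second factor), records break-glass use with an alert flag, and keeps an append-only audit trail. All users, systems and policy rules are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

# Least-privilege policy: who may reach which system, during which hours,
# and whether a second factor is required. Constructed sample data.
POLICY = {
    "dba_alice": {"orders-db": {"hours": (8, 18), "mfa": True}},
    "helpdesk_bob": {"pos-gateway": {"hours": (0, 24), "mfa": True}},
    "vendor_carol": {"pos-gateway": {"hours": (9, 17), "mfa": True}},
}

@dataclass
class Vault:
    policy: dict
    store: dict = field(default_factory=dict)  # system -> current secret
    audit: list = field(default_factory=list)  # append-only event log

    def log(self, event, user, system, **extra):
        self.audit.append({"event": event, "user": user, "system": system, **extra})

    def rotate(self, system):
        """Randomise the vaulted secret; users never see its value."""
        self.store[system] = secrets.token_urlsafe(24)
        self.log("rotate", "vault", system)

    def checkout(self, user, system, hour, mfa_ok, break_glass=False):
        """Decide whether to broker a privileged session. Returns (granted, reason)."""
        rule = self.policy.get(user, {}).get(system)
        if break_glass:
            # Emergency access bypasses the time window but still requires a
            # known privileged user plus a second factor, and is flagged for review.
            self.log("break_glass", user, system, alert=True)
            granted = mfa_ok and user in self.policy
        elif rule is None:
            granted = False  # no policy entry: deny by default
        else:
            start, end = rule["hours"]
            granted = start <= hour < end and (mfa_ok or not rule["mfa"])
        self.log("access_request", user, system, hour=hour, granted=granted)
        if not granted:
            return False, "denied by policy"
        if system not in self.store:
            self.rotate(system)  # first use: seed a random credential
        self.log("session_start", user, system)
        # The session is brokered with the vaulted secret; once it ends the
        # secret is rotated so nothing the user may have seen remains valid.
        self.log("session_end", user, system)
        self.rotate(system)
        return True, "session brokered, credential rotated"
```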
As the shopping season continues to flourish, it’s important to invest in ensuring the revenues and profits derived are not at risk, and adopting a modern PAM solution, like Ironsphere’s, may be the best holiday deal yet.