Risk Management for Retailers: Why The Best Defense is a Good Offense



By: Orhan Yildirim

The International Risk Management Institute (IRMI), defines “cyber liability” as “an insurance policy designed to provide coverage for consumers of technology services or products.”

Retailers invest in this form of business insurance to address liability and property losses that result from digital platforms and transactions, for example e-commerce sales, recording contact center conversations, and interacting within physical “bricks and mortar” stores with mobile apps.

It is increasingly obvious that any business or organization that leverages the Internet is at risk of attacks that could result in a data breach, in the capture and criminal misuse of private information, or can even completely take down the digital systems upon which these entities rely.

What may not be as evident to these enterprises as it should be is that the number one risk when it comes to retail breaches comes from within, not from outside. Disgruntled or former employees or partners, left with unmonitored and unchecked access, can affect massive breaches. While few retailers wish to reveal lack of internal controls, experts in the UK, where the retail sector is thriving (with a massive £3.5 billion of retail sales, adding up to 5% of total UK GDP), strongly urge retailers to go beyond the standard firewalls, anti-virus software and traditional perimeter security, and focus on what they say is the weakest link in the corporate security chain – human beings, rather than technology.

The British Retail Consortium helps retailers address internal threats, whether those which happen as a result of an innocent employee being manipulated by criminals to get access to corporate systems, or a disgruntled or nefarious IT employee, by protecting all access points into computer systems and networks, including  POS systems, wireless networks, removable storage (USB devices for example), software systems including ERP and CRM, communications networks, databases and mobile devices.

In one of the most well-known breaches in the industry, retail giant Target paid out $18.5 million in a multistate settlement to resolve state investigations of the 2013 cyber-attack that affected more than 41 million of the company’s customer payment card accounts.

The investigation of that breach determined that cyber attackers gained access to Target’s computer gateway through credentials stolen from a third-party vendor. Using those credentials, the adversaries gained access to a database, installed malware on the system and captured full names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data.

Target provided free credit monitoring services for consumers affected by the breach, and further, as part of a $10 million class-action lawsuit settlement reached in 2015, the company agreed to pay up to $10,000 to consumers who proved personal losses from the data breach.

Terms of the agreement required Target to:

  • Develop, implement and maintain a comprehensive information security program
  • Employ an executive or officer responsible for executing the program
  • Hire an independent expert to conduct a security assessment
  • Maintain and support data security software on the company’s network
  • Segregate the cardholder data from the rest of the network
  • Take steps to control network access, including password rotation policies and two-factor authentication.

In short, risks to retailers are vast and expensive. A Privileged Access Management (PAM) strategy put in place with strong policies, automation of password changes, recording of all activities, and more adds a layer of protection that reduces risk, protects reputations, and builds confidence in consumers.

As the retail industry continues to grow – to record levels in this 2019 holiday season – the incentive to steal and abuse data only grows. Privileged Access Management is mission critical for all industries, but it is especially important for the retail industry, given consumer trust.

PAM protects all sensitive assets and allows retailers to know precisely who has access credentials to which systems, and in the case of Ironsphere’s modern and market-leading PAM, to monitor, record and automate activities by privileged users.

Ironsphere’s solution addresses increasingly stringent regulatory controls, including GDPR, ISO 27001, PCI-DSS, and more.

Learn more about our PAM solutions here.

Similar Blogs

Enterprise Risk Appetite Frameworks Should Include PAM

Enterprise Risk Appetite Frameworks Should Include PAM

Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile works, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”

read more