Tag Archives: data loss prevention

7 Reasons Why Your Organization Will Need Data Loss Prevention in 2018

As we enter 2018, data loss prevention is becoming a necessary part of business planning, as there don’t appear to be many industries immune to breaches. 2017 has seen a spate of data loss breaches, not just in conventional targets such as healthcare, financial services and retail, but also in automotive, hospitality and, in some cases, even the military. Here are some reasons why your business really needs data loss prevention in 2018:

  1. The threat is not just external

There’s a difference between what you see reported in the news media and what is actually happening in the U.S. and around the globe. Statistically speaking, internal threats account for just over half of all data loss. That’s according to an Insider Threats Report from 2017. While it doesn’t pay to solely look at one piece of data, the trend of roughly half of all threats being internal has existed across multiple studies for a number of years.

  2. Financial ramifications can be huge

According to a poll of 1,000 business decision makers, the average cost believed to be incurred from a data breach was around $1 million. Clearly, this depends a great deal on what industry you are in, but it’s something to be mindful of, particularly if your data is sensitive and would be worth something to other people.

  3. Financial ramifications are just the start

Quantifying the consequences of an internal data breach is difficult, largely because of the loss of reputation and trust that follows. Even if your business can take the financial hit from fines and compensation, it also has to withstand what can sometimes be a substantial loss of business. This can be particularly harmful for small businesses, which don’t have the buffer of their larger, often multinational, counterparts.

  4. Big data is here to stay

Companies increasingly run on data, and the growth of the big data industry is proof of that. While sensitive data today often consists of things such as financial details and social security numbers, companies will increasingly find that the data they keep on customers is more detailed and personal – and therefore more valuable to an outsider, which raises the incentive for an insider to deliberately leak it.

  5. Thoughts on the Cloud are in the cloud

Most of us are moving to cloud-based computing and SaaS applications as a cost-effective way of storing and using data without paying for large builds. However, this also means that a DLP plan needs to be in place to ensure that the sensitive data your company keeps in the cloud is encrypted and that its transmission to unauthorized third parties is prevented.

  6. Intellectual property protection is important to your customers and your business

This can be one of the biggest long-term consequences of data loss. While a breach of customers’ personal information is wide in its negative effects, an intellectual property breach is narrow but incredibly damaging. If your company holds trade secrets, plans and the like, whether its own or its customers’, it’s essential that these are protected appropriately under a DLP strategy.

  7. Endpoints are increasing

With remote work becoming more and more common, the number of endpoints on which data is stored is also increasing. These can be inside your business’ network, but also outside it, in public places or at home. In these cases, your DLP strategy needs an agent installed on every one of these devices that monitors for, and blocks, specific sensitive or confidential actions.

A data loss protection strategy doesn’t have to be an alarming addition to your company’s business plan. However, it is becoming concerning how many businesses, big and small, are avoiding the need for one, given that the amount of data we use is growing exponentially. Internal threats can be both malicious and entirely accidental, so it’s important to protect your employees, your company and, of course, your customers from the ramifications of data breaches.

The Shocking Facts About Data Loss Protection You Didn’t Know

Data loss is, quite simply, a reality for businesses operating in the 21st century. It is often thought about as caused by external threats such as cyber attacks. But data loss is also caused by internal threats and is often more dangerous as it can affect companies of any size. We’ve rounded up some shocking facts about data loss protection you need to know about:

Over 50% of critical corporate data sits on unprotected PCs

Remote work has only really come into its own in the last five years, and it is increasing at a truly rapid pace. Unfortunately, businesses do not seem to be ensuring that their DLP and cyber security plans keep up with the way their industries are changing. Personal computers, particularly laptops but also home desktops, carry the same level of internal data-loss risk as the machines in the office, yet are far less often covered by the same protections.

Small businesses that experience drastic data loss often go out of business within a year

Probably the most shocking statistic for SME and SMB owners. The harsh reality is that, if a sufficient DLP strategy is not put in place, you may lose data via internal sources. Sometimes it’s malicious, sometimes it comes from simply a careless click.

Think about your company’s most sensitive data and what its release would mean in terms of a worst case scenario. Would you be financially liable to the individuals concerned? Would it ruin your company’s reputation? Are you likely to be seriously affected if a competitor sees your intellectual property? If the answer to any of these is yes, you should be seriously considering updating your DLP strategy, or implementing one if you don’t have it already. 

75% of all mobile apps fail a basic security test

Regardless of whether you supply employees with a company mobile or have a Bring Your Own Device policy, your employees will install apps on their phones. This is both an internal and an external threat. The employee installs an app that does not handle data securely – an internal threat. An attacker can then go through that app to reach data your own controls would otherwise have protected – an external threat. A good DLP strategy will secure buy-in from your employees so that they understand the risk of what they are downloading, and will set out the steps and criteria they must follow.

Cyber crime damage costs to hit $6 trillion annually by 2021

And cyber crime is reportedly the fastest growing crime in the United States. While this refers to all cyber crime, not just internal data loss, it still sits as an astounding figure. Data Loss Protection strategies work hand in hand with additional cyber security measures. Many of the precautions you take to protect against internal threats will also protect against external threats but it is essential that you address both so that your company does not contribute to this statistic.

Data loss protection is all about managing risk. You can’t eliminate it completely, but it’s important to stay on top of where the trends and technology are moving to ensure that your company and its sensitive data are covered. These facts will hopefully make you see the huge global impact of data loss and the effect that a well-communicated DLP strategy can have.

How To Know When It’s Time To Upgrade Your Data Loss Prevention Strategy

Tactics that involve prevention and protection always need constant upgrading, changing and reworking. As technology changes and people find new workarounds, so too do you need to keep finding new ways to upgrade your data loss prevention strategy. Obviously, this can be quite time-consuming and costly, particularly for small to medium enterprises, so a sensible approach is to consider when and why you should be looking to improve your data loss prevention (DLP) strategy. This knowledge will allow you to prioritize your company’s resources effectively to help protect against breaches.

Know the culprit
While much of the attention about data loss points to outside threats from cyber-attackers, it’s estimated that more than 40% of all data breaches originate internally. These can be intentional, but they can also be due to just a careless click of the mouse. Being aware of how your data could be lost is the first step to upgrading your strategy.

Assess your sensitive information
It’s not realistic for a small or medium-sized company to have a mammoth DLP strategy that protects all of the company’s information to a very high level. Nor do most companies want that, as it comes with an increased level of administration that would significantly decrease employees’ output were it applied to every file in the company.

So, assessing the files that your company holds is crucial to knowing when to upgrade your DLP strategy. The easiest way to do this is to look at the worst-case scenario for each set of files. If someone were to accidentally send a file to the wrong person, or maliciously release it to the public, what would the ramifications be for your company, both financially and in terms of reputation?

Qualification
Then, qualify your data files into groups – high risk, medium risk and low risk. Most companies with internet security and data loss protection strategies will have all-encompassing security that includes all files, even those low risk. It’s the high risk and, to a lesser extent, the medium risk files that you need to have a strong DLP plan around.

It’s also worth being mindful of whether the strategy covers new files that are created. Is there a process that qualifies this data into the ‘risk buckets’ mentioned above? Your DLP strategy is only as good as how it’s being implemented. If you find that there are gaps when you go through the process yourself, it’s time to look at an upgrade.
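The ‘risk bucket’ qualification described above is, in practice, what a DLP content scanner automates: it looks inside each file for regulated identifiers (social security numbers, payment card numbers) and for classification markers, and assigns a bucket on what it finds. The Python script below is an added example written for this page; it is not the original post’s process nor any particular product’s logic, and the regular expressions, the three buckets, the marker words and the sample files are all assumptions chosen for illustration. The sample values are fictitious.

```python
"""Minimal content classifier of the kind a DLP scanner uses to sort files
into risk buckets. Added example; the patterns, thresholds and sample
files are assumptions, not the page's own process."""
import re
from typing import Dict, List, Tuple

# US Social Security Number: area 000, 666 and 900-999 are never issued,
# group 00 and serial 0000 are invalid. Excluding them cuts false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

# 13-19 digits, optionally separated by spaces or dashes; Luhn-checked below.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Classification markers an organisation might stamp into documents (assumed).
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "TRADE SECRET")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, redacted_value) for each SSN or Luhn-valid card number."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):      # drops order numbers, timestamps, typos
            hits.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def classify_text(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Assign a risk bucket: high = regulated identifiers present,
    medium = marked confidential but no identifiers, low = neither."""
    hits = find_sensitive(text)
    if hits:
        return "high", hits
    if any(marker in text.upper() for marker in MARKERS):
        return "medium", hits
    return "low", hits


def scan_files(files: Dict[str, str]) -> Dict[str, str]:
    """Classify a mapping of filename -> contents; returns filename -> bucket."""
    return {name: classify_text(body)[0] for name, body in files.items()}


# Constructed sample files (fictitious values, not real data).
SAMPLE_FILES = {
    "payroll_export.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,321-54-9876\n",
    "orders.txt": "Order 1842 paid with 4111 1111 1111 1111, ref 20170614\n",
    "invoice_draft.txt": "Card on file 4111-1111-1111-1112 (typo, fails Luhn)\n",
    "q3_plan.txt": "CONFIDENTIAL: Q3 roadmap for Project Example\n",
    "lunch_menu.txt": "Monday: soup. Tuesday: pasta.\n",
}

if __name__ == "__main__":
    for name, bucket in scan_files(SAMPLE_FILES).items():
        print(f"{bucket:6} {name}")
```

The Luhn check is what separates a genuine card number from an order number, timestamp or mistyped value of similar length, which is why the invoice_draft sample lands in the low bucket rather than generating a false alarm. A real deployment would add whatever other identifiers its data actually contains, and would run the same classification over new files as they are created so that the buckets stay current.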

Accepting technological change
It can be difficult for companies who have invested a great deal in a solution to look at making significant changes to it. Often there are stakeholders or other parties who may not realise the necessity in doing this and therefore the cause also has to be justified.

However, one of the biggest weaknesses of all DLP strategies is that they are reactive. They constantly have to be told what to look for – the file formats, encodings and patterns of sensitive data, for instance. As we all know, technology is changing and progressing at an unprecedented rate. Because of this, those formats and patterns are constantly changing, and an effective DLP strategy has to be updated accordingly.

So, when? Well, the answer is constantly, but the good news is that there are plenty of affordable tools that can fill the gaps in your DLP strategy rather than completely reworking the entire thing – an unnecessary exercise. Data classification software, for instance, can address the issue above and strengthens your DLP strategy in a cost-effective way.

Although it would be nice to have a set of rules in place to know exactly when to upgrade your DLP strategy, such a set of rules would be unrealistic and not flexible enough to take into account all of the changing variables. Instead, an approach that involves a full assessment, qualification and reworking is best when considering an upgrade.

When You Should Switch To Biometrics For Data Protection

Once the territory of sci-fi films and fiction, biometrics are these days a part of everyday technology. This kind of smart technology is all about using sophisticated means to identify an individual. It is especially relevant for data protection within companies, as it can help prevent the loss of data by tying access to highly classified data to specific individuals, who can then only reach it using biological characteristics unique to them. What we’ll outline today is what exactly biometrics is, how it works, and when it is relevant to data loss protection, particularly for small businesses.

What is biometrics?
Biometric verification is the use of biological traits to verify an individual’s identity. These traits can be both visible and invisible to the eye. Visible traits include things such as a fingerprint, the pattern of the retina or iris, earlobe shape, and even a person’s gait or posture. Less visible traits include things such as heartbeat rhythm, voice, and DNA.

How does it apply to data protection?
Particularly with the advent of cloud-based computing and remote working, biometrics can assist with ensuring that end-point devices stay secure. Mobile devices, such as laptops and phones, are often the culprits from which data is lost from internal sources, either by accident or through malicious intent.

Biometric verification helps ensure that a device holding sensitive information is only unlocked by the individuals of your choosing, and it ties each access to a named person. This instills a greater sense of responsibility in those individuals to safeguard classified information, and also creates a disincentive to releasing the data maliciously: if the files are only handled by a small number of people who can be biologically identified and therefore caught, it’s much less likely that they would release that data intentionally. Bear in mind, though, that it establishes who is at the device, not what they do with the data once it is unlocked, so it complements rather than replaces the controls on copying and transmission that the rest of a DLP strategy provides.

When should you apply it?
Biometrics already exist in many mobile devices, such as smartphones and laptops. This means that generalized biometric technology can be implemented across the board by making smart decisions when upgrading these items as part of your business inventory. By integrating standardized biometrics into your data loss protection strategy, you can help to prevent data loss, particularly from those who work remotely, but also across the board.

Most companies will have a series of files that are highly classified. Whether these contain sensitive personal information or the company’s intellectual property, it is imperative to create much stronger safeguards and disincentives against their accidental or malicious release. A good way of beginning to integrate biometric verification is to start with these files only. Unless you’re a large multinational, it’s unrealistic to think that you’ll be able to fully integrate highly sophisticated technology across the board. Instead, focus on directing that technology towards protecting the highly sensitive information that only some individuals have access to.

It’s clear that the days of the password as the only method of authentication and verification are numbered. To help ensure full protection against data loss, particularly from internal threats, integrating biometric technology is the way of the future. If you’re an SMB or SME, the best way to think about biometric integration is to direct the resource and budget you have set aside for it towards protecting the files that are most sensitive, or would have the most negative impact if they were released internally. That way, you can start testing ways of using the technology that will carry over when it becomes cheaper and easier to implement across the board.

 

Enhancing Your Company’s Mobile Security in Ten Steps

Mobile-centric workforces are a present reality and, more and more, the way of the future. They enable your employees to be anywhere and everywhere, which also means that your company’s precious and sensitive data is moving with them. So, how do you prevent the threat of data loss from internal sources, both accidental and malicious? Here are ten easy steps you can take:

  1. Use a lock screen and biometrics technology

Pretty simple stuff, but it is very surprising how few companies, particularly SMBs, insist that their employees follow this procedure. Preferably employees will have both smartphones and laptops that come with built-in biometric technology that can identify them through fingerprint or face verification.

  2. Create a BYOD policy

You may or may not provide employees with devices. If you don’t, it’s important to create a BYOD (bring your own device) policy, where employees follow a procedure on their own devices to bring them up to speed with company security policy. Mobile device management platforms are a great way of implementing these. These procedures should also give you the ability to wipe their phone data remotely in an emergency situation.

  3. Purchase unlimited data contracts

This might not always be possible with budget constraints, but it removes the main incentive for employees to connect to unsecured Wi-Fi networks when they are in public places.

  4. Encrypt, encrypt, encrypt

The more you can encrypt, the better: encrypt device storage so that a lost or stolen phone or laptop does not give up its data, and encrypt sensitive files individually so that a file forwarded by accident is unreadable without the key. File-level encryption protects data on a file-by-file basis, and because that protection is only as strong as the keys behind it, key and certificate management has to be protected just as carefully.

  5. Strengthen passwords

Many employees still use old and weak passwords, simply because they have never been asked to change them. As part of company policy, require that passwords meet a minimum length and strength, are not reused across services, and are changed promptly whenever a compromise is suspected. Current guidance such as NIST SP 800-63B no longer recommends forcing routine rotation, which tends to produce weaker, predictable passwords. This helps against the threat of data loss not only from a mobile security standpoint, but also within the office.

  6. Testing

Ideally comprehensive testing will be provided by the security firm that puts together your mobile security package, but you should also be testing yourself to find any cracks. Upon initial implementation, encourage employees to ‘break the system’ using unclassified information. If the people who will be using the mobile systems can get around the technology at the very beginning, it’s likely to happen again, and it therefore needs to be fixed.

  7. Device protection

More relevant for SMBs with BYOD policies: ensure that the devices used are not jailbroken or rooted. Jailbreaking or rooting removes the built-in security measures that come with smartphones, which are fairly sophisticated and complement your company’s own security policies.

  8. Mobile app choice

When downloading any app on a phone, for both personal and professional use, it’s important that employees don’t download apps that could compromise data protection. Ensure that employees view the download of apps the same way they view downloading files from unknown sources or opening spam emails – with caution.

  9. Inform your employees

Further to this, it’s helpful to inform your employees what potential threats look like. While these are technically external threats, you can reduce the internal threat of employees clicking on harmful phishing links by educating them that such messages can appear to come from banks, tax departments or the Board of Directors, and what to do if they’re unsure.

  10. Update the technology

Software updates for laptops and mobile devices generally include a large number of security patches and updates. Ensure that you and your employees are as protected as you can be by updating as soon as the notification comes through.

Many employees have no intention of leaking a company’s sensitive information; they are just unaware of how they are inadvertently doing it. Creating a workplace where employees are taught to view mobile security as an important part of their job, whether that means disconnecting from public Wi-Fi or strengthening passwords, educates and empowers them to take mobile security into their own hands. This, combined with mobile device management platforms that help to protect against intentional internal loss, will give your company a solid mobile security policy.

The Top Data Breaches in 2017 – And It’s Only August

Since January 1 2017, there have been approximately 156,000 data records breached where the disclosure was unintentional or a malicious breach from an insider. These are breaches in all industries, to all kinds of individuals, and all sizes of companies. To put it in perspective, that’s roughly 867 records breached every day, or nearly two records every three minutes. We’ve rounded up the top data breaches for the first half of 2017. Prepare to be unsettled.

Registered voters in America
198,000,000 Americans registered to vote had their personal information exposed in late June this year. The firm responsible, a Republican data analysis company, Deep Root Analytics, has taken full responsibility for the situation. The exposed data included basic information such as voters’ first and last names, birth dates, home and mailing addresses, phone numbers, registered party, self-reported racial demographic and voter registration status. Alarmingly, each voter’s likely stance on abortion, gun control, stem cell research and environmental issues was also included. Fortunately, it appears that the only outsider to access the 1.1 terabytes of entirely unsecured data was a single cyber risk analyst from a security firm, who was able to raise the alarm in time.

Educational records at the University of Oklahoma
Also in June, the University of Oklahoma was found to have exposed educational records through lax privacy settings on its campus file-sharing network. 29,000 educational records, including social security numbers, financial aid information and grades in records dating to at least 2002, were accessible to email users on the system. The files have since been secured, but each exposure could constitute a violation of the Family Educational Rights and Privacy Act.

Email addresses of US corporates
Just under 33.7 million unique email addresses were leaked in March this year. The company responsible, Dun & Bradstreet, is a business services company, so at nearly 34 million the records represented a large chunk of the United States corporate population. This is the kind of data that is bought and sold – the market rate is unknown, but it is reported that access to just half a million records can cost up to $200,000. The largest organizations affected include the Department of Defense, other armed forces, AT&T, Boeing, and the United States Postal Service. Interestingly, it remains unknown how the data got out; Dun & Bradstreet stated that it was not released through one of its own systems.

Thankfully, many of these data breaches were picked up by security companies monitoring for data exposure before the data could get into the wrong hands. While these are three of the most significant data breaches to happen this year, there are tens of thousands more where companies have had their data exposed through internal sources, either with malicious intent or by total accident. Companies that lose data through their own negligence, or through a lack of correct privacy procedures, can face legal action and be forced to pay damages to the individuals affected. A data loss protection strategy is essential for a company of any size. It protects the individuals whose data the company holds, and it helps protect the company from the ramifications of any internal losses.

How to Use Prioritization to Enhance Your Data Security

Data loss prevention and data security can sometimes feel like a daunting and money-draining task, particularly for SMBs. But cyberattacks and loss of data are among the biggest risks an organization can face in the modern-day climate. Companies don’t need to be big-name enterprises with large IT departments in order to be top performers in data loss prevention. When it comes to protecting companies and individuals from data loss, prioritizing data protection is key to managing security successfully while still operating a well-running company.

  1. Knowledge is power

There are many studies that suggest that around one third of all companies lack sufficient policies for data encryption, classification and security. Knowing the risk and how your company might be affected is the first step towards data security.

  2. Consider the options

What is actually realistic for your business? While it is tempting to get caught up in the sophistication and benefits that some of these security systems hold, it’s important to prioritize what your company really needs for full protection. Extra benefits are nice-to-haves, and most security companies will scale plans up and down, so these can easily be considered once a working plan is in place.

  3. Learn about your company’s data

Back to the first point, knowledge is power: in order to prioritize data for security purposes, you need to know about your company’s data. What it does, who uses it, and how it moves around your computer systems. Depending on the size of your company, there are data-mapping tools that can be put in place to assess this, but you should also develop a general feel for it. In addition to the sophisticated software that’s out there, there’s an element of common sense to data security – if you think data could escape by a particular route, it probably can.

  4. Top-down data prioritization

Once you know the ins and outs of your company’s data, it’s important that you begin to assess the risk that a breach in data security poses for the different kind of files your company possesses. The higher the risk, the more priority needs to be given to ensuring that the data security around those files is impeccable.

  5. Balance it out

Bear in mind that often the more security and process you place around data, the more administration you are placing on your employees. Policies and verification processes all take time, and this adds up if it is manual time on each and every file the employee is using. Consider the effect that the loss of a particular piece of data will have on your company if it is released from your secure system. If the consequences are not high, and it’s much more effective for your business to run efficiently without cumbersome processes around those files, then go with that.

Prioritizing the kind of security you employ to protect your company, and how you implement it, can sometimes mean the difference between being able to put security and data loss prevention plans in place and becoming one of the one-third of businesses that have not done so. With these simple techniques, you should be able to break down and prioritize how to go about protecting your company through data security.

Why a Data Breach Could Change Your Life – And What to Do About It

The sensitive information of individuals is big business in the criminal world. An individual’s medical record can fetch up to $50 on the black market, 50x that of a credit card record, and that’s before money has been extracted by using the record itself. Data breaches aren’t confined to medical and financial records, though: in the modern world we are seeing trade secrets, intellectual property and other identifying information viewed or stolen by unauthorized individuals. Data breaches can dramatically affect your life, both as an individual citizen and as an employee or business owner. Fortunately, there are ways to protect yourself.

Getting down to business

From a business perspective, a data breach can be hugely damaging, both to a company’s reputation as a whole and through the direct consequences the breach brings. Particularly for companies in knowledge sectors, data breaches can have hugely impactful and long-lasting effects if intellectual property or trade secrets are obtained by an unauthorized party. Companies have seen their long-term earning capacity significantly reduced, or even wiped out, by data breaches.

While the media generally highlights data breaches that happen on a mass scale to large and well-known brands, it is small to medium enterprises that can be hit hardest, as their technology and processes are often not strong enough. Some studies suggest that almost 30% of SMEs have no plans in place to deal with security threats.

How to turn things around

A data breach response plan is crucial to maintaining the safety of your business. Sometimes it’s helpful to think about the digital risk of a data breach in the same way as a physical risk to your company, such as fire or theft. No company would operate without basic policies around high-risk areas, and a data breach belongs in that group.

A good data loss protection plan and state-of-the-art security will equip your company with the right tools and software to protect against ransomware, and inadvertent loss of data. But a truly great data loss protection plan is one that pre-empts the catastrophe by ensuring that all employees understand the level of risk associated with a data breach and are committed to putting in place best data loss protection practice in order to minimize the risk.

On an individual level

Whether you’re a business that holds sensitive information about individuals, or an individual yourself, it is important to know the risks associated with having personal data compromised. Of course, the consequences of stolen financial and medical records are fairly evident, but with the rise of sophisticated ransomware and malware techniques, criminals can embed themselves on your computer and commit serious crimes such as identity theft, which your insurance may not even cover.

What to do about it

Firstly, look into how you’re currently protected, on both an insurance and a digital level, and make the appropriate changes. Contact your bank and talk about options to protect your credit card online, and fully understand their policies if your details are compromised. Shop around – protection isn’t standardized, and different financial companies will offer different types of protection. The same goes for your medical insurance: contact your provider and get a clear understanding of what will happen if there is some kind of breach.

Then it’s time to look into your cybersecurity. Cyber criminals have gone from strength to strength in recent years, so it is imperative to keep your security software updated and running rather than leaving it idle. It’s also an excellent idea to look into password managers such as LastPass that let you use a different password on every website, particularly those you share sensitive information with. Opt for two-step verification on any website that offers it, and use different security questions on different websites where they are offered.

A data breach can have far-reaching and long-lasting effects on both individuals and companies. Put simply, the only way to combat this kind of criminal activity, as a citizen and as an SME or SMB, is through protection. For businesses, this involves a strategic data loss protection plan, as well as a crisis management plan for when the worst happens and sensitive information, particularly that of individuals, gets into the wrong hands. For both businesses and individuals, computer security and preventive habits on websites where your data could be compromised are essential to mitigating the life-changing risk of a data breach.

Top Breaches in Retail in 2015 -2016

This week, we will continue with the topic of data breaches in retail.

Study Findings

A study on data breaches in retail, conducted by Vormetric, revealed the following key findings:

  1. 93% of retailers believe that their organization is susceptible to insider threats.
  2. 48% of retailers have either had a data breach or failed a compliance audit in the past year.
  3. 77% of retailers said that “diligently following up on compliance requirements and making implementation of those requirements mandatory” can easily thwart insider threats.

Examples

To emphasize how vulnerable retail is to data loss, here are four examples in which sensitive information was compromised by a breach (caused by external and/or internal factors).

  1. Target – Although this incident hit Target stores in November-December 2013, it is worth mentioning because it is regarded as one of the most expensive breaches in the history of the retail industry. About 40 million payment card accounts and the personal information of up to 70 million customers were stolen. The attackers installed memory-scraping malware on POS terminals. The total cost of the breach has been estimated at more than US$ 3.6 billion.
  2. CVS/Walgreens – In July 2015, CVS and Walgreens suspended their online photo services after a payment card breach at the third-party vendor (PNI Digital Media) that ran those sites for them.
  3. CVS – Also reported in July 2015: between May 2013 and April 2015, a pharmacy technician passed about 100 customer records to her property manager, who used the information to apply for loans and credit cards.
  4. Bed Bath & Beyond – In September 2015, the retailer reported that an employee had stolen some customers' credit card information with the intention of misusing it.

Reasons Why Retail is Different

There are many reasons retail differs from other sectors, and together they call for a vertical-specific solution rather than a cookie-cutter one.

  1. Volume of Credit Card Transactions

In retail, the majority of payments are made with payment cards, so a single breach exposes a large volume of card data and the sector is a prime target.

  2. High Employee Turnover

Retail has very high employee turnover. Employees fall into various categories (part-time, full-time, seasonal) and move quickly between departments, locations and employers. This makes training and monitoring difficult and raises the risk of insider breaches, whether intentional or accidental.

  3. Physical Security of Payment Endpoints

Payment endpoints, whether POS terminals in stores or card readers at gas pumps, are physically accessible to the public. Skimming devices that fit over or inside these readers can capture card data as a card is swiped.

  4. Multiple Locations

Large retailers operate stores in many locations. The more locations, the higher the cost of implementing, and consistently maintaining, security measures.

  5. Speed of Responsiveness

In retail, a key measure of customer satisfaction is speed of service. Retailers face tough competition and are always on their toes to provide fast, satisfying service. Any additional authentication step at checkout slows the process and tempts customers to take their business to other retailers.

  6. Working with Third Parties

Retailers work with many third parties, and many of these handle sensitive data on their own networks after it has been uploaded to them. Each such vendor is another place where a breach can occur.

Conclusion

It is essential that retailers be cautious and take proactive measures to safeguard sensitive customer data stored on their or third party networks. Loyal customer relationships are built on trust. Implementing best practices that enhance this trust will go a long way in customer satisfaction and retention.

Retail Data Breaches – Lessons Learnt

For the past couple of months we have been talking about data breaches across different sectors, their implications and best practices that can be implemented. In this blog, we will talk about retail.

Enhanced Digital Experience Drives Need for Enhanced Data Security

While the share of breaches in retail is low compared to other sectors (per Verizon, 1 in every 13 breaches is in retail), the cost of a retail breach is very high: the cost per record is high, and a single breach can expose thousands of accounts.

Retail is at the forefront of customer-facing digital applications. As retailers build a seamless customer experience through an omni-channel strategy, the risk of data loss, whether through employee error or malicious intent, or from external factors such as hackers and malware, also grows. Retailers also face Denial of Service (DoS) attacks, in which attackers flood a server with traffic until the website goes down; no data is stolen, but the damage to the company's goodwill can be heavy.

While regulatory requirements exist to ensure that organizations processing sensitive personal or financial information stay compliant, threats from newer sources and methods are always present. According to IBM, the cost per breached record in retail is US$ 165. Retailers not only pay a heavy price for these breaches in penalties, but also face the real threat of losing loyal customers to competitors.

Best Practices in Retail for Proactive Data Loss Prevention

Zecurion recommends the following best practices that retailers should implement to thwart data loss threats from their endpoints, servers and networks:

  • Invest in a comprehensive data loss prevention solution designed as a whole rather than assembled piecemeal; an integrated solution gives more robust protection against internal and external data loss threats
  • Involve the end users of the technology in purchase decisions; their feedback on the problems they actually face helps identify the real need and a security solution they are willing to adopt
  • Educate staff and run regular training sessions on data access policies; make sure employees know the roles, restrictions and permissions assigned to them
  • Keep firewalls and anti-virus up to date; make sure no obsolete software is running and all patches are applied
  • Encrypt classified information whenever it is exchanged or stored, and require two-factor authentication for access to systems that hold large volumes of sensitive data
  • Secure the connections between networks, keeping the systems that handle card data separated from the rest, and monitor endpoints regularly
  • Enforce strict policies for Bring Your Own Device (BYOD)
  • Raise awareness of POS RAM scrapers: malware that reads payment card track data out of the memory of an infected POS terminal in the brief window between the card being read and the data being encrypted. They can be installed remotely, and the captured data can be written onto counterfeit cards within minutes, paving the way for fraudulent transactions
  • Implement policies for the safe decommissioning of POS machines so that no residual data can be misused
  • Inspect POS machines regularly to ensure no skimming devices have been attached to capture payment card information
  • Implement and test a robust post-breach response plan in case a breach does happen
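The Target example above and the RAM scraper bullet both come down to the same thing: card track data sitting in plain text in POS memory. The scanner below is an added example, not Zecurion's product or anything from the original post. It does what both a RAM scraper and a DLP endpoint agent hunting for one do: search a memory buffer for ISO 7813 Track 1 and Track 2 records and bare card numbers, use the Luhn check digit to discard random digit runs, and report masked PANs. The "memory dump" is constructed from standard test card numbers; the regexes and the masking rule (first six and last four digits kept) are the author's choices, not the page's.

```python
"""Scan a memory buffer for payment-card track data, as a POS RAM scraper
(or a DLP agent hunting for one) would. All sample input is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Bare PAN: a 13-19 digit run that is not part of a longer digit run
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits, hide the rest (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    kind: str               # "track1", "track2" or "pan"
    offset: int             # byte offset in the scanned buffer
    masked_pan: str
    expiry: Optional[str]   # YYMM when the record carries it


def scan_memory(buf: bytes) -> list[Finding]:
    """Return every card record in buf whose PAN passes the Luhn check."""
    findings: list[Finding] = []
    covered: list[tuple[int, int]] = []   # spans already reported as track data
    for kind, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue
            expiry = (m.group(3) if kind == "track1" else m.group(2)).decode()
            findings.append(Finding(kind, m.start(), mask_pan(pan), expiry))
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        # digit runs inside an already-reported track record (expiry, service
        # code, discretionary data) are not separate findings
        if any(s <= m.start() < e for s, e in covered):
            continue
        pan = m.group(0).decode()
        if luhn_ok(pan):
            findings.append(Finding("pan", m.start(), mask_pan(pan), None))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample "memory dump": application strings, binary noise, two
# track records, one digit run that fails Luhn, and one bare test PAN.
SAMPLE_MEMORY = (
    b"\x00\x00POSApp v2.1\x00\x00"
    b"%B5555555555554444^DOE/JANE^2512101000000000?"   # Track 1, test PAN
    b"\x00\xff\x12\x7f"
    b";4111111111111111=25121010000012345?"            # Track 2, test PAN
    b"\x00order_id=4111111111111112\x00"               # 16 digits, fails Luhn
    b"\x00card=4242424242424242\x00"                   # bare PAN, passes Luhn
)

if __name__ == "__main__":
    for f in scan_memory(SAMPLE_MEMORY):
        print(f"{f.kind:6s} @0x{f.offset:04x}  {f.masked_pan}  exp={f.expiry}")
```

Run it and the three genuine records are reported while the order number that merely looks like a card number is dropped by the Luhn check. The same matching logic, pointed at process memory on a POS terminal or at outbound traffic, is how a DLP agent spots a scraper's harvest before it leaves the store.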

It is worth mentioning here that the National Retail Federation has been actively campaigning for "chip and PIN" cards. In these cards the sensitive data lives in a microchip that generates a unique cryptogram for every transaction, so data captured from one transaction cannot be replayed to counterfeit a card the way a copied magnetic stripe can. A chip and PIN card also requires a secret number for approval instead of a signature, which counters a lot of fraud, especially with stolen cards.

Chip and PIN cards are in everyday use in other countries but, at the time of writing, were still not generally available in the US. While the initial set-up cost of these cards may be high, the security benefits still outweigh the risk of a large data breach.
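To make the replay argument concrete, here is an added toy model of the two card types, written for this page and not taken from the National Retail Federation or any EMV specification. It deliberately simplifies: a real EMV card derives a session key from an issuer master key and the transaction counter and computes a 3DES or AES MAC, whereas this model uses a static per-card key and HMAC-SHA256, and the PIN itself is not modelled. The names (`ChipCard`, `Issuer`, `demo`) and the authorization message fields are the author's. What it does reproduce is the property that matters for the skimming and RAM-scraping threats above: a captured magnetic-stripe record authorizes again and again, while a captured chip authorization is rejected on replay.

```python
"""Toy model: replaying captured magstripe data versus a captured EMV-style
authorization. Simplified for illustration; not real EMV key management."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def _cryptogram(key: bytes, amount_cents: int, un: bytes, atc: int) -> bytes:
    """Per-transaction MAC over amount, terminal nonce and card counter
    (stand-in for the EMV ARQC; real cards use a 3DES/AES MAC)."""
    data = amount_cents.to_bytes(6, "big") + un + atc.to_bytes(2, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    pan: str
    key: bytes      # per-card secret; in a real card it never leaves the chip
    atc: int = 0    # Application Transaction Counter, increments every use

    def generate_arqc(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        """Authorization request carrying a cryptogram bound to this transaction."""
        self.atc += 1
        return {
            "pan": self.pan,
            "amount": amount_cents,
            "atc": self.atc,
            "arqc": _cryptogram(self.key, amount_cents, unpredictable_number, self.atc),
        }


class Issuer:
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_atc: dict[str, int] = {}
        self.stripe_accounts: set[tuple[str, str]] = set()  # (pan, expiry)

    def issue_stripe(self, pan: str, expiry: str) -> str:
        """Magstripe card = one static Track 2 record; a skimmer captures all of it."""
        self.stripe_accounts.add((pan, expiry))
        return f";{pan}={expiry}101?"

    def issue_chip(self, pan: str) -> ChipCard:
        key = os.urandom(16)
        self.keys[pan] = key
        self.last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_stripe(self, track2: str, amount_cents: int) -> tuple[bool, str]:
        pan, rest = track2.strip(";?").split("=")
        ok = (pan, rest[:4]) in self.stripe_accounts
        # nothing in the record ties it to a single transaction, so it replays
        return ok, "approved" if ok else "declined"

    def authorize_chip(self, req: dict, terminal_un: bytes) -> tuple[bool, str]:
        key = self.keys.get(req["pan"])
        if key is None:
            return False, "declined: unknown card"
        if req["atc"] <= self.last_atc[req["pan"]]:
            return False, "declined: transaction counter not increasing (replay)"
        expected = _cryptogram(key, req["amount"], terminal_un, req["atc"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return False, "declined: cryptogram mismatch (no key, or other terminal)"
        self.last_atc[req["pan"]] = req["atc"]
        return True, "approved"


def demo() -> dict[str, bool]:
    """Run the stripe and chip scenarios; returns which attempts were approved."""
    issuer = Issuer()
    results: dict[str, bool] = {}
    # Magstripe: the captured record is all a counterfeit card needs.
    track2 = issuer.issue_stripe("4111111111111111", "2512")   # test PAN
    results["stripe_genuine"] = issuer.authorize_stripe(track2, 4999)[0]
    results["stripe_replay"] = issuer.authorize_stripe(track2, 4999)[0]
    # Chip: the same attacker captures one authorization on the wire.
    card = issuer.issue_chip("5555555555554444")                # test PAN
    un1 = os.urandom(4)
    req = card.generate_arqc(4999, un1)
    results["chip_genuine"] = issuer.authorize_chip(req, un1)[0]
    results["chip_replay_same_terminal"] = issuer.authorize_chip(req, un1)[0]
    un2 = os.urandom(4)
    results["chip_replay_other_terminal"] = issuer.authorize_chip(req, un2)[0]
    forged = dict(req, atc=req["atc"] + 1)   # attacker bumps the counter, has no key
    results["chip_forged_counter"] = issuer.authorize_chip(forged, un2)[0]
    return results


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:28s} {'APPROVED' if approved else 'declined'}")
```

The stripe replay is approved twice because the issuer can only check that the static data is on file; the chip replays fail on the counter, and the forged attempt fails on the cryptogram because the key that produced it never left the card. That is the whole reason a stolen dump of chip transactions is worth so much less to a fraudster than a stolen dump of track data.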