With Cyber Threats on the Rise, Retailers Require Robust Data Breach Response Methodologies to Mitigate Risk

Retailers have woken up. Over the past 12 months, a surge in large-scale data breaches and new threats targeting web-based platforms and point-of-sale systems have thrust the issue of cybersecurity into center stage. From Target, to Neiman Marcus, to eBay—and most recently, Supervalu—major corporations have been left reeling from the aftershocks of pervasive and costly breaches that have compromised their operations, their customers’ trust and their bottom lines.

The full scope of the issue is hardly limited to the recent headlines: Verizon reported that there were a total of 467 cybersecurity incidents in the retail industry during 2013, with point-of-sale (POS) system intrusion and web application attacks comprising the most common varieties. Realizing the gravity of these threats, a full 90 percent of retailers noted cybersecurity as a risk in BDO’s 2014 Retail RiskFactor Report.

Key Elements of a Data Breach Response ProgramThe response across the industry has been significant. In the last several months, the National Retail Federation (NRF) launched its Information Sharing platform for retailers to provide real time updates and analysis on emerging cyber risks. Meanwhile, individual retailers—including Nike, Gap, Walgreens and Lowe’s—have joined forces and launched the Retail Cyber Intelligence Sharing Center for the same purpose. Still, while these collaborative efforts help companies stay ahead of threats, they alone are not sufficient. To successfully protect their brands, assets and customers, retailers need to double down on securing their platforms through diligent conformance to internal practices and industry recommendations.

The unfortunate reality is that the retail industry, by its nature, is a vulnerable—and therefore, attractive—arena for cyber criminals. With billions of annual transactions and POS systems that are often outdated and inadequately fortified, cyber attacks in the industry are prevalent and costly occurrences. As was exemplified in Target’s massive data breach in 2013, a single attack can expose millions of consumers’ credit card and other personally identifiable information (PII). As such, POS systems warrant the same level of protection—if not more—as other enterprise systems.

Given the prevalence of attacks in the industry and the increasingly sophisticated nature of cyber threats, it’s more important than ever that retailers secure their systems with robust, carefully designed protection plans. However, security itself is not sufficient; even the most advanced protection plans cannot completely safeguard against threats. In order to act quickly and minimize damage if and when an attack does occur, companies also require actionable, nimble and tested data breach response programs. With that in mind, here are several best practices and procedures to consider when developing these response protocols.

Developing a Response Program
Pursuant to the methodology outlined in the National Institute of Standards & Technology’s (NIST) Cybersecurity Framework, we recommend that the development of a data breach response program include the following broad steps:

1. Identify priorities, response committee and scope of the program.
During this first step, retailers should identify where sensitive information resides throughout the organization. While it’s of the utmost importance to respond to attacks that threaten POS systems, it is just as important to identify all locations where PII and other sensitive data reside. The identification of PII storage throughout the organization helps to later prioritize response needs. If a company is unable to locate sources of PII that reside outside of POS systems, it is more difficult to effectively respond to an attack. The initial phase also involves creating a response committee that is committed and focused, as well as a program structure that is organized and clearly defined.

2. Understand the organization and its level of cybersecurity awareness.
From the outset, it’s critical that the organization as a whole is aware of the cyber-related risks it faces. In order to boost awareness and garner buy-in for a revamped data breach response program, it’s important to educate executives, business units and key team members about the associated risks of not moving forward with the program.

3. Assess the current state and identify the future needs of the organization’s program.
The assessment of the current and future data breach response states provides a foundation for the next several steps. To more thoroughly understand your current state and define your future state, the NIST’s Cybersecurity Framework Implementation Tiers can be a useful tool. Most retail organizations will likely fall within Tier 3 or Tier 4 given their requirements to protect individual privacy. This well-structured guide can help uncover shortcomings in the overall cybersecurity program, which can help leaders communicate the need for improvements throughout the organization.

4. Once program gaps are identified, set priorities and budget to address and resolve them.
With the initial program evaluation complete, develop a set of priorities to address gaps and budget constraints, including considerations around insourcing and outsourcing options. If the team chooses to outsource certain response functions, evaluate past experiences of consultants or vendors and their rapid response capabilities. It is also critical to understand what information may be subject to off-site analysis and how much information actually needs to leave the premises during a response.

This phase helps lay the groundwork for your response action plan. As you go to develop and test your plan, aim to accomplish these key criteria:

  1. Design a plan that promotes and assigns accountability during the response period;

  2. Ensure the response team has adequate staff or outsourced capabilities to fully investigate intrusions;

  3. Develop a remediation plan that can occur simultaneously with the investigation to ensure that the breach is contained as quickly as possible; and

  4. Ensure the cybersecurity team is fully capable of getting systems back online as quickly as possible.

With a committed team and a robust, carefully designed program in place, retailers can be well-prepared to quickly and effectively respond to cyber attacks if and when they do occur.

This article was featured in the Fall 2014 Consumer Business Compass Newsletter.