Canadian Retailer - Holiday 2015 - 34

CYBER-SECURITY

ers access to every other system linked to the POS. Similarly, the interconnectedness of a retailer's head office network can create other routes for an invasion. A computer in the marketing department, for example, may have access to other systems and allow hackers working from the inside to infect the broader network.

Leadership in security

In the wake of these breaches, many retailers have appointed chief information security officers (CSIOs) to oversee the security of the store's information. The Home Depot, to take one example, went public with news that it hired Jamil Farshchi as CISO.

Mark Nunnikhoven, vice president of cloud research at Trend Micro, a company specializing in internet security, calls the appointments of CISOs "a fantastic move" for retailers.

"These roles are all about identifying security risks," he says. "It's recognition that security requires an investment."

These new players on the retailer scene, a scene that has become increasingly driven by data, will work to minimize risks and reduce the occurrences and damage caused by breaches. As the digital security experts in the business, they bring up risks for active discussion with executives and work across the industry to share intelligence and reduce industry-wide threats.

Organizationally, the retailers may struggle to integrate the new position into the business. Nunnikhoven says the impulse retailers have to slot CISOs under the chief information officer may be a misstep for some retailers. The risk, he says, is that CIOs, who traditionally oversee the evolution of the business's technology, may make decisions based on technology needs, not security issues.

"Security risk shouldn't be conflated with technology," he says, and points out that some information security risks encompass issues that do not relate directly with technology. A better approach to this might be to make CSIOs peers with CIOs. "Loss is loss," he says. "Should CSIOs be part of loss prevention, or legal, or tech?"

What's important for retail as an industry, says Pozhogin, is that retailers dispel with the notions that their businesses might somehow avoid the notice of criminal syndicates. If a retailer has valuable information, like credit cards and customer information, they are a target.

"People believe it won't happen to them," he says. It's an outmoded idea that needs to change. "After so many wakeup calls, people don't have the luxury of being oblivious." This means becoming intelligent to vulnerabilities to the store's data, an increasingly valuable asset.

"If I were a retailer," Pozhogin says, "I would try to learn as many lessons from breaches as possible and make sure they never happen again."

"People believe it won't happen to them. After so many wakeup calls, people don't have the luxury of being oblivious. If I were a retailer, I would try to learn as many lessons from breaches as possible and make sure they never happen again."
- ANDREY POZHOGIN, Kaspersky Lab North America

THE COSTS OF BREACHES

Stolen personal detail is gold. But how much, in dollars, will the underground economy pay for stolen data?

* 5 cents: value of online gaming credentials on the Chinese black market
* $6: value of 300 IP addresses on the Russia black market
* $155+: value of a set of business application account credentials on the Brazilian black market
* $1,627: combined value of a set of mobile, online shopping account credentials, credit card information and IP addresses to Chinese criminals
* $1,931+: value of a list of landline numbers in Brazil

Figures in U.S. dollars. Supplied by Trend Micro.

Other solutions

Defining a leadership role for information security is an important step for retailers who want to avoid seeing their names in print for unfortunate reasons. Pozhogin says other steps can help reduce the opportunity for ever-more sophisticated criminal syndicates to break into the business's computer systems.

Key among these steps is segmenting networks and imposing controls over who can access different segments of the network. End-to-end encryption for data should become standard practice for retail businesses. Encryption should be set so only people who need to access the data can access it. And POS systems don't have to be as connected as they are currently.

"Retail networks are so interconnected and most data is accessible," says Pozhogin. If recent history is an example, situations can unfold where hackers get inside the network and gain access to huge masses of unencrypted data. "You can't imagine the scale of the damage," he warns.
