i3 - September/October 2016 - 26

[Chart: Motivations Behind Attacks, June 2016. Categories: Cyber Crime, Hacktivism, Cyber Espionage, Cyber Warfare. Values shown: 6.4%, 15.5%, 69.1%, 9.1%. Source: Hackmageddon]

Hexis Cyber Solutions Inc., a cybersecurity technology provider, identifies four reasons why retailers are such lucrative
targets:
● Desirable data, especially personally identifiable information
(PII) and purchase tracking behaviors.
● Easy access, since retail stores are open to everyone, thus allowing hackers into proximity of point-of-sale machines (POS),
ecommerce nodes and networks (unlike offices with restricted
entry policies).
● Untrained staff who use POS equipment, sometimes to surf
the Web or access email without understanding the threats
they're introducing into the network.
● A complex payment ecosystem involving card readers, databases
and connections to financial networks via multiple devices with
varying levels of protection.
"Retailers can't control every aspect of their processes,
which are often the source of the breach of their own data,"
Hexis explains, noting that 70 percent of attacks against
retailers came via POS attacks, according to a 2015 report.

NOT JUST BAD NEWS
Since they are so exposed to cybercrime, retailers are at the
forefront in the cybersecurity wars. Fueled by high-profile
intrusions into Target, Home Depot, eBay and other merchants' customer credit information, the retail industry has
been aggressive in its fight against cybercrime. BDO USA,
LLP, a consulting and research firm, in its 2016 Retail Risk
Factor Report, says that for the first time in the report's history,
"risks associated with data privacy and security breaches were
cited by all retailers" it surveyed. The only topic that matched
their focus on cybersecurity was concern about "general
economic conditions."
The BDO report cited "new and evolving data privacy regulations that place pressure on retailers to correctly implement
new systems and ensure robust protective frameworks." And it
commended retailers for establishing systems to handle "risks
associated with cyber and privacy regulations." BDO's survey
found that 70 percent of retail chief financial officers expect
cyber regulation to grow in 2016.
The onslaught of attacks has triggered widespread responses.
Retailers are building an arsenal of protective procedures to
fend off the cyber assaults.
The focus "is shifting from security to risk management," says
Mantha of Deloitte. He points out that experience is teaching
companies to understand "the cyber risk landscape" and identify
sources of threats. They are asking questions, Mantha says, such
as, "Who could come after me?" and "What could they do to me?"
"That will show you where you need to focus," he says, noting that
such examinations can help a retailer understand the weak points
in a system, such as user IDs, passwords and unsecured networks.
"Cybersecurity is expensive," Mantha adds, advising that the cost
is vital for protection and urging that retailers place it at the top
of their essential operations. "Think of your resilience strategies
in a broader ecosystem. Organizations should be able to adapt to
change. That is easy to say but often hard to execute."
He emphasizes that a cybersecurity plan "requires internal
cooperation among all groups and functions" and that it should
be a fundamental "goal for top executives."
NRF's Litchford also emphasizes risk management, noting
that his organization's IT Security Council (220 senior security
professionals who are collaborating on
cyber intelligence projects) is developing a
new risk management assessment tool for
retailers. For individual stores and chains,
"it comes down to the size of the tech IT
group and available resources to commit
to security," Litchford says.
"Many retailers are implementing multifactor authentication for their privileged
accounts and third-party access to systems," he explains. He also recommends
that expanded use of EMV (the Europay/
Mastercard/Visa fraud-reduction technology) should be adopted
by smaller retailers. Litchford optimistically credits increasing
use of point-to-point encryption (P2PE), which is replacing end-to-end encryption as a payment security solution.
[Photo caption: Tom Litchford, NRF]
Meanwhile, more tools are emerging. For example, Qkey, a
CES exhibitor, has developed a chip-and-PIN device to secure
online transactions, including personal information. The Qkey fits
into the USB port and uses multiple security layers and a private
shopping browser that eliminates the need to key in information
that is vulnerable to hacking.

October is National Cyber Security Awareness Month

For the 13th year, the U.S. Department of Homeland Security and the
National Cyber Security Alliance are celebrating October
as National Cyber Security Awareness Month (NCSAM). NCSAM
2016 marks the sixth anniversary
of the "STOP. THINK. CONNECT."
campaign to encourage consumers, businesses of all sizes and
educational institutions to ensure
that their online usage is safe
and secure. This year's NCSAM
agenda will focus on a different
cybersecurity issue each week.

PHOTOGRAPH BY DAVID BOHRER
