Canadian Retailer - Fall 2016 - 40

LOSS PREVENTION

"significant real-world data"). While
American companies in 47 states
are bound by mandatory reporting
provisions, Canada has no such
laws in place, and as O'Keefe and
Wisniewski explain, this means
breaches often go unreported.
"Every time I see someone report a number, I get really upset,"
Wisniewski says. "I'm going: 'That's
not true'. The truth is, people haven't
been reporting these things. I'd love
to be able to answer that question.
It would be incredibly useful data to
have. You see companies not reporting this information for a variety of
reasons, and because they're not
reporting, we can't learn from their
mistakes. What hit one organization then targets 100 others."
The reasons for keeping quiet
about such incidents can be numerous: reputation, worries about
plummeting stock price or customer backlash, fear of lawsuits.
However, attacks can also go unreported even within an organization-sometimes for weeks
at a time. Because, as Wisniewski and O'Keefe are quick to
point out, most attacks on businesses are made possible due
to human error.
"If you look at all of the breaches that have taken place in
the last few years, they have one thing in common," O'Keefe
explains. "The Human Element. The breaches have all been
as a result of a person in the organization who has failed to
meet all of the standards they have put in place. Somebody's
been let in through the back door, someone has given out their
password, or left their system unlocked. Somebody did something wrong, and hackers thrive on people being people."
"It's much easier to attack humans than computers," Wisniewski agrees. "Every day that goes by, our computers and devices
are getting more secure. You get an iPhone update once a month,
a Windows update once a month, a Chrome update three times
a month. Virtually all of the major breaches you've seen over
the last few years-Target, Sony, all these big names-all of them
pretty much started with a human opening the door."
And while large retailers are usually capable of weathering
the storm, smaller businesses often aren't so lucky.
"As a big retailer, you can probably survive. It might actually make you more secure," Wisniewski says. "You can change
policy, and bring in a crack security team. But if you're a small
business, you just go bankrupt. Pretty much every time. Any
small business I've seen that's had any breach I'd call significant, it's often a business-ending event."

40 |

CANADIAN RETAILER | FALL 2016

Fighting back

Luckily, there is no shortage of tools retailers can use to help better safeguard their business against cyberattacks. In Canada, PIPEDA
(the Personal Information Protection and Electronic Documents Act), was enacted in 2000 to
better protect consumer information. Chip and
PIN technology and mandatory PCI Compliance help keep payment information secure.
But, outside of a legal or regulatory framework,
there are plenty of things that IT and LP professionals can do to make companies-and their
employees-safer. With phishing attacks on the
rise, Wisniewski stresses that employee education is crucial; whether it's training, or even a
memo detailing common scams (he estimates
that as much as 50 per cent of successful breach
attempts start over email or the telephone).
And, he adds, for many in IT or LP, another key
to success lies in an adjustment of attitude.
"It's important to let staff know that they
won't be blamed when it happens," he explains.
"That way, they'll come to you. Most often
when you do the forensics after an incident, the
person who made the mistake kind of knew it
was wrong, but waited two weeks until somebody else noticed the same thing and asked

Table of Contents for the Digital Edition of Canadian Retailer - Fall 2016