Canadian Retailer - Fall 2016 - 41

LOSS PREVENTION

quired. Everybody wants to share everything,
but after a certain point, you're not safeguarding the company's intellectual property."
Another ally in the fight against cybercriminals are "White-Hat Hackers"-computer security experts who perform non-destructive
"penetration checks" on a company's systems
to test their vulnerabilities (some are on payroll, while others bring system information to
Phishing: Thieves send an email with an ordinary-looking atbusinesses in exchange for payment-ironictachment, labelled as a spreadsheet, .pdf, or something equally
innocuous. When clicked, the attachment actually installs malally increasing the number of breach attempts
ware designed to steal your credentials (username, password,
each year). And while antivirus software, fireaddress book, etc). With access to the company email server
walls, and IT professionals are a crucial part of
and database, thieves can steal information or initiate fraudukeeping any business secure, some solutions
lent wire transfers.
According to the VDIR, in a series of more than 8 million
are surprisingly low-tech, up to and including
sanctioned phishing tests in 2015, 30 per cent of phishing
an awareness of social media presence.
emails were opened by targets, 12 per cent clicked the attach"I can learn almost everything I want to
ment, and only 3 per cent reported it to management.
know about a company on LinkedIn," WisniewInformation Theft: Criminals gain access to customer, employski chuckles. "Criminals can look on LinkedIn,
ee, or associate information-either through hacking, phishing
and they'll see, 'Oh, ok. The Director of IT's
emails, or phony PINpads using bluetooth and keystroke-recname is Jim. If I just start calling employees,
ognition technology-and use it for financial gain. This can take
the form of cloning debit and credit cards, or selling informaand saying I'm Jim from IT, and I need them to
tion directly-usually on the Deep Web.
reset their password for me, I'm going to trick
somebody within the first five calls."
"Canadian retailers are ahead of the times.
When it comes to Canada's place in the
global Data Security landscape, Wisniewski
Especially when it comes to credit information
and O'Keefe are of different opinions.
protection. Some of the safeguards on credit
"Many businesses in Canada aren't doing
cards-embracing chip and PIN technology way
nearly enough to protect their customer information," Wisniewski says flatly. "We have
ahead of the States, for example."
no Data Breach Notification laws in Canada.
- STEPHEN O'KEEFE, Gristmill Solutions
PIPEDA has some provisions, and there's one
about it. And they'll say 'Oh yeah, I thought other law, but there's no national or provincial laws. So most
that seemed kind of weird'. And we're going businesses don't do anything."
'Why didn't you tell me two weeks ago?' And
O'Keefe, for his part, is a little more upbeat-particularly
it's mostly because of the shame of it. And when it comes to retailers.
for years, us IT people, we've been shaming
"In a lot of ways, Canadian retailers are ahead of the times," he
people, saying 'How stupid are you?' and we says. "Especially when it comes to credit information protection.
need to change that attitude. I'd rather investi- Some of the safeguards on credit cards-embracing chip and
gate ten false reports and find one real one."
PIN technology way ahead of the States, for example. They're
In some cases, it's a matter of increased just going through that now. As far as personal information, the
cooperation between departments (Wisniew- different privacy acts are pretty much where they should be."
ski advocates two methods of authenticaHowever, both men agree that when it comes to combatting
tion for any wire transfers), and in others, as digital criminals, there's plenty of work still to be done.
O'Keefe points out, it's a matter of restrict"I speak in front of probably 100,000 people a year," Wisniewski
ing employee access-not only to prevent the adds, "and anecdotally, I'd say that half of businesses are having
theft of trade secrets, but to limit the damage some kind of computer security incident every year. Most of them
a criminal can do once inside the system.
aren't that big a deal, but even the small ones have a tendency
"You need to control access," he says. "People to cost between $5000-10,000. And those aren't even specifically
need enough information to do their job, and data thefts. That's where the information starts getting fuzzy."
enough to motivate them to become an enHe chuckles quietly, in spite of himself.
gaged player in the company, but not enough
"We like to joke that any organization who says they haven't
that you have more information than is re- had an incident just doesn't know it yet."
COMMON ATTACKS:

Ransomware: Hackers gain access to a company server and
encrypt all information-customer payment profiles and
company data-and hand over decryption keys only after a
ransom is paid (a fee which increases each day). While originally targeting individuals, businesses are increasingly being
affected; according to a study conducted by MalwareBytes,
close to 40 per cent of surveyed businesses had experienced
a Ransomware attack at some point in the past.

www.retailcouncil.org/cdnretailer

FALL 2016 | CANADIAN RETAILER

| 41

http://www.retailcouncil.org/cdnretailer

Table of Contents for the Digital Edition of Canadian Retailer - Fall 2016