SecTor spoke to the retail security expert in part one of our four-part cyberthreat series
When it comes to cyberthreats, retailers are among the most heavily targeted. Companies like Target, Home Depot and TJ Maxx have all made the headlines over the last few years as attackers pilfered credit card records by the millions from their servers and POS systems.
Wendy Nather is the research director at the Retail Cyber Intelligence Sharing Center (R-CISC), one of several US-based Information Sharing and Analysis Centers (ISACs). These are sector-specific centres that advocate information sharing between organizations in the same industry. She spoke to SecTor in a ten-minute interview about the cybersecurity risks facing retailers, and how companies are working together to mitigate them.
Nather has her work cut out: retailers are getting hit hard and fast, and data shows that there’s room for improvement. Verizon’s 2015 Data Breach Investigation Report (DBIR) saw 801 weekly malware events on average among retailers in 61 countries, beating financial services, insurance, and utilities.
When those breaches result in data loss, they’re costing more. The Ponemon Institute found that the cost of a data breach for retailers jumped from $105 to $165 between its 2014 and 2015 Global Cost of Data Breach reports.
But retailers face challenges. Margins are tight, and companies are also often constrained by technology freezes that stop them from making changes at particularly critical times of the year, such as around the holidays.
Where they are making changes, experts often condemn them for not going far enough. A good example is EMV, the technology that places chips on credit and debit cards to help avoid counterfeiting. Commentators including Nather point out that many US retailers are focusing on chip and signature technology, in which a retail clerk still checks a written signature. This contrasts with chip and PIN, which is prevalent in Canada and Europe, where a four-digit PIN is still required for verification.
Some retailers, stung perhaps by security failures in the past, are nevertheless taking the plunge. In April 2014, Target pledged to spend $100m on smartcard technology for its payment systems, after a catastrophic credit card theft in 2013.
In addition to this in-depth interview, Wendy also gave a talk at SecTor. See that video below.