Lessons you can take from other retail data breaches
April was a successful month for hackers intent on creating retail data breaches: Several major retail brands were hacked, many of whom used the same online customer experience partner. These brands include Panera, Best Buy, Macy’s, Lord & Taylor, Sears, Kmart, Delta and Saks Fifth Avenue.
Compounding the problem, says a Business Insider article, a KPMG study shows that 33 percent of consumers would stop shopping for an extended period at a retailer after a breach, and 19 percent would never return to that retailer.
What are the takeaways we can use to help you secure your online data to prevent a retail data breach?
Steps to protecting your business from a retail data breach
1. Don’t assume you can fly under the radar.
Don’t assume that because you’re not a major retailer or commercial entity that you can stay below a hacker’s radar. And it’s not only retailers who have major e-commerce sites that are hacked. Cyber criminals know that smaller retailers don’t often have the resources to thwart hacks.
2. Keep business and personal accounts separate.
Use separate passwords and accounts for your business and your personal banking. If someone hacks your personal email and password from a personal site, they won’t be able to access your business or banking sites. Guard what you allow to be uploaded or attached to your computers, and always encrypt.
3. Educate yourself on retail data breaches and cyber theft
A recurring theme in cyber protection and prevention is that data security is a task best left to the experts. After all, you don’t know what you don’t know. That’s why many smaller retailers have chosen to migrate all their data to the cloud. “A reputable cloud host is well aware that the security of its servers and its ability to protect the data entrusted to it is indispensable if it is to compete and survive. As a consequence, cloud servers will likely be some of the most secure places to store data into the future,” said an older Property Casualty 360 article on breaches.
“Cybercriminal use all types of malware, including Trojans, Man-in-the-Middle, Man-in-the-Brose, and key loggers, to get what they want, including personal data and payment details,” says Due co-founder Chalmers Brown, as quoted in Upwork. “Continue updating your tools to detect malware that may be present. You may also need to invest your time in understanding how malware is used in terms of patterns used by cyber criminals. Focus on using malware detection solutions that can work in the background rather than relying on those options that involve user downloads or registrations.”
4. Involve your employees in preventing retail data breaches
Many data breaches happen by accident: An employee unwittingly opens the door. Retailers need to train employees regularly on how to encrypt data, generate strong passwords, how to properly file and store data and how to avoid malware. Limiting employee access to websites outside the scope of their daily duties will help minimize the possibility of allowing access to a hacker. An educated staff is another important line of defense.
Establish a written policy about privacy and data security and communicate it to all employees. Educate employees as to the types of information that are sensitive or confidential and what their responsibilities are to protect that data. Train employees to never leave laptops or tablets unattended. Implement password protection and ‘time-out’ functions (requires re-login after periods of inactivity) for all computers. Require employees to log off their computers at the end of the day.
Hackers have become particularly adept at phishing to gain access to otherwise secure networks. With a little social media skulking and email contact, they can obtain much of the information they need to access login credentials that grant broad access to business networks. Employees need to be informed of the methods cybercriminals use to find this information.
- Train them on basic preventative measures — how to recognize a phishing attempt or how to create and maintain a secure password.
- Enforce a password security protocol. Employees should change passwords regularly and be well-educated on the importance of password security, the methods criminals use to acquire login and password information and how to create a secure password that’s at least 12 characters long, nonsensical (i.e., a combination of letters, numbers and symbols that don’t spell out words) and totally unrelated to anything about that employee (i.e., not a dog’s or child’s name). Two-factor authentication is a great indicator that a company takes password security seriously.
- Establish procedures for granting and removing access to employees that guard against unauthorized access to the company network.
- Policies regarding use of employees’ own devices should be clear, comprehensive and carefully enforced.
- Any portable medium such as a USB flash drive or portable device such as a tablet or smartphone are more susceptible to loss or theft, and easily used to gain access to your network. Because these are synced with a computer, users are vulnerable to malware anytime they sync. Allow only encrypted data to be downloaded to portable storage devices.
5. Protect your employees
Don’t use Social Security numbers as employee ID or client account numbers. If you do so, develop another ID system immediately. We also strongly suggest that you not collect or keep information you don’t absolutely need. Minimize the number of places you store personal private data. Know what you keep and where you keep it.
6. Outsource payment processing
According to one expert, the weakest link of vulnerability in the credit card payment system is the fact that merchants still handle actual card data in their systems. Quoted in Upwork, Dave Oder, CEO of Shift4 Corporation, a credit card processing payment gateway, says “Merchants need to properly combine point-to-point encryption and tokenization technologies whenever a card is swiped. This means that the business never handles actual card data, as the transaction is processed through the merchant environment. With only a secure token returned to the merchant along with the authorization, there is no more risk of storing vulnerable cardholder information because the onsite database only holds tokens that are meaningless and valueless to thieves.”
The article goes on to say that if this isn’t possible in the short term, then “avoid handling credit card data on your own and rely on reputable vendors – regardless if it’s for point-of-sale or web payments. These companies have a security team that can protect sensitive data far better than you can.”
7. Vet your third-party vendors to eliminate a possible retail data breach
A few years back, both Target and Home Depot were hit with a cyber breach that started with malware found on compromised cash registers. The retailers’ networks were accessed through an unknowing third-party vendor. Cyber experts note that this is becoming a more common hacking practice, because these smaller vendors may not stay on top of data security.
Lesson learned: Vendors, like employees, should only be able to access what’s necessary for them to perform their work. Digital security protocols should be in place to compartmentalize data without giving free reign to any user, authorized or not. Never give temporary workers or vendors access to personal information on employees or customers. If sensitive data is being passed back and forth, make sure both you and your vendor have the capability to properly encrypt it.
8. Stay up-to-date
- Adequate firewalls, anti-virus and anti-spam software should be in place and kept up to date.
- Secure your physical terminals. Even the best data protection is useless if someone can access your system on-site or nab hardware that hasn’t been properly decommissioned.
- Ensure that frequent patches from software vendors are applied as soon as they are made available.
- Periodically check security controls to ensure everything is functioning as expected. Try to monitor data leakage regularly and if any holes are detected, resolve them immediately.
9. Be personally diligent
- You know not to use Password123 or the same password on multiple sites. Now turn that knowledge into habit.
- Store your passwords on a secure app.
- Don’t allow your internet browser to remember your passwords: They may be stored in an unencrypted format on your hard drive, which is easy for hackers to locate and exploit.
- Review your credit card statements monthly without fail.
- Download and scrutinize your free credit statements from any of the credit bureaus on a regular basis.
- Shred any unwanted credit card or loan offers.
- Hover over any link in an email before you click it to see if the linking URL looks appropriate.
You as the shop owner are the first line of defense, so step up your diligence to ensure nothing suspicious gets past you.
10. Create a breach response plan
Knowing what to do in the event of a breach will help you react that much faster, hopefully with the end result of limiting the damage done. Your plan should include steps to notify customers, vendors and staff, plus a list of resources you’ll need to contain the breach.
How to Protect Your Business from Data Breaches
How to Protect Your Small Business From A Data Breach
Preventing a Data Breach
If you shopped at these 15 stores in the last year, your data might have been stolen
How To Protect Your Business From A Data Breach: Seven Key Steps
Retail data breaches: 3 lessons companies have learned