By Dr. Vincent Berk, Co-Founder and CEO, and Larry Nuttall, Executive Director of Operations, FlowTraq
A version of this article also appeared in Retail Minded, posted by Nicole Reyhle
Last year ended with the second biggest retail data breach in history, and it is a cautionary tale about the true cost and economic impact that merchants of any size can ill afford. According to Reuters, the theft of credit and debit card data from 40 million Target customers may end up costing hundreds of millions of dollars, which is all tied to litigation, customer notifications, card replacements, sorting bad charges from legitimate charges, and fixing bad charges.
On top of that, Target offered customers a 10 percent discount for shopping over a busy holiday weekend, and offered credit monitoring to those customers whose cards were compromised, in an effort to address customer concerns.
The credit card companies such as MasterCard and Visa can hit retailers with additional fees, penalties and charges for forensic investigation costs if the problem is determined to be in the retailer’s systems.
While the costs of lawsuits and card replacements hold a significant dollar value, repairing Target’s corporate reputation is a cost not too easily measured in dollars and cents. Account data compromises can wreak economic havoc upon the largest retailers.
A key takeaway from this situation is that customers and payment processing companies will be placing much more pressure on retailers to ensure the security of sensitive data. This year we will see several changes within the industry as retailers adapt to the ever-evolving threat landscape.
IT Departments Will Balance Between Security and the Inevitable Threat
Organizations will begin to balance their investments in security against the realities of what the business can afford. Target, like many others, is a big box, brick-and-mortar retail organization that operates on thin margins, and, as the Reuters article suggests, could incur up to $680 million in unplanned costs dealing with the breach.
Consumers may assume that the big brand-name stores have all the proper defense systems in place. Merchants must comply with PCI standards and the anti-fraud requirements imposed by the card companies. However, financial pressure may limit their ability to fund the tools and to maintain the network security staff expertise needed to protect sensitive account data. So, they accept a certain amount of risk, and hope their security tools provide at least a compliant level of coverage.
Retailers need the highest levels of affordable security because operating margins do not allow them to throw an unlimited amount of money at IT security. Companies cannot justify continuously escalating their investment in security hardware, software and resources at a time when sales revenues and profits are flat or growing slowly. Retailers will focus on making intelligent decisions that enable them to get the maximum value possible out of the tools they can afford.
From purchasing behavior to payment card to loyalty program information, retailers have massive amounts of data that they are responsible for managing and properly securing 24/7. As IT departments come under increasing pressure to find the right balance between investment and security, tools that can process large volumes of data for less money will win out.
Retailers will invest more heavily in real-time network monitoring tools
Recent high profile breaches have one key thing in common: the time lapse between the occurrence of the breach and the discovery of the breach. In the case of the Target breach, it took more than three weeks for the company to identify and disclose the compromise. Others have gone undetected for many months.
In today’s world, threats are evolving faster than ever before. Access logs, virus signatures and intrusion detection alerts are simply insufficient to secure sensitive account data. Retailers are beginning to revise their network infrastructure policies and procedures to help close that security gap, and a large part of this involves investing in tools and technologies that monitor networks in real-time.
It is no longer acceptable for organizations to experience a data breach that goes undetected for months. A new class of real-time monitoring tools will allow organizations to gain nearly immediate visibility into possible threats, compared with older security solutions that deliver answers too late and too slowly. These tools of the future will help retailers build a proactive cyber defense posture around their data assets.
Retailers will revise their budgets and add lower cost real-time tools to minimize risk of costly data compromise
Consumers may feel “safe” from credit card fraud, since the law and card company policies limit the cost impact to cardholders. However, inside the industry, it is no secret that the retailer may bear the full expense of data breaches. If sensitive account data is handled improperly or network security practices fall below standards, the card companies can hold the retailer liable for the costs.
One thing is certain. This year retailers will reassess their network, systems and data handling practices. They must deploy fast, affordable network security solutions under tight budget and resource constraints.