Cybersecurity professionals across industries are responsible for three distinct areas: 1) data confidentiality (ensuring privacy); 2) data integrity (ensuring accuracy); and 3) network/service/application availability (ensuring uptime).
Since the advent of the Payment Card Industry Data Security Standard (PCI DSS) a decade ago, the retail industry has maintained a singular focus on confidentiality — more specifically, protecting customers’ credit card data. Retailers have devoted significant time, resources and budget to protecting their point of sale terminals, preventing data breaches and demonstrating PCI compliance. And as a result of their prioritization of payment security, coupled with the emergence of security technologies such as EMV chips, the risk of credit card theft has declined significantly over the past few years.
During this time, the industry has also undergone significant digital transformation. Retailers have implemented omnichannel strategies that integrate mobile and social channels into traditional online and on-premise operations. They leverage artificial intelligence (AI) to provide a seamless shopping experience and analytics to personalize it based on browsing history, past purchases, etc. And digital marketing (think digital coupons and email promotions) is taking the place of more traditional campaigns such as direct mail. In short, the entire consumer shopping experience, from start to finish, is now more digitized than ever.
The rise of digital transformation combined with the decline in attacks on credit card information has resulted in two very important shifts in retail security:
1. Cybercriminal attack motives and tactics have evolved.
EMV chip cards in the U.S. have made credit card transactions much more secure, and PCI has put basic guardrails in place to protect customers’ financial data. As a result, cybercriminals, who are always looking for the highest return on investment for the least amount of effort, have moved from attacks aimed at stealing financial data to attacks focused on taking down systems, sites and mobile apps.
For example, distributed denial of service (DDoS) attacks flood a targeted system, server or network with high-volume traffic to overwhelm it, drain bandwidth, and ultimately, slow down online services or make them completely unavailable to customers.
Ransomware attacks lock systems or encrypt file servers and databases until a ransom is paid — and this type of attack has become a favorite among cybercriminals. In fact, the Verizon 2018 Data Breach Investigations Report found that ransomware attacks doubled over 2017, and now increasingly target business systems. And why wouldn’t they? The more important a system or network is to a retailer, the higher the chances they’ll pay a ransom demand — regardless of the asking price.
While attacks targeting credit card data certainly do still happen, we’re increasingly seeing cybercriminals cause operational and financial damage by disrupting system or network availability. And in a world where even one minute of downtime can result in millions in lost revenue, a tarnished reputation and a loss of customers, it’s now more important than ever that retailers learn how to fight back against this type of attack.
2. Retailers must now balance availability with confidentiality.
Because of this shifting threat landscape, the availability component of cybersecurity (keeping networks, systems, online sites and mobile apps up and running) has become just as, if not more, important than the confidentiality side. This is particularly true as retailers adopt a new security paradigm — the cloud — as an availability tool. The cloud’s on-demand scalability is ideal for retailers due to the “spiky” nature of traffic volume throughout the year, but it opens a new world of security discipline, particularly in determining which security elements are the responsibility of cloud providers and which are the responsibility of the customer. All of this is a stark contrast from the last 10 years, where, as discussed, security teams’ attention was focused solely on protecting credit card information.
Does this mean that CISOs and security professionals need to walk into the next board meeting and explain that all of the investments they’ve made to ensure payment security over the last few years need to be thrown out the window in favor of tools designed to enable secure availability? Absolutely not. In fact, in many cases, existing security controls and technologies that protect credit card data can also be used to maintain availability. But, it does mean that retailers need to evolve their security strategies to address their new risk posture and ensure that those controls and technologies are accounting for availability as well as confidentiality.
‘Inside-Out’ Security Mitigates Confidentiality And Availability Risks
Many organizations operate with an “outside-in” approach to security, where external threats and compliance mandates dictate security spend and strategy. Retailers’ laser focus on investing in technology that protects payment security and complies with PCI is a great example — in many cases, an external stimulus (PCI) has driven the security strategy for retailers, which is why so many are in a precarious situation at a time when adversaries have turned their attention to non-PCI-governed parts of the business.
The problem with the outside-in approach is two-fold. First, because organizations react to new threats and regulations with technology procurement, they end up with complex, expensive and difficult-to-manage infrastructures that may actually introduce additional risk rather than mitigate it. And second, as mentioned earlier, this approach causes retailers to focus only on a single “on fire” point of risk (PCI), while neglecting the broader risk environment that could potentially damage the business (DDoS and ransomware, for example).
To successfully address risk, organizations need to take a comprehensive approach and adopt an “inside-out” security model. This starts at the core of the organization with the development of an enterprise risk model, which provides a blueprint for security based on each organization’s unique business objectives and risk profile. Using this strategy, security teams can prioritize risk — confidentiality AND availability, for retailers — and make intelligent decisions around the infrastructure, technology and operations required to mitigate it.
Retailers can transform complicated environments comprising endless point solutions into streamlined infrastructures that are much more manageable and effective at reducing risk. They can optimize operations, so security teams can stay focused on high-level priorities that deliver business value, rather than getting bogged down in mundane management tasks. And with an “inside-out” view of security, retailers can implement metrics and other key performance indicators that effectively demonstrate the value security investments and efforts have on the business.
Cybercriminals’ motives and attack methods might be ever-evolving, but with a security model that looks beyond a single compliance driver, an organization’s risk strategy adapts right alongside them. This means that no matter where retailers’ concerns lie on the “confidentiality, availability or integrity spectrum,” they will always be prepared to mitigate risk successfully. And that’s a win for both retailers and their customers.
Dustin Owens is the VP/GM of Risk and Compliance Advisory at Optiv Security. Prior to joining Optiv, Owens was the director of security advisory services at DXC Technology. Before that, Owens held security leadership positions at companies such as Hewlett Packard Enterprise, BT and International Network Services (INS).