Retailers: Protect Your Data this Holiday Season

Make security awareness training a priority year-round

By Roy Maurer Dec 15, 2014


Criminals breach hundreds of retail merchants annually, but 2014 was a banner year for data thieves. It’s been one year since the theft of 40 million credit and debit card numbers from Target was revealed in December 2013. The loss left Target with costs that have climbed to a quarter-billion dollars and shook the entire retail sector.

Target turned out to be the leadoff hit in a series of high-profile data thefts in 2014, including attacks on Neiman Marcus, Home Depot, Michaels, Staples, JPMorgan Chase and Sony. On Dec. 5, 2014, women’s clothier bebe confirmed that hackers had stolen customer credit card data from stores across the country in a breach that persisted for several weeks.

All businesses are vulnerable. Companies are attacked an average of 16,856 times a year and 43 percent of U.S. companies experienced a data breach in 2014, according to a report from the Ponemon Institute. But retailers are an easy target. Fifty-eight percent of retailers are less secure than they were a year ago because more hackers have been getting inside their firewalls and stealing data, often more quickly and more stealthily than before, according to a study by security firm BitSight Technologies, which analyzed data breach risk at 300 large retail companies.

Connie Stack, chief marketing officer for data protection security firm Digital Guardian, discussed with SHRM Online what specific threats to look out for this holiday season, what measures retailers and other businesses can take to plug the security gaps in their networks, and HR’s responsibility in developing a human firewall to protect the company from data theft.

SHRM Online: What are some specific threats retailers should be aware of around the holiday season?

Stack: First, HR professionals should know that generally we are operating under what we in the security industry call an assumed state of compromise. Everybody knows there’s potential malware and other bad stuff on their networks—it’s there. You can’t catch it all because of the massive volume. You can’t prevent everything from getting in. Retailers especially become ripe targets during the holiday season because the volume of transactions is so exhaustive, whether it’s foot traffic in brick-and-mortar stores or online. Even for companies like Target that have industry-leading security measures in place, it can be difficult to see something potentially bad happening because it gets lost in what we call “the noise of alerts.”

People may think the risk is greater online, but essentially the same data-loss risk exists in a store because every point-of-sale (POS) system is a digital environment. Once customers swipe their card at a retailer’s POS system, or input their payment information online, they really are relying on the defenses of the retailer.

Employers need to guard against insider threats. The POS system can be physically tampered with through card readers, or you can have an employee at an organization with access to credit card numbers that they can download to a USB drive or e-mail to a personal e-mail address and try to monetize or sell them.

Then you have external threats, like those seen in the high-profile breaches at Target, Staples, Michaels and Sony. Outsiders plant malware into companies’ systems that lies in wait. And they do it smartly. If a hacker breaks into Target and steals 40 million credit cards right away, an alarm will go off and they will not be successful. Instead, they will sit and wait and maybe peel off 5,000 numbers a night, which gets buried in all the noise of all the transactions going on, especially during the holiday season.

Outsiders are also using tactics like spearphishing to steal credentials from employees to get access to company networks or are leveraging really smart malware to try to find holes in the network. Security holes are as varied as someone not having the latest patch on their Windows server, or somebody not scanning for common vulnerabilities and flaws in a Web application. The attacker only has to find one.

SHRM Online: It’s the human firewall itself that’s often the easiest to breach, isn’t that right?

Stack: Absolutely, these malicious attackers go for the low-hanging fruit. The employee who’s sitting at his desk, he’s harried, it’s the holidays, he sees an e-mail from his boss, he clicks it, and he just infected his machine. The attackers will use e-mail address convention information found in the public domain, like on LinkedIn, to get the e-mail addresses of at least 1,000 employees at a company like Target and send a spearphishing e-mail with an attachment and make it look like it’s coming from the CEO or from HR. It’s been demonstrated over and over again that spearphishing attacks are one of the most effective methods for hackers, because you’re bound to get some percentage of people who will click on it, infecting their computer and network in the process.

SHRM Online: And the human firewall is HR’s domain, right?

Stack: It’s particularly important for human resources. HR must conduct security awareness training. It is not superfluous. HR has got to be out in front of the employees once a week, communicating that “if it looks suspicious, don’t click it. Call IT first.” HR must get them aware and thinking that “this seems odd that the CFO is e-mailing me a spreadsheet” if that never happened before. Security awareness training must be done, and not only in January but make it a campaign, whether it’s posters in the lunchroom, quarterly meetings or internal videos.

I’m a huge advocate for developing and engaging the human firewall. I think it will be the demise of IT security professionals if we do not engage the non-IT workforce, because we cannot do it alone. We can’t have the attitude that the end users are idiots, which unfortunately is pervasive in the industry.

SHRM Online: What strategic and tactical data protection measures should retailers take?

Stack: There are very common ways hackers employ spearphishing attacks that can be taught through employee training and very common ways that malware behaves once it has infected a system. Malware will create and delete files and run and delete executables. Many solutions on the market can identify those occurrences right away and block the malware from infecting the computer.

Alert fatigue is another issue. Companies have invested heavily in securing their networks and their endpoints. Where they fail is that they’re all sending alerts, all the time. One thing companies are starting to do now is focusing on the alerts impacting their data. If there’s an alert that malware has been found on the system, but it’s just a nuisance, who cares? I want to focus on the malware that looks like it’s trying to access the server that stores all the credit card data. Companies have to prioritize data awareness.

Another prevention measure is being more creative around understanding levels of protection. A lot of companies get overwhelmed by the thought of having to classify every piece of data. They don’t need to do that. They need to classify the important stuff and sensitive information. How much better off would Sony be if those unreleased movies had been encrypted and rendered useless? Yes, it’s embarrassing that e-mails and Excel spreadsheets with salary information got out there and of course HR needs to be aware of and attentive to employees’ personal information, but the hacked movies will have a much larger dramatic business impact on the company. They could have used a data protection vendor to classify those movies as confidential, encrypting them and rendering them useless to hackers.

It’s not a network issue. It’s a data issue. Every industry needs to take a data-centric security posture and figure out what specific data is the most critical and put that data protection level in place. That’s the only thing that is going to result in our capability to defend against these attacks because they’re coming fast and furious and you won’t be able to stop them all. If you can stop thieves from getting the most important data, then you’ll be way ahead.
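Two of the measures Stack describes, recognizing the drop-run-delete pattern malware commonly leaves on an endpoint and ranking alerts by whether they reach the systems that hold the most critical data, can be illustrated in a small triage script. The following is an added example written for this article; it is not code from SHRM, Digital Guardian or any product. The hostnames, the asset inventory and the endpoint log lines are all constructed for the example.

```python
"""Data-aware alert triage (added example, not from the article or any vendor).

Implements two ideas from the interview:
  1. Malware often drops a file, executes it, then deletes it. Seeing that
     sequence for one path on one host is an indicator worth alerting on.
  2. Alerts on hosts that went on to reach a sensitive-data system should
     rank above nuisance alerts, so analysts see them first.
Every hostname, asset tag and log line below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical asset inventory: which hosts store the data we care most about.
SENSITIVE_ASSETS = {
    "cardholder-db-01": "cardholder data",
    "hr-fileshare-02": "employee PII",
}

# Constructed endpoint log, one event per line: "<time> <host> <event> <target>"
SAMPLE_LOG = r"""
09:00:01 pos-lane-17 FILE_CREATE C:\Users\cashier\AppData\Local\Temp\upd.exe
09:00:02 pos-lane-17 PROCESS_START C:\Users\cashier\AppData\Local\Temp\upd.exe
09:00:03 pos-lane-17 FILE_DELETE C:\Users\cashier\AppData\Local\Temp\upd.exe
09:00:05 pos-lane-17 NET_CONNECT cardholder-db-01
09:05:10 kiosk-03 FILE_CREATE C:\Users\guest\Downloads\toolbar.exe
09:05:11 kiosk-03 PROCESS_START C:\Users\guest\Downloads\toolbar.exe
09:05:12 kiosk-03 FILE_DELETE C:\Users\guest\Downloads\toolbar.exe
09:30:00 laptop-42 NET_CONNECT hr-fileshare-02
"""


@dataclass
class Event:
    time: str
    host: str
    kind: str
    target: str


def parse_log(text):
    """Turn the whitespace-separated log into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, host, kind, target = line.split(maxsplit=3)
        events.append(Event(time, host, kind, target))
    return events


def is_subsequence(needle, haystack):
    """True if every item of needle appears in haystack, in order (gaps allowed)."""
    it = iter(haystack)
    return all(item in it for item in needle)


def drop_execute_delete_hosts(events):
    """Hosts where one file path was created, started and then deleted."""
    per_host_path = defaultdict(list)
    for ev in events:
        if ev.kind in ("FILE_CREATE", "PROCESS_START", "FILE_DELETE"):
            per_host_path[(ev.host, ev.target)].append(ev.kind)
    pattern = ("FILE_CREATE", "PROCESS_START", "FILE_DELETE")
    return {host for (host, _), kinds in per_host_path.items()
            if is_subsequence(pattern, kinds)}


def triage(events):
    """Return (priority, host, reason) tuples, lowest priority number first.

    Priority 1: malware-like activity on a host that then reached a sensitive asset.
    Priority 3: malware-like activity with no sensitive data touched (nuisance-level).
    """
    alerts = []
    for host in drop_execute_delete_hosts(events):
        touched = sorted({SENSITIVE_ASSETS[ev.target] for ev in events
                          if ev.host == host and ev.kind == "NET_CONNECT"
                          and ev.target in SENSITIVE_ASSETS})
        if touched:
            alerts.append((1, host, "malware-like activity reaching " + ", ".join(touched)))
        else:
            alerts.append((3, host, "malware-like activity, no sensitive data touched"))
    return sorted(alerts)


if __name__ == "__main__":
    for priority, host, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"P{priority} {host}: {reason}")
```

Run as written, the script lists the POS lane that both showed the drop-run-delete pattern and connected to the cardholder-data server ahead of the kiosk that showed only the pattern. The laptop that merely talked to the HR file share produces no alert at all, which is the point Stack makes about focusing on alerts that affect the data rather than on every event.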

Roy Maurer is an online editor/manager for SHRM.

Follow him @SHRMRoy
