Theresa Payton is the founder of Fortalice Solutions, a cybersecurity provider of analysis, training, action, transparency and creative problem-solving to protect people, businesses and nations. Payton, a former White House chief information officer, specializes in identifying emerging trends and techniques in the world of cybercrime; earlier this year she appeared in the CBS-TV reality series “Hunted.”
STORES contributing writer David P. Schulz recently spoke with Payton about data security and other cyber issues challenging retailers.
How does one assess the risks of a cyberattack?
A safe corporate organization is one with a multifaceted cybersecurity program that blends old-school risk management and compliance with newer and more innovative techniques. This approach provides a robust means for managing dynamic and complex cyber risks.
Older techniques include performing a traditional risk assessment against the National Institute of Standards and Technology framework or other industry frameworks. Newer and more innovative techniques are based in designing cybersecurity capabilities that behave like and anticipate the adversary and shift the organization away from a purely defensive posture.
A purely defensive strategy is a losing strategy: For every defense you put in the path of cybercriminals, they will find a way to get around it.
In the process of determining cyber risks, how frequently should assessments and reassessments be made?
While there are no set time-scales on how often you should perform risk assessments, you would be remiss to not evaluate your cyber health on an annual basis. Companies should heavily consider additional cyber assessments during periods of high staff turnover, when implementing new equipment and machinery or when new procedures are introduced.
What are the major threats to retail IT systems?
Retailers are facing new threats as omnichannel shopping and a new wave of electronic payment methods are transforming the industry. The more information becomes accessible online, the more vulnerable retailers are to threats.
Ransomware is one of the largest underreported cybercrimes, and it is growing exponentially. It’s a form of cyberattack in which cyber criminals lock up parts of an organization’s system and charge a ransom to release it. Retailers are prime targets for ransomware because if hackers get access to sensitive data, they feel obligated to pay significant fees to get the data back.
Additionally, retailers have been incorporating more connected devices (think smartphone integration, sensors, security cameras) to create convenience and satisfaction amongst their customers. But as more devices are connected to networks, there are more opportunities for cybercriminals to access personal and financial information.
And obviously, another point of entry is the whole payment piece. A lot of people are paying with credit and debit cards, so this is a great opportunity to attack a retailer’s point of sale.
How many networks should a chain of stores or restaurants maintain?
There isn’t one hard and fast guideline for everyone, as every company’s needs are unique. However, the best posture a business can take, regardless of size, is data segregation, meaning that you don’t store all your data in one place or on one network. Make sure your financial data is in one (or ideally more than one) place, your internet protocol is in another, your Internet of Things devices another, and so on. Make it hard for criminals to get everything at once.
What is a cybersecurity plan and what kind of information should it contain?
A cybersecurity plan should clearly describe what an organization wants to achieve when it comes to its online security. A comprehensive plan should focus on three areas: prevention, resolution and restoration.
What are some ways employees compromise cybersecurity?
Employees can compromise security in a number of ways, even if it’s not their intent. Whether it’s creating poor passwords, password sharing, opening an attachment or clicking a link embedded in an email, they often easily compromise a retailer’s security.
If an employee leaves on bad terms, it’s easy to imagine what they can do to a company’s cybersecurity with access to inside information.
Who, or what, should a retailer turn to when data extortion occurs?
Retailers shouldn’t wait for data extortion to occur before they figure out a plan of attack. Instead, they should assemble a response team that consists of relevant personnel including IT, legal and PR and marketing. This team must meet regularly, anticipating and preparing responses to potential data extortion scenarios.
The best way to protect yourself is to make sure your data is thoroughly backed up and you have good anti-virus programs.
Payment systems have potential for fraud. What’s a retail business to do?
The reason POS systems are so vulnerable is that [payment information] is usually unencrypted for some length of time, and that makes it increasingly easy for hackers to breach the information. Plus, criminals always go where the money is and retail businesses are highly susceptible.
Big data and behavioral-based analytics can also indicate whether a cybercriminal is trying to hack into your system. For example, a big-box retailer should notice there are certain parts of the country where they see their customers buy at their stores on a regular basis, because they regularly visit family in certain parts of the country. Purchases that are made in those locations, within that behavior pattern, are likely to be the actual customer.
But suddenly if they start making purchases at their stores outside their normal travel pattern, it could just be that they’re on vacation — but there’s also a possibility it’s not them. This is where big data and behavioral-based analytics can assist retailers in knowing their customers and protecting their identities better.
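The location-pattern check described above, as an added example that is not part of the interview: a customer's habitual store locations are learned from past purchases, and a purchase somewhere new is routed for extra verification rather than blocked outright, since it may simply be a vacation. The purchase history, state codes and the two-visit threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample data (not from the interview): one customer's past
# purchases as (date, US state of the store). The customer shops at home (NC)
# and regularly visits family in Ohio, so OH is part of their normal pattern.
# A single trip to Virginia is not yet a habit.
PURCHASE_HISTORY = [
    ("2023-01-03", "NC"), ("2023-01-10", "NC"), ("2023-01-17", "NC"),
    ("2023-02-05", "OH"), ("2023-02-14", "NC"), ("2023-03-02", "NC"),
    ("2023-03-20", "OH"), ("2023-04-01", "NC"), ("2023-04-10", "VA"),
    ("2023-04-22", "NC"), ("2023-05-06", "OH"), ("2023-05-19", "NC"),
    ("2023-06-11", "NC"),
]

# A location counts as part of the customer's pattern once it has been seen
# at least this many times (assumed threshold); one past visit is not a habit.
MIN_VISITS = 2


def build_profile(history, min_visits=MIN_VISITS):
    """Return (regular locations, share of purchases per location)."""
    counts = Counter(state for _, state in history)
    total = sum(counts.values())
    regular = {s for s, n in counts.items() if n >= min_visits}
    shares = {s: n / total for s, n in counts.items()}
    return regular, shares


def score_purchase(profile, state):
    """Classify a new purchase by where it happens.

    in_pattern     -> a location the customer uses regularly
    seen_once      -> appeared before but not yet a habit
    out_of_pattern -> never seen; could be a vacation or fraud, so the
                      caller should step up verification, not block
    """
    regular, shares = profile
    if state in regular:
        return "in_pattern", shares[state]
    if state in shares:
        return "seen_once", shares[state]
    return "out_of_pattern", 0.0


def review_queue(history, new_purchases):
    """Return the new purchases that deserve a second look, with their label."""
    profile = build_profile(history)
    return [(date, state, score_purchase(profile, state)[0])
            for date, state in new_purchases
            if score_purchase(profile, state)[0] != "in_pattern"]
```

The share returned alongside the label can feed a risk score; the label alone is enough to decide whether to trigger a step-up check such as a confirmation to the customer.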
Consumers often aren’t aware of the privacy they sacrifice when using social media and other technology. Is the same true of businesses that have Facebook pages and communicate through social media platforms?
It doesn’t matter if you’re a consumer or business — we all need to be vigilant about what we post on social media. Identity thieves can follow the information you post like digital breadcrumbs leading back to your house — in this case, your house is your company’s most valuable assets.
We experienced this issue with an ecommerce clothing boutique whose Facebook business page got hacked the week of Black Friday. Its account was compromised and hijacked by a device utilizing networks in the southeastern European state, Kosovo. The hacker set up an automated system to post clickbait pornography using the boutique’s brand on Facebook as a mouthpiece to generate advertising revenue.
While the Facebook account was compromised, the associated email wasn’t. This indicated the possibility of malware on the business’s devices. Thankfully, Fortalice was able to recover this client’s entire cyber footprint within 12 hours. She was back up and running by Black Friday and her business continues to thrive.
You have suggested that the tech industry and business end-users should become more proactive in cybersecurity. What does this involve?
The first step is to ask, “What are we going to do to prevent a breach from happening and what are we doing to help our customers?” Next you need to map the approach. You should pick the two most important digital assets to protect within your organization.
Once identified, these assets should inform your investments and approach. Then a 90-day post-breach plan should be developed, identifying all the players and procedures: What’s our crisis PR plan? Do we have a 24/7 customer call center we can switch on? Who will be our data breach lawyer? What’s our fallback system?
Part of being effective against cybercriminals is to pay careful attention to all your contracts. If you are moving to the cloud, for example, make sure you have a “prenup” with your vendors, a service-level agreement about a breach in the cloud that details how quickly you will be notified, what will be done and how you might rectify the situation.
Being a good neighbor is also important. Make sure your suppliers report any incidents to you, so you can be vigilant and examine potential ways others have been attacked.
Lastly, it’s extremely valuable to invest in a cyber risk assessment to determine your organization’s cyber health and ways it can be improved.
You have advocated for a “kill switch” on devices connected to the internet. When would this be necessary and how would this work in a business context, such as a chain of stores or restaurants?
There are certain times when you turn off data — or flip the kill switch — even though it will disrupt operations, but the consequences are better than finding out that leaving it on creates a much bigger problem. You must have a kill switch for anything that is connected to the internet — POS systems, social media, security cameras, etc. — to provide a privacy safety net and to ensure that you can secure your data.
Earlier this year, you said cybersecurity checklists don’t work. What do you mean by that?
Checklists don’t stop bad things from happening. Checklists and best practices have been implemented in tech departments and companies across the globe, but I think they’re the worst thing that has happened to our industry.
I realize why companies implement checklists, and it’s often because they don’t know where to begin or don’t have the budget, time or resources to be completely comprehensive. Candidly, they haven’t actually protected companies from cyber threats — instead, they enable complacency, turning the end goal into crossing everything off the list, which doesn’t solve core security problems.
David P. Schulz has been writing for STORES since 1982 and is the author of several non-fiction books.