BreachExchange mailing list archives

Cyber Attack: Coming to a Store Near You


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 18 Sep 2014 17:37:44 -0600

http://www.huffingtonpost.com/rebecca-abrahams/cyber-attack-coming-to-a_b_5836108.html

BigPill Drug Stores began in 1960 and grew to 35 stores by 1990. The
company had more than 100 stores in 2000. It is now a publicly traded
company, with $63 billion a year in sales, a customer base of 20 million
and 3,600 stores in 28 states. BigPill's annual profits are $3.3 billion
and its stock is currently trading at $6.75 a share.

The company became a major player in retail pharmacies. Their story was
even required reading for Harvard MBAs. Then, it happened. A massive cyber
attack on the company's servers exposed customers' credit card information
and insurance data.

BigPill headquarters thought they did everything right; they thought they
were secure. But they weren't. They outsourced IT security instead of
creating a secure data room, monitored 24/7. They had a Chief Security
Officer, but this person lacked knowledge of all the points of entry to
BigPill's systems, not to mention the particularly vulnerable ones. Why?
Because they hired someone who had worked in the IT department, rather than
hiring someone with cyber security experience. Sure, they had multi-step
authentication for all point-of-sale systems. But the person in charge of
protecting and monitoring company data simply did not understand the
threats.

BigPill didn't even know the breach occurred until a year later - then they
waited another four months before announcing it to the public. Why? They
didn't fully know the extent of the breach until it was too late to stop
the hemorrhaging.

If you've never heard of BigPill, you're not alone. It's a fictitious
organization. But the scary truth is, cyber attacks like this are real and
they're about to get worse - much, much worse.

So if you're the CEO of a $4 billion a year company, the question you should be
asking yourself is: can you afford to lose $2 billion in sales and
jeopardize the company's future? Because when a breach happens, and it will
happen, several things will occur:

1. Your company will lose present and future customers, as they will no
longer trust your organization to secure their financial data.
2. Your company will suffer reputational losses as a result.
3. The cost of cleanup will far exceed the cost to mitigate the attack in
the first place ($140 million in Target's case).
4. Weaker sales will lead to store closures, and the entire C-suite and
management will be affected along with salaries, bonuses, stock options and
stock prices.

Bottom line: whether you're the head of a large private bank or a small retail
store, your data is equally vulnerable to attacks by rogue hackers, hostile
governments, terrorist groups or disgruntled employees.

But if you're still convinced your company is impenetrable to attack,
consider that banks may soon hold retailers financially responsible for
placing them and their customers in financial jeopardy.

Dr. Stephen P. Bucci is the Director of the Allison Center for Foreign and
National Security Policy Studies. He is also Senior Fellow at the Heritage
Foundation for all issues involving Homeland Security and Defense. Bucci,
speaking to attendees at the 2014 NACDS Total Expo in Boston, warns, if
you're not doing something to lock your data down, your company is a
target. "If the leaders in companies do not seek to understand the cyber
threats and challenges, and then work to address them, their businesses
will suffer. Cyber security is a leadership issue now!"

This past January, the FBI issued a report warning U.S. retailers to expect
more cyber attacks and detailed just how vulnerable the $5 trillion
industry is to cyber data theft. Data theft is considered the number one
threat to U.S. retailers.

"Payment data stored on all retail IT systems is hacker friendly. The
objective is to close as many loopholes in the systems as possible.
Michaels, Neiman Marcus, Home Depot, P.F. Changs and Target are vivid
examples of hacker exploitation. No entity is bullet proof against the
onslaught of cybercriminals," says Tom Malatesta, CEO of mobile security
data company Ziklag Systems.

But closing the loopholes can be a challenge, as most merchants' POS
platforms are still running the out-of-date Windows XP operating system. Software
updates and malware prevention are not enough to stop sophisticated hackers.

Mark Tanner is co-chair of the FBI's InfraGard Cyber Security Special
Interest Group (Cyber SIG) and former Director of the FBI's Foreign
Terrorist Tracking Task Force. Tanner tells the NACDS Total Expo that
companies must assess and continually test their systems. "Cyber threats
are constantly evolving and increasingly complex. When most companies find
their security has been breached, they find it occurred more than a year
ago. Defense-in-depth strategies need to be employed to minimize damage and
mitigate risk."

Point-of-sale systems aren't the only vulnerability, says Paul Calatayud,
SureScripts Chief Information Security Officer. Data transfer and cloud
storage are also hacker access points. "A holistic security strategy is
built on the understanding of where your critical data lives: both at rest
and in transit."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 