[Image of: RetailWire Logo and Tagline (for print)]

BUSINESS TIPS

ChannelAdvisor:
Online Selling Strategies
RR Donnelley:
In-Store Marketing
LoyaltyOne:
Enriching Customer Relationships
 
[14 comments]

Retailers to establish center to deal with cyber threats

April 16, 2014

The National Retail Federation (NRF) announced on Monday it plans to establish an Information Sharing and Analysis Center (ISAC) to provide retailers with information on cyber security threats identified by other merchants, the government, law enforcement and financial services firms.

The new program, which is scheduled to launch in June, is being developed in consultation with the Financial Services Information Sharing and Analysis Center (FS-ISAC).

"We believe a heightened and well coordinated information sharing platform such as a retail ISAC is a vital component for helping retailers in their fight against cyber attacks," said Matthew Shay, president and CEO of NRF, in a statement.

"As an industry, it is critically important that we continue to work together and identify problems while providing solutions that prevent criminal hacking and the resulting data breaches," said Cy Fenton, senior vice president, information technology (CIO) at Books-A-Million and chairman of the IT Security Council, a sub-committee of the NRF CIO Council. "The safety and security of our customers unites retailers large and small, and information sharing is one of several important steps we are taking in order to achieve this mission critical goal."

Retailers have been under pressure from Congress to take action following the data breaches at Target and Neiman Marcus that exposed tens of millions of customer records to data thieves. In February, Senators Mark Warner (D-VA) and Mark Kirk (R-IL) wrote a letter to the Federal Trade Commission calling on the retail industry to establish an information sharing body.

Discussion Questions:

Will the creation of the Information Sharing and Analysis Center by the NRF help retailers, financial institutions and law enforcement deal more effectively with cyber security threats? What do you see as the biggest cyber security issues the ISAC will need to address when it launches in June?

While we value unfettered opinion, we urge you to show respect and courtesy for people or companies about whom you comment. Keep in mind that this is a public, professional business discussion. RetailWire reserves the right to edit or refuse the publication of remarks that we deem unsuitable. We may also correct for unintended spelling and grammatical errors.

Instant Poll:

How effective do you expect the Information Sharing and Analysis Center being launched by NRF to be in helping retailers address cyber security threats?

Comments:

ABSOLUTELY.

It's hard to say where they should start. In fact, I'd like to say establishing standards for the retention of customer data, but the way things have been going, by June there will be new issues to tackle.

Three cheers for the NRF for doing the right thing here!

[Image of: View Braintrust Panelist button]
Paula Rosenblum, Managing Partner, RSR Research

Any steps that retailers can take to make customer data more secure are steps in the right direction. The ability to collect and disseminate information about security breeches will help retailers and build consumer confidence.

The problem is that once threats are identified, retailers need to spend the money to fix or prevent them. Target had all the tools necessary to prevent and then minimize the impact of its security breech. Its own people and systems failed.

Retailers need to spend the money necessary to minimize data breeches, and once threats are discovered, retailers take immediate action to fix them. That's going to be the biggest hurdle for the ISAC.

[Image of: View Braintrust Panelist button]
Max Goldberg, President, Max Goldberg & Associates

Improved communication, development of crisis protocols, etc. is generally always good (or at least as good as the quality of those communications and protocols).

On the other hand, some of the breaches in security come from the "allies" in this effort, i.e., the government and law enforcement. There is a point where national security and retail security are potentially in conflict after all.

Finally, ancient Chinese military leaders developed two strategies to deal with the constant invasion of the country's northern barrier by forces they saw as barbarians. Translated, these strategies are: "Send a barbarian to check the barbarian"; and "Send a barbarian to kill the barbarian." In other words, they recognized that as "civilized" warriors, they were out of position to effectively deal with "barbarian" hordes who didn't play by their rules.

So ... a modest suggestion would be for the NRF's Sharing and Analysis Center might be to get ahead of potential problems by hiring an army of young, anarchistic hackers.

The right idea is to keep the horse from running out of the barn in the first place. Far superior to putting a GPS tracker on him so you can trace where he's run to.

[Image of: View Braintrust Panelist button]
Ryan Mathews, Founder, ceo, Black Monk Consulting

NRF should indeed do this. I hope retailers sign on and candidly share information that protects the shopper. Having had two experiences with breach, I've eliminated (mostly) shopping at two retailers I like. I hope I don't have to continue to think about a credit card breach every time I go shopping.

[Image of: View Braintrust Panelist button]
Anne Howe, Senior Vice President, Shopper Solutions, part of Acosta Mosaic Group

As I stated in my comment on March 6 when we discussed "Target CIO resigns, chain to look outside for IT leadership":

"I believe what is needed is a national retail task force with some of the best and brightest minds in internet security to come together to implement strategies that make it much tougher for criminals to penetrate. Expecting that this will not happen again is wishful thinking and not very practical. Expecting one retailer to have the answer is also wishful thinking. We need the A-team on this one." Glad they came to the same conclusion.

Expecting one retailer to solve this problem is unrealistic. Retailers have their day job and unfortunately, cyber security is not at the top of the list, even though it should be. Retailers need to realize that like it or not, they are in the technology business in order to survive and thrive in the 21st century. What is the biggest issue? Giving shoppers confidence that the retailers they do business with have their back when it comes to handing over their credit card. Let's start there and the rest will start to fall into place.

[Image of: View Braintrust Panelist button]
Zel Bianco, President, founder and CEO, Interactive Edge

Information sharing is a great first step across the industry. Also need individually to:

  1. Continuously investment in technology to stay ahead of cyber attacks
  2. Regularly test, review and update processes that involve data handling (human or machine)
  3. Apply the intelligence communities' notion of "compartmented information" so a single breach does not equate to full access to sensitive data

[Image of: View Braintrust Panelist button]
Mohamed Amer, Vice President, Global Integrated Retail Unit, SAP

Cyber data mining and system software attacks are far beyond hackers. This isn't to say there isn't a good number of independents and small autonomous groups out there that are having a go at it because there is. These small groups are much more a nuisance than a high level threat. The real problem comes from a well funded collection of criminals that are willing to pay for the mined data and use the information or system interruptions for a profit. In order to deal with a highly organized well equipped group one needs to close the windows of opportunity and/or shut down the money supply. Shutting down a world wide supply of money is certainly a no win scenario but adding to the costs is not.

Minimizing the opportunity for outside interruptions and locking down outside and internal theft potential is a goal with promise. This option should be a constant investment in improvements using the latest proven technologies and methodologies the market can cost effectively offer. Creating a central information and standards organization will invite the unwanted to see for themselves exactly where the walls and traps are. At the same time it will slow the opportunity for improvements by adding to the test and approval times for new product aimed at reducing new threats. In short you do not want someone telling everybody what you can and cannot do.

'gjarnoldjr'

It will help in any case with information sharing among retailers which sometimes can be hard given competitive situations. In terms of how it will help with technology implementation, that would depend on how retailers take themselves seriously on the subject.

[Image of: View Braintrust Panelist button]
Kenneth Leung, Director of Enterprise Industry Marketing, Avaya

Just think of the heartache we might have avoided if this had been created 15 years ago, as some of us suggested...but this is a good move, and will do good things.

[Image of: View Braintrust Panelist button]
Cathy Hotka, Principal, Cathy Hotka & Associates

This is what trade associations should be doing - helping their members resolve a problem shared by all, that doesn't diminish competitiveness. The NRF tries to represent all retailers, but there are other associations that claim their own pockets of retail (I am thinking food/non-food). It will be nice to see how this evolves and becomes inclusive.

Vahe Katros, Consultant, Plan B

Information Sharing and Analysis Centers are a proven tool in the fight against cyber crime. Members of the ISAC can share threat intelligence about the tactics, tech, and procedures that are discovered in near real-time.

Without an ASIC framework, it can be hard for security pros to share information for fear to disclosing tactics to other criminals. Most ASICs also have a provision for sharing info anonymously, so that members can share information without risk of it adversely effecting their business.

This type of information share is critical because so many cyber criminals use the same tools and tactics to assault multiple targets. Once an attack is recognized, if its fingerprint can be efficiently shared, it can be much easier to defend.

All the tools used in the Target breach were already in the wild well before they were used against Target. Had Target had access to a retail-specific ASIC, it may well have given them the info they needed to defend themselves proactively.

[Image of: View Braintrust Panelist button]
Jason Goldberg, VP Commerce Strategy, Razorfish

All I can say is that it is great that an industry trade organization is taking this on. The challenge is that NRF is 90+% U.S.-based and we need a global effort for this. Also, several other global entities need to participate, including financial institutions, and even governments, etc. Continued threats against hacks will drive the need for consistent evolution of security measures. Once standards finally get in place throughout the industry, all parties must ensure continued threat updates.

[Image of: View Braintrust Panelist button]
Ralph Jacobson, Global Consumer Products Industry Marketing Executive, IBM

I'm all for improved communications, etc., but will this ensure that retailers are compliant? This has been an ongoing - because it's costly - issue.

What we don't need is another layer of bureaucracy that retailers must contend with. I'm not assuming or supposing that this is what the ISAC will be, but I am throwing out the caution.

The one thing retail can use right now is a team of uninvested players who can stay abreast of cyber security, what the threats are, how to mitigate risks, objectively investigate parties looking to get into this space. All the usual things.

Retailers need a light in the dark with direction finders along the way, and that is my 2 cents!

Lee Kent, Brings Retail Executives Together to Meet.Learn.Profit, RetailConnections

First, cyber security has slowly grown to be one of the most important issues in business and government today. In fact, there are some that believe that cyberspace is the next theatre of exposure for national defense and overall security. For retail, this is absolutely the right thing to do and is required to provide the right forum for visibility and best practice sharing as well as the ability to combine efforts to influence other organizations at local, federal and global level.

As retailers drive greater personalized value and service, it will be critical that the information they gather and use for such personalization is protected at the same level as payments, cash, and other high risk physical assets. Customers will expect this level of protection and will start choosing to not do business with retailers who aren't perceived as protecting this information.

[Image of: View Braintrust Panelist button]
Verlin Youd, Principal, VPY LLC

Search RetailWire
Follow Us...
[Image of:  Twitter Icon] [Image of:  Facebook Icon] [Image of:  LinkedIn Icon] [Image of:  RSS Icon]

RetailWire's
Getting Started video!

View this quick tutorial and learn all the essentials...

RetailWire Newsletters