
Remote access apps a weak link in cyber security efforts

August 1, 2014

Hackers, it turns out, are looking to bring the mayhem with the least amount of work necessary. For many of them, according to a new report from Homeland Security, finding the easy way into a company's database often includes using apps that grant remote access to employees and vendors.

According to the report, hackers scan for remote access apps, use high-speed programs to determine an individual's log-in information, and off they go.
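The pattern the report describes, finding a remote-access login and guessing credentials at speed, leaves a recognisable trace in the gateway's own authentication log: a burst of failures from one source, sometimes followed by a success. The following is an added example and is not code from the article or from any of the reports it cites. It runs a sliding-window detector over a few constructed log lines in an assumed format (`<timestamp> <OK|FAIL> user=<name> src=<ip>`), flags a source once its failures in the window reach a threshold, and raises a higher-priority finding when a login from that source then succeeds, since that is the case where a guessed credential should be reset and the session investigated.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for a hypothetical remote-access gateway.
# Assumed format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2014-07-30T02:14:01 FAIL user=jsmith src=203.0.113.9
2014-07-30T02:14:02 FAIL user=jsmith src=203.0.113.9
2014-07-30T02:14:03 FAIL user=jsmith src=203.0.113.9
2014-07-30T02:14:04 FAIL user=jsmith src=203.0.113.9
2014-07-30T02:14:05 FAIL user=jsmith src=203.0.113.9
2014-07-30T02:14:06 FAIL user=jsmith src=203.0.113.9
2014-07-30T02:14:07 OK   user=jsmith src=203.0.113.9
2014-07-30T09:00:12 FAIL user=mlee src=198.51.100.4
2014-07-30T09:00:40 OK   user=mlee src=198.51.100.4
2014-07-30T11:30:00 OK   user=vendor-pos src=192.0.2.77
"""


def parse_line(line):
    """Turn one log line in the assumed format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return findings for sources whose failed logins within `window`
    reach `threshold`, and for any success that follows such a burst.

    A single mistyped password (mlee above) never reaches the threshold,
    so ordinary user error is not reported."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent_fail = defaultdict(list)  # src -> timestamps of failures in window
    flagged = set()                   # sources already reported for guessing
    findings = []
    for e in events:
        fails = recent_fail[e["src"]]
        # Expire failures that fell out of the sliding window.
        while fails and e["ts"] - fails[0] > window:
            fails.pop(0)
        if e["ok"]:
            if len(fails) >= threshold:
                findings.append({
                    "type": "success_after_guessing",
                    "src": e["src"], "user": e["user"], "failures": len(fails),
                })
            continue
        fails.append(e["ts"])
        if len(fails) >= threshold and e["src"] not in flagged:
            flagged.add(e["src"])
            findings.append({
                "type": "password_guessing",
                "src": e["src"], "user": e["user"], "failures": len(fails),
            })
    return findings


if __name__ == "__main__":
    for f in detect_guessing(SAMPLE_LOG):
        print(f)
```

With the constructed input, the detector reports the 203.0.113.9 source for password guessing after its fifth failure and then reports the successful login that follows it; the lone failure from 198.51.100.4 is not reported. The threshold and window are assumptions to be tuned against a real gateway's normal failure rate.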

"As we start to make more secure software and systems, the weakest link in the information chain is the human that sits on the end — the weak password they type in, the click on the email from the contact they trust," Vincent Berk of FlowTraq, a network security firm, told The New York Times.

According to Verizon's 2014 Data Breach Investigations Report (DBIR), there were 1,300 confirmed data breaches across all industries in 2013 with 148 incidents of data loss in retail. Chains including Target, Neiman Marcus, Michaels, Schnucks and Raley's were among those who saw their security breached.

Hackers stole more than 175 million customer records between April and June this year, according to a new SafeNet report. Of those, 145 million were a result of retail industry breaches. Last week, reports surfaced that Goodwill Industries was investigating the theft of customers' credit card data.

A new RetailWire m•Paper sponsored by Junction Solutions, Retail POS Security: Limiting Risk in a Risky Era, offers recommendations for controlling remote access to sensitive data including:

  • Banning unauthorized personnel;
  • Controlling personnel changes: managing credentials when people are hired, change positions or leave a company;
  • Auditing security practices of vendors and partners;
  • Reviewing systems to check for unknown or dormant users;
  • Eliminating weak passwords and requiring passwords be changed on a periodic basis. (Consider using two-factor authentication.)
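Several of these recommendations (personnel changes, dormant or unknown users, vendor access, two-factor authentication) come down to periodically reconciling the list of remote-access accounts against what the business currently needs. The following is an added example, not code from the m•Paper or from Junction Solutions. It audits a constructed inventory of accounts, with assumed field names, and turns each problem into a finding and a recommended action: accounts belonging to people who have left, accounts with no login in 90 days (an assumed policy threshold), vendor access past its agreed expiry, and accounts without a second factor.

```python
from datetime import date

DORMANT_DAYS = 90  # assumed policy: no login in this many days => dormant

# Constructed inventory of remote-access accounts; the field names are
# assumptions, not those of any real product. "employed" is False once
# HR has processed a departure; "expires" is the agreed end of vendor access.
ACCOUNTS = [
    {"user": "jsmith", "owner": "employee", "active": True,
     "last_login": date(2014, 7, 29), "mfa": True, "employed": True, "expires": None},
    {"user": "tgarcia", "owner": "employee", "active": True,   # left, still enabled
     "last_login": date(2014, 2, 1), "mfa": False, "employed": False, "expires": None},
    {"user": "svc-legacy", "owner": "service", "active": True,  # never used
     "last_login": None, "mfa": False, "employed": True, "expires": None},
    {"user": "vendor-hvac", "owner": "vendor", "active": True,  # access expired
     "last_login": date(2014, 4, 10), "mfa": False, "employed": True,
     "expires": date(2014, 5, 1)},
    {"user": "mlee", "owner": "employee", "active": True,
     "last_login": date(2014, 7, 31), "mfa": False, "employed": True, "expires": None},
    {"user": "old-contractor", "owner": "vendor", "active": False,  # already disabled
     "last_login": date(2013, 1, 1), "mfa": False, "employed": False, "expires": None},
]


def audit_accounts(accounts, today, dormant_days=DORMANT_DAYS):
    """Return a sorted list of (user, finding) pairs for enabled accounts."""
    findings = []
    for a in accounts:
        if not a["active"]:
            continue  # already disabled; nothing left to fix
        if not a["employed"]:
            findings.append((a["user"], "terminated_still_active"))
        last = a["last_login"]
        if last is None or (today - last).days > dormant_days:
            findings.append((a["user"], "dormant"))
        if a["owner"] == "vendor" and a["expires"] is not None and a["expires"] < today:
            findings.append((a["user"], "vendor_access_expired"))
        if not a["mfa"]:
            findings.append((a["user"], "no_mfa"))
    return sorted(findings)


def recommended_action(user_findings):
    """Map a user's findings to one action: disable first, then fix MFA."""
    disable_triggers = {"terminated_still_active", "dormant", "vendor_access_expired"}
    if disable_triggers & set(user_findings):
        return "disable"
    if "no_mfa" in user_findings:
        return "enforce_mfa"
    return "ok"


def actions_by_user(accounts, today):
    """Return {user: action} for every enabled account in the inventory."""
    findings = audit_accounts(accounts, today)
    result = {}
    for a in accounts:
        if a["active"]:
            mine = [f for u, f in findings if u == a["user"]]
            result[a["user"]] = recommended_action(mine)
    return result


if __name__ == "__main__":
    for user, action in actions_by_user(ACCOUNTS, date(2014, 7, 31)).items():
        print(f"{user:15} {action}")
```

Run against the constructed inventory on 31 July 2014, the audit disables tgarcia, svc-legacy and vendor-hvac, asks for a second factor on mlee, and leaves jsmith alone. The same reconciliation is what "reviewing systems to check for unknown or dormant users" amounts to in practice, and running it on a schedule is what keeps the review from being a one-off.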


Discussion Questions:

How would you advise retailers to deal with cyber security issues around remote access apps? What other steps other than those offered in the article would you recommend retailers take to deny access to criminals looking to breach their security?


Instant Poll:

How well trained are employees and vendor representatives about avoiding having their log-in stolen by hackers?

Comments:

The real challenge is the inside job. All it takes is one employee like Snowden to get high enough clearance. Just like all retail, it's about the people you trust in your organization and how you train, monitor and reward them.

Bob Phibbs, President/CEO, The Retail Doctor

IMHO what we have in this article is the low-hanging fruit of recommendations, i.e., "banning unauthorized personnel" (duh) and having "stronger passwords." The awkward truth is that there are three problems at the heart of the security issue, and all three are self-inflicted wounds:

  • The "cloud" will dramatically increase security risks
  • The BYOD movement will come back to inflict a big hurt on you
  • The pathetic fault-filled state of software

Roger Sessions, the complexity theorist, concludes that fixing the chronic IT problem will restore a TRILLION dollars to the U.S. GDP. It will be well worth the effort with huge rewards in terms of economics, safety, performance and pretty well everything else that drives business today.

Ian Percy, President, The Ian Percy Corporation

The bottom line here is that there are myriad ways to breach every retailer's network, and current data assurance efforts won't be enough.

In dinner event after dinner event this year, I've talked with CIOs and VPs of IT who say that their boards of directors want more evidence that their networks are protected, but are leery of spending more money. The Verizon Data Breach Investigations Report is a terrific resource for retail CISOs who need additional ammunition to justify more investment.

Cathy Hotka, Principal, Cathy Hotka & Associates

A significant percentage of security vulnerabilities pertain to web and mobile applications. To address application security challenges effectively, retail and CPG organizations need to test software and applications across their entire portfolio. They need to assess software code, web and mobile applications for vulnerabilities, as well as automate correlation of static and dynamic application security testing results. Things like "Glass-box testing," a form of Interactive Application Security Testing (IAST), or using a JavaScript Security Analyzer or a Cross-site Scripting Analyzer will help mitigate security risks. As a cross check, I would highly recommend a security software provider that is ranked in the "Leader Quadrant" in the latest Gartner Magic Quadrant for Application Security.

Ralph Jacobson, Global Consumer Products Industry Marketing Executive, IBM
