Retailers to establish center to deal with cyber threats

The National Retail Federation (NRF) announced on Monday it plans to establish an Information Sharing and Analysis Center (ISAC) to provide retailers with information on cyber security threats identified by other merchants, the government, law enforcement and financial services firms.

The new program, which is scheduled to launch in June, is being developed in consultation with the Financial Services Information Sharing and Analysis Center (FS-ISAC).

"We believe a heightened and well coordinated information sharing platform such as a retail ISAC is a vital component for helping retailers in their fight against cyber attacks," said Matthew Shay, president and CEO of NRF, in a statement.

"As an industry, it is critically important that we continue to work together and identify problems while providing solutions that prevent criminal hacking and the resulting data breaches," said Cy Fenton, senior vice president, information technology (CIO) at Books-A-Million and chairman of the IT Security Council, a sub-committee of the NRF CIO Council. "The safety and security of our customers unites retailers large and small, and information sharing is one of several important steps we are taking in order to achieve this mission critical goal."

Retailers have been under pressure from Congress to take action following the data breaches at Target and Neiman Marcus that exposed tens of millions of customer records to data thieves. In February, Senators Mark Warner (D-VA) and Mark Kirk (R-IL) wrote a letter to the Federal Trade Commission calling on the retail industry to establish an information sharing body.

Discussion Questions

Will the creation of the Information Sharing and Analysis Center by the NRF help retailers, financial institutions and law enforcement deal more effectively with cyber security threats? What do you see as the biggest cyber security issues the ISAC will need to address when it launches in June?

14 Comments
Paula Rosenblum
10 years ago

ABSOLUTELY.

It’s hard to say where they should start. In fact, I’d like to say establishing standards for the retention of customer data, but the way things have been going, by June there will be new issues to tackle.

Three cheers for the NRF for doing the right thing here!

Max Goldberg
10 years ago

Any steps that retailers can take to make customer data more secure are steps in the right direction. The ability to collect and disseminate information about security breaches will help retailers and build consumer confidence.

The problem is that once threats are identified, retailers need to spend the money to fix or prevent them. Target had all the tools necessary to prevent and then minimize the impact of its security breach. Its own people and systems failed.

Retailers need to spend the money necessary to minimize data breaches, and once threats are discovered, retailers must take immediate action to fix them. That’s going to be the biggest hurdle for the ISAC.

Ryan Mathews
10 years ago

Improved communication, development of crisis protocols, etc. is generally always good (or at least as good as the quality of those communications and protocols).

On the other hand, some of the breaches in security come from the “allies” in this effort, i.e., the government and law enforcement. There is a point where national security and retail security are potentially in conflict after all.

Finally, ancient Chinese military leaders developed two strategies to deal with the constant invasion of the country’s northern barrier by forces they saw as barbarians. Translated, these strategies are: “Send a barbarian to check the barbarian”; and “Send a barbarian to kill the barbarian.” In other words, they recognized that as “civilized” warriors, they were out of position to effectively deal with “barbarian” hordes who didn’t play by their rules.

So … a modest suggestion for the NRF’s Sharing and Analysis Center might be to get ahead of potential problems by hiring an army of young, anarchistic hackers.

The right idea is to keep the horse from running out of the barn in the first place. Far superior to putting a GPS tracker on him so you can trace where he’s run to.

Anne Howe
10 years ago

NRF should indeed do this. I hope retailers sign on and candidly share information that protects the shopper. Having had two experiences with breach, I’ve eliminated (mostly) shopping at two retailers I like. I hope I don’t have to continue to think about a credit card breach every time I go shopping.

Zel Bianco
10 years ago

As I stated in my comment on March 6 when we discussed “Target CIO resigns, chain to look outside for IT leadership”:

“I believe what is needed is a national retail task force with some of the best and brightest minds in internet security to come together to implement strategies that make it much tougher for criminals to penetrate. Expecting that this will not happen again is wishful thinking and not very practical. Expecting one retailer to have the answer is also wishful thinking. We need the A-team on this one.” Glad they came to the same conclusion.

Expecting one retailer to solve this problem is unrealistic. Retailers have their day job and unfortunately, cyber security is not at the top of the list, even though it should be. Retailers need to realize that like it or not, they are in the technology business in order to survive and thrive in the 21st century. What is the biggest issue? Giving shoppers confidence that the retailers they do business with have their back when it comes to handing over their credit card. Let’s start there and the rest will start to fall into place.

Mohamed Amer
10 years ago

Information sharing is a great first step across the industry. Also need individually to:

  1. Continuously invest in technology to stay ahead of cyber attacks
  2. Regularly test, review and update processes that involve data handling (human or machine)
  3. Apply the intelligence communities’ notion of “compartmented information” so a single breach does not equate to full access to sensitive data

Gordon Arnold
10 years ago

Cyber data mining and system software attacks are far beyond hackers. This isn’t to say there isn’t a good number of independents and small autonomous groups out there that are having a go at it, because there is. These small groups are much more a nuisance than a high level threat. The real problem comes from a well funded collection of criminals that are willing to pay for the mined data and use the information or system interruptions for a profit. In order to deal with a highly organized, well equipped group one needs to close the windows of opportunity and/or shut down the money supply. Shutting down a worldwide supply of money is certainly a no win scenario, but adding to the costs is not.

Minimizing the opportunity for outside interruptions and locking down outside and internal theft potential is a goal with promise. This option should be a constant investment in improvements using the latest proven technologies and methodologies the market can cost effectively offer. Creating a central information and standards organization will invite the unwanted to see for themselves exactly where the walls and traps are. At the same time it will slow the opportunity for improvements by adding to the test and approval times for new product aimed at reducing new threats. In short you do not want someone telling everybody what you can and cannot do.

Kenneth Leung
10 years ago

It will help in any case with information sharing among retailers which sometimes can be hard given competitive situations. In terms of how it will help with technology implementation, that would depend on how retailers take themselves seriously on the subject.

Cathy Hotka
10 years ago

Just think of the heartache we might have avoided if this had been created 15 years ago, as some of us suggested…but this is a good move, and will do good things.

Vahe Katros
10 years ago

This is what trade associations should be doing – helping their members resolve a problem shared by all, that doesn’t diminish competitiveness. The NRF tries to represent all retailers, but there are other associations that claim their own pockets of retail (I am thinking food/non-food). It will be nice to see how this evolves and becomes inclusive.

Jason Goldberg
10 years ago

Information Sharing and Analysis Centers are a proven tool in the fight against cyber crime. Members of the ISAC can share threat intelligence about the tactics, techniques, and procedures that are discovered in near real-time.

Without an ISAC framework, it can be hard for security pros to share information for fear of disclosing tactics to other criminals. Most ISACs also have a provision for sharing info anonymously, so that members can share information without risk of it adversely affecting their business.

This type of information share is critical because so many cyber criminals use the same tools and tactics to assault multiple targets. Once an attack is recognized, if its fingerprint can be efficiently shared, it can be much easier to defend.

All the tools used in the Target breach were already in the wild well before they were used against Target. Had Target had access to a retail-specific ISAC, it may well have given them the info they needed to defend themselves proactively.

Ralph Jacobson
10 years ago

All I can say is that it is great that an industry trade organization is taking this on. The challenge is that NRF is 90+% U.S.-based and we need a global effort for this. Also, several other global entities need to participate, including financial institutions, and even governments, etc. Continued threats against hacks will drive the need for consistent evolution of security measures. Once standards finally get in place throughout the industry, all parties must ensure continued threat updates.

Lee Kent
10 years ago

I’m all for improved communications, etc., but will this ensure that retailers are compliant? This has been an ongoing – because it’s costly – issue.

What we don’t need is another layer of bureaucracy that retailers must contend with. I’m not assuming or supposing that this is what the ISAC will be, but I am throwing out the caution.

The one thing retail can use right now is a team of uninvested players who can stay abreast of cyber security, what the threats are, how to mitigate risks, objectively investigate parties looking to get into this space. All the usual things.

Retailers need a light in the dark with direction finders along the way, and that is my 2 cents!

Verlin Youd
10 years ago

First, cyber security has slowly grown to be one of the most important issues in business and government today. In fact, there are some that believe that cyberspace is the next theatre of exposure for national defense and overall security. For retail, this is absolutely the right thing to do and is required to provide the right forum for visibility and best practice sharing as well as the ability to combine efforts to influence other organizations at local, federal and global level.

As retailers drive greater personalized value and service, it will be critical that the information they gather and use for such personalization is protected at the same level as payments, cash, and other high risk physical assets. Customers will expect this level of protection and will start choosing to not do business with retailers who aren’t perceived as protecting this information.