Target Breach May Spark Action
Speaker at Conexxus technology event says crisis may open doors to discussion
TUCSON, Ariz. -- "Never let a good crisis go to waste," said Rick Dakin, referring to last winter's highly publicized breach of department-store giant Target.
Saying that high-profile incidents often get higher-level executives to listen to technology issues, the CEO of Coalfire Systems, a data security consultancy and auditing firm based in Louisville, Colo., suggested that the time to bring up the topic of data security is now.
"A lot of people say, 'My boss doesn't get it,'" Dakin said. "You can take advantage [now] of their active listening. This is the time not to overstate the matter, but to frankly discuss the risks."
Dakin spoke at the recent Conexxus (formerly the Petroleum Convenience Alliance for Technology Standards, or PCATS) conference in Tucson, Ariz., which attracted about 150 attendees to its standards-development and educational sessions.
Addressing data security specifically, Dakin said any number of issues beyond the Target breach should be on retailers' minds. One of those concerns is a new trend by hackers to steal people's social security numbers and file fraudulent tax returns, with victims facing two-to-three years of working with the Internal Revenue Service (IRS) to reclaim their money.
Many different technologies and the systems that tie them together represent a growing number of opportunities for hackers to steal personal information and initiate fraud, he said. "Telematics" or the ability to unlock and start cars with passwords or voice commands, satellite networks, mobile phones and data centers can all be fallible, as the sophistication of data thieves grows.
A common technique used to breach systems is thieves cleverly obtaining administrative access codes. Sometimes it's a simple matter of a hacker posing as an employee, waiting in a bathroom stall and then emerging when a receptionist is away from his or her desk.
Current marketing tools allow salespeople access to customers' home addresses and other personal information, in an attempt to better provide better service. But those programs allow access to people's data profiles, maybe not credit-card information but enough data for a thief to start a fraudulent action.
Third parties can pose a major threat to security, too. Many of those companies are less secure than the client firm, and yet are still often allowed into the client's systems to do their contracted jobs.
Unfortunately, as the industry has moved to compliance with major credit-card standards, also known as Payment Card Industry or PCI standards, many retailers have allowed their data security routines to lapse into quarterly or annual "checklists."
Dakin suggested that retailers have to assume a more proactive role and make data security an ongoing, daily part of their employee's routines.
One of the first questions he suggested retailers ask themselves is, "Do I already have a breach?"
Such an exercise pushes a retailer to investigate his or her systems, review store-level routines and scrutinize the activities of suppliers and employees who surround the business.
"Let's take a forensic look for malware and data breaches," he suggested. "You don't want to have a negligence claim brought against you and people asking, 'What were these guys doing?'"
For more articles on technology and data security, look to the May issue of CSP magazine.