How to Shoot Down Cybercrime Before It Strikes

Defending against these digital strikes means going beyond the occasional security-software update

By Jackson Lewis, Assistant Editor

WannaCry, Petya, Heartbleed: Keeping track of the growing list of global cyberattacks is like playing the video games “Space Invaders” or “Galaga,” in which you try to shoot down pixelated aliens before they crush you.

Cyberattacks, however, are a real threat, aimed at entire companies and governments. A recent report from the Ponemon Institute, an independent security research organization, says business victims of cybercrime in the United States paid more than those in any other country, an average of $17.36 million per organization.

In cyberwarfare, there are multiple fronts to defend. Ransomware encrypts troves of data and holds it hostage. Malware planted in point-of-sale (POS) systems siphons off customer credit-card data to sell on the black market. Defending against these digital strikes is no simple matter, and it means going beyond the occasional security-software update.

While security threats such as pump skimmers grab much of the industry’s attention, cybersecurity is growing more important as attacks become more frequent and sophisticated.

“It’s a danger … for the convenience-store industry simply because it’s a vulnerability for anyone with a point-of-purchase or credit-card transactions,” says John Browning, partner and shareholder with Passman & Jones, Dallas.

Browning has spent more than 20 years as a lawyer specializing in data privacy and network security. In his experience, employees are the biggest potential liability for cyberattacks.

“A lot of this, in terms of the underlying source,” he says, “is either employee negligence or employees clicking on an emailed link and giving various persons access.”

Phishing, in which attackers email links or attachments designed to steal credentials or install malware, is how Russia allegedly hacked into the Democratic National Committee servers; many businesses, ranging from Target to Google, also have been victims.

Businesses should also pay attention to the potentially infected personal computers and mobile devices employees bring to the office and connect to the store network. Browning advises companies to adopt personal-device policies for the workplace.

POS systems’ susceptibility to malware has caused headaches for companies from Chipotle to Home Depot. There were 1,093 recorded data breaches exposing more than 36 million customer records in 2016 alone, according to the Identity Theft Resource Center. Because many data breaches go unreported, the real number was likely far higher.

Ruston Miles, chief innovation officer and founder of Bluefin Payment Systems, Atlanta, describes malware as “evil software” placed in the POS. The software can run undetected, scrape card data out of the POS’s memory as each transaction passes through and send it back to the hacker. The hacker can then either sell the data or use the stolen card numbers to make fraudulent purchases.

“Malware is overwhelmingly the most attributable factor to these breaches,” says Miles. His answer is point-to-point encryption (P2PE): the card reader encrypts the card data the instant it is read, and nothing between the reader and the payment processor holds the key needed to decrypt it. Miles calls this “devaluation,” because it makes the data worthless to a thief. “That way, if the hackers put malware in and they get in there, all they’re going to get is useless data. They can’t go sell it. It’s encrypted data that they can’t get at.”

Point-to-point signifies that the data stays encrypted from the moment the card is swiped, dipped or tapped at the reader until it is decrypted inside the processor’s secure environment. The retailer’s POS terminals, store network and back-office servers handle only ciphertext, so malware living on any of them has nothing worth stealing.

While encryption is a proven method of defending consumer data in POS systems from malware, not every product sold as “encryption” delivers it. Retailers should check that their solution appears on the list of validated P2PE solutions maintained by the PCI Security Standards Council, the global forum that sets the standards for protecting account data. A listed solution has been assessed end to end, including the reader hardware and key management, and using one can also shrink the portion of the retailer’s environment that falls under PCI DSS. A product that decrypts card data on the merchant’s own systems does not offer the same protection.

One huge hurdle in building a solid cybersecurity plan is that cybercrime is an ever-evolving problem.

“You’re on the run constantly, and you’re also trying to anticipate the next threat,” says Browning.

One emerging cybersecurity threat comes from everyday devices that connect to the internet, collectively known as the internet of things (IoT).

IoT offers retailers a chance to transform the shopping experience, with everything from intelligent endcaps to in-store tracking and beacons, to self-checkout and mobile checkout integrated into the shopping experience. But devices harnessing the technology could become a crippling cybersecurity liability unless they are built with security in mind, says Miles of Bluefin.

The problem is that there is no standard or governing body dictating how these devices are built, he says, which could encourage IoT manufacturers to cut corners when it comes to security. “If they take their device and think of all of the different ways that they can get payments to go through it, that’s only going to make things worse, because now we’re going to have more devices with sensitive data to protect, and some of these devices may not have a full security system,” says Miles.

The damage that can be done through unsecured IoT devices was on display last October, when more than 100,000 internet-connected cameras, digital video recorders and similar devices infected by the Mirai malware were used in a distributed denial-of-service attack against DNS provider Dyn. Hundreds of highly trafficked sites, including Twitter, Reddit, Amazon and Spotify, were unreachable for hours because their domain names stopped resolving.

Miles thinks the smarter route would be to treat IoT devices as authentication points only: the phone or another secure payment device processes the card, while the IoT device simply confirms the purchase, so no financial data ever passes through it.

As more businesses become victims of malware-related data breaches and other cybercrimes, Miles predicts that eventually “someone will stand up, either the brands or the PCI Council, and say P2PE is no longer optional, it’s just a requirement.”

Until then, retailers must fend off each security threat as it comes. But just as in those alien video games, there’s a more powerful enemy waiting in the next level, almost guaranteed to be more difficult to fend off.


Cybercrime Response Team … Assemble!

While encryption and security software are critical defenses, retailers still need a plan in case they are the victim of a data breach or cyberattack.

“Imagine being the CEO who gets the call at 2 a.m., or the in-house counsel who’s then waking up outside counsel,” says Browning. “Believe me, I’ve gotten the panicky phone calls and it’s no fun.” The best way to avoid this nightmare scenario, he says, is to designate a cybercrime response team in advance and be ready with a crisis communication plan.

The tech doctors: IT employees diagnose and contain the infection, and preserve the logs and disk images investigators will need before any machine is wiped and rebuilt.

The investigators: Lawyers determine what information is at risk and know what federal and state law requires of a breached business.

The public face: Communications or public-relations staff manage the message going out to customers, the public and shareholders.

The message: Retailers should have a template notification letter ready, because state breach-notification laws vary widely on who must be notified of a data breach and how quickly the notice must go out.