Thales Blog

Can Retail Learn Lessons In Cybersecurity By Looking To Logistics?

September 9, 2014

Tina Stewart | VP, Global Market Strategy

Target, eBay, Michaels, Neiman Marcus, P.F. Chang’s, Home Depot and SuperValu.

According to the Identity Theft Resource Center Breach Report, which presents individual information about data exposure events and running totals for the year, 2014 has seen 521 breaches in total, with more than 17 million (17,829,689) records exposed. This represents more than a 30 percent increase over the same period last year (400 breaches). Frankly, it’s fair to say that the question is now when and how your company will be breached, not if.

With such a large impact on customer confidence, recent credit card breaches have prompted retailers everywhere to accelerate efforts around securing electronic payments and protecting sensitive customer data. In fact, according to The Washington Post, as of February Target had spent $61 million on legal fees, software updates, customer reimbursement and credit monitoring, and other costs resulting from its cybersecurity failure. The company was also hit with more than 140 lawsuits, its CEO resigned, and its profit dropped almost 50 percent in last year’s fourth fiscal quarter and fell by more than a third for all of 2013.


Finding a solution

To address the security vulnerabilities exposed by recent data breaches of major U.S. retailers, which left tens of millions of Americans vulnerable to identity theft and credit card fraud, senators introduced the Data Security and Breach Notification Act for the first time. Creating a federal standard for companies to safeguard personal information and notify consumers if their systems are breached, the Data Security and Breach Notification Act set out the following mandates:

  1. Provide security standards for databases. The FTC would be required to develop robust but flexible rules that require businesses that possess consumers’ personal information to adopt reasonable security protocols to protect information from unauthorized access.
  2. Establish strong breach notification requirements. These requirements would allow all potentially affected customers to take steps to protect themselves from identity theft and other crimes.
  3. Increase the use of technology to combat hackers. Businesses would have incentives to adopt state-of-the-art technologies that render consumer electronic data unreadable or unusable in the case of a breach.
  4. Strengthen law enforcement. Breached companies would be required to notify a central, designated federal entity (established by the Department of Homeland Security), which would in turn notify other relevant law enforcement and government agencies of the breach. The bill would impose civil penalties for violations of the law as well as criminal penalties on corporate personnel who deliberately conceal a data breach.

Looking to forward thinking transportation leaders

Con-way, Inc., a leader in the transportation and logistics industry, has over 28,500 employees and generated $5.6 billion in freight and logistics service revenues in 2012. With over 500 operating locations spread across North America and another 20 countries spanning five continents, the company handles a large volume of personally identifiable information (PII) for customers around the world. Its role as a provider of transportation services also gives the company some unique and valuable perspectives.

Con-way deals not just with large volumes of data but with an environment made significantly more complicated by the use of multiple partners, managed services, cloud services and so on. It therefore focused on identifying a consistent way to manage keys and on establishing a standard workflow to securely deposit and retrieve those keys as needed.

Con-way’s Senior Director of IT Infrastructure Praveen Sharabu understood the magnitude of the situation, noting that “it’s imperative for us to be able to secure all the information with which we’ve been entrusted: Without this trust, we don’t have a business.”

Ultimately Con-way transitioned to a single integrated solution for data encryption and key management to secure its diverse set of structured and unstructured data across the environment. The encryption appliances imposed no noticeable latency on application performance and gave the transportation company assurance that the data it collects would remain secure.

Protecting Data-at-Rest from Data Breach Notification Requirements

Data breach notification requirements on loss of personal information have increasingly been enacted by nations around the globe as well as by US State governments (all but New Mexico, Alabama and South Dakota). These requirements vary by jurisdiction, but almost universally include a “safe harbor” clause if the data lost was in encrypted form. National laws include the UK Data Protection Act, EU Data Protection Directive 1995, EU ePrivacy Directive, South Korea’s Personal Information Protection Act, Australian Privacy Act and others.

A data-centric focus on preventing the loss of personal information requires:

  • Encryption of personal data wherever it resides: file systems, databases, Web repositories, cloud environments, big data environments and virtualization implementations
  • Policy-based access controls to assure that only authorized accounts and processes can see the data
  • Monitoring of authorized accounts accessing data, to ensure that these accounts have not been compromised
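The key deposit-and-retrieve workflow Con-way standardized on and the three data-centric controls listed above (encryption of data at rest, policy-based release of keys, and a record of every account that touches them) fit together as shown in this added Go example. It is illustrative code written for this post, not Vormetric's or Con-way's implementation; the Vault type, the account names and the key IDs are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Vault struct {
	keys   map[string][]byte // keyID -> 256-bit AES key, deposited once
	policy map[string]string // account -> the keyID it may use
	Audit  []string          // one entry per retrieval attempt, allowed or denied
}
func NewVault() *Vault { return &Vault{keys: map[string][]byte{}, policy: map[string]string{}} }

// Deposit generates a fresh data key under keyID and grants it to account.
func (v *Vault) Deposit(keyID, account string) {
	v.keys[keyID] = make([]byte, 32)
	rand.Read(v.keys[keyID]) // crypto/rand does not fail on supported platforms
	v.policy[account] = keyID
}

// retrieve enforces the policy and records the outcome before any key is used.
func (v *Vault) retrieve(account, keyID string) (cipher.AEAD, error) {
	if v.policy[account] != keyID {
		v.Audit = append(v.Audit, account+" "+keyID+" denied")
		return nil, errors.New("policy denies " + account + " access to " + keyID)
	}
	v.Audit = append(v.Audit, account+" "+keyID+" allowed")
	block, _ := aes.NewCipher(v.keys[keyID]) // keys are always 32 bytes, so no error
	return cipher.NewGCM(block)
}

// Seal encrypts a record at rest, prepending the random nonce to the ciphertext.
func (v *Vault) Seal(account, keyID string, record []byte) ([]byte, error) {
	aead, err := v.retrieve(account, keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, record, []byte(keyID)), nil
}

// Open decrypts a record; GCM's tag check rejects any tampering with the stored bytes.
func (v *Vault) Open(account, keyID string, blob []byte) ([]byte, error) {
	aead, err := v.retrieve(account, keyID)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("access denied or malformed blob")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(keyID))
}
```

The Audit slice is what a monitoring layer would consume: a denied entry for an account that normally never asks for a given key, or a burst of allowed retrievals from one account, is the signal that the account itself may have been compromised.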

Facing the reality

The reality is that the threat landscape is constantly changing, and as a result keeping corporate systems and the data they hold safe for the people who most urgently need access has never been such a significant challenge. Highly publicized data thefts forcefully confirm the need for better and more inclusive security solutions. Regulatory and compliance issues, alongside the need for companies to protect themselves from brand damage and revenue losses, drive the requirement to provide better protection. All in all, organizations remain vulnerable and need to do more to deal with the wide range of threats. Providing encryption and integrated key management for sensitive data assets ensures that only authorized users can get in. Coupled with a security intelligence layer that identifies new threats, highlights security deficiencies and monitors user interactions, organizations’ security practices can ultimately be helped instead of hindered.