This week the blog will be focusing on risk analysis and assessments.
Put simply, risk analysis is the identification of the levels of risk in an organization, and risk assessment is the process that assigns those risks scores or ratings so the organization can anticipate, mitigate, and control threats to it. Given the abundance of retail attacks in the last decade, it is safe to assume merchants worldwide would benefit from further risk management in their organizations.
Put simply, the retail sector would benefit tremendously from increasing its risk management. The first step would be to categorize assets, including hardware, software, and personnel. From there, you would give each asset a value - for example, the highest-value asset could be POS software. If a DDoS attack were to occur on this type of asset, it could result in a compromise of valuable customer information and a loss of money and business for the duration of the outage. You would then combine this information with any threat identification known to your particular business, goods, or even geographical location. It would also be beneficial to identify the likelihood that a threat could occur, and the frequency with which it happens.
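The steps above, carried through as an added example that is not part of the original post: a small qualitative risk register that categorizes assets, values each one, pairs it with a known threat, weighs likelihood and frequency, and ranks the result. The rating scales, the severity bands, and every asset, threat and rating are constructed assumptions, not figures from any real merchant.

```python
"""Added example (not the blog's own material): a small qualitative risk
register following the post's steps - categorize assets, value each one,
pair it with known threats, weigh likelihood and frequency, then rank.
All assets, threats and ratings are constructed sample data."""
from dataclasses import dataclass

# Ordinal scales; the numeric mappings and the severity bands are assumptions.
ASSET_VALUE = {"low": 1, "medium": 3, "high": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

@dataclass(frozen=True)
class RiskItem:
    asset: str
    category: str              # hardware, software or personnel
    value: str                 # key into ASSET_VALUE
    threat: str
    likelihood: str            # key into LIKELIHOOD
    frequency_per_year: float  # how often the threat is observed to occur

def risk_score(item: RiskItem) -> float:
    """value x likelihood x yearly frequency; an unrated field is an error,
    not a silent zero, so an incomplete register cannot hide a risk."""
    if item.value not in ASSET_VALUE or item.likelihood not in LIKELIHOOD:
        raise ValueError(f"unrated field on asset {item.asset!r}")
    if item.frequency_per_year < 0:
        raise ValueError("frequency cannot be negative")
    return ASSET_VALUE[item.value] * LIKELIHOOD[item.likelihood] * item.frequency_per_year

def severity(score: float) -> str:
    if score >= 40:
        return "critical"
    if score >= 15:
        return "high"
    return "medium" if score >= 5 else "low"

def rank_register(items):
    """Return (asset, threat, score, band) tuples, highest risk first."""
    rows = [(i.asset, i.threat, risk_score(i), severity(risk_score(i))) for i in items]
    return sorted(rows, key=lambda r: r[2], reverse=True)

SAMPLE_REGISTER = [  # constructed sample data
    RiskItem("POS software", "software", "high", "denial of service", "likely", 2.0),
    RiskItem("POS terminal", "hardware", "high", "skimmer attached", "possible", 1.0),
    RiskItem("cashier accounts", "personnel", "medium", "phishing", "almost certain", 12.0),
    RiskItem("back-office PC", "hardware", "low", "theft", "unlikely", 0.5),
]
```

Running `rank_register(SAMPLE_REGISTER)` puts the frequently seen phishing of cashier accounts ahead of the higher-valued POS software, which is the point of weighing frequency and not just asset value.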
There are obvious inherent risks and threats in any industry; however, the retail sector has been hit the hardest as of late. The tide might be turning toward other industries - those in which cyber criminals gain access to health information, or hack companies for 'fun' or political motivation (see Anthem or Sony, for example). But the threat facing the consumer world remains pervasive. Mitigating these threats through proper risk assessment, analysis, and management is crucial to maintaining this industry.
- Angie
Tuesday, April 28, 2015
Wednesday, April 22, 2015
Security Controls
Happy Wednesday, Blog Readers
Today the focus of the blog will be on security programs: what they are, and how they can help protect businesses and merchants from internal and external threats to the confidentiality, integrity, and availability of their sensitive and non-sensitive data.
We, as the consumers, should expect a level of data confidentiality when making purchases from, say, a pharmacy. Our medical information should not be shared with anyone without our consent - likewise, if making a purchase in a clothing or retail store, you would also expect the same level of privacy for important data like credit card information or, when applicable, social security information. What information can and should be shared with an organization's employees?
There are different levels of security for data, depending on how it is classified. In the current days of "big data", our shopping and consuming habits are being categorized, monitored, and analyzed by companies for various reasons. Ever notice the ads on certain websites are tailored just for you? Your browsing habits are being turned into data and statistics to increase the likelihood you will purchase a product or revisit a site. This type of data is not currently categorized as highly sensitive (although it is a bit off-putting, no?), so the data I'm referring to would be highly sensitive: credit card information, social security numbers, and the like. There are certain security controls an organization can implement to ensure this data is not easily viewed by someone without authorization and access.
For example, an organization can and should secure highly sensitive data from those without authorization, be it physical or logical. Access control refers to the identification of the person, authentication, authorization, and accountability. There should be schemes in each business to determine who can and cannot access highly sensitive data - some might find that certain employees will have "read-only" privileges so they cannot alter or delete data, while other more sensitive information can only be viewed by a high-ranking member, like a manager.
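The four parts of access control named above, as an added example that is not part of the original post: a minimal check that identifies the requester, authenticates them, authorizes the action against a per-role, per-classification policy (read-only for staff on sensitive data, view-only for managers on card and social security data), and logs every decision for accountability. The roles, classification levels, policy table and users are constructed assumptions.

```python
"""Added example (not the blog's own material): a minimal access-control
check covering the four parts named in the post - identification (who is
asking), authentication (proving it), authorization (may this role do this
to data of this classification) and accountability (every decision logged).
The roles, classification levels, policy table and users are constructed."""
import hashlib
import hmac
import os

# Which actions each role may take on each data classification.
# Absence from the table means deny; "read" alone is a read-only privilege.
POLICY = {
    ("cashier", "public"): {"read", "write"},
    ("cashier", "sensitive"): {"read"},               # cannot alter or delete
    ("manager", "public"): {"read", "write", "delete"},
    ("manager", "sensitive"): {"read", "write", "delete"},
    ("manager", "highly_sensitive"): {"read"},        # card/SSN data: view only
}

AUDIT_LOG = []  # accountability: (who, what, outcome) for every decision

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(username: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "role": role, "salt": salt, "hash": _hash(password, salt)}

def authenticate(users: dict, username: str, password: str):
    """Return the user record on a correct password, else None; logs either way."""
    user = users.get(username)
    ok = user is not None and hmac.compare_digest(user["hash"], _hash(password, user["salt"]))
    AUDIT_LOG.append((username, "login", "ok" if ok else "fail"))
    return user if ok else None

def authorize(user: dict, action: str, classification: str) -> bool:
    allowed = action in POLICY.get((user["role"], classification), set())
    AUDIT_LOG.append((user["username"], f"{action}:{classification}", "allow" if allowed else "deny"))
    return allowed

def request(users: dict, username: str, password: str, action: str, classification: str) -> bool:
    """Full path: identify, authenticate, then authorize; any failure denies."""
    user = authenticate(users, username, password)
    return user is not None and authorize(user, action, classification)

USERS = {u["username"]: u for u in (make_user("amy", "cashier-pw", "cashier"),
                                    make_user("mia", "manager-pw", "manager"))}
```

Because the policy table is deny-by-default, a cashier asking to read highly sensitive data is refused even though no rule mentions that pair, and the refusal is still written to the audit log.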
Implementing the proper security controls further ensures our data remains safe and secure.
- Angie
Tuesday, April 14, 2015
Cyber Security Education and Training
This week's blog post will focus on cyber security, and information security training and education.
Given the abundance of cyber criminal activity, the retail sector has been at a particular disadvantage as of late. While most organizations have security training in place for employees, retail corporations' reluctance to implement security controls to mitigate and prevent attacks has been well documented. This lack of "action" is usually blamed on a lack of funds, or an inability to budget wisely for InfoSec measures. Perhaps these companies need to take a closer look at the budget, and at the information they are disseminating to employees and shoppers, or the lack thereof.
InfoSec training is crucial to the overall security health of an organization. Teaching employees about proper safeguards can combat inappropriate or risky behavior that can leave an organization exposed. There are a few ways companies can engage their employees in InfoSec training: videos, posters, banners, and quarterly newsletters. It is important for each member of the organization to know they are responsible for IT security, and that they will be held accountable for their actions.
Last year, Target Corp. announced they would be spending an additional $5 million on a cyber security coalition to educate their employees and the public on the dangers of phishing, cyber crime, and consumer scams. Although this measure was touted as a PR move to "save face" with customers (given the 100 million data breach), the steps necessary to prevent a future cyber attack include proper training and education. Making the commitment to spend the additional funds in this manner shows Target takes cyber education and the prevention of attacks very seriously.
Hopefully other retailers take note, and invest wisely.
- Angie
Friday, April 10, 2015
RILA CyberSecurity and Data Privacy Initiative
This week's blog post is similar to last week's, with a focus on cyber security policies and procedures. The Retail Industry Leaders Association (RILA) has its own cyber security and data privacy initiative, which seeks to educate and advise retailers in preventing attacks, enhance existing privacy and cyber security efforts, inform the public dialogue, and build and maintain consumer trust.
Some of the highlights of the initiative include extending the dialogue to the systems 'outside' retail control, such as banks and card issuers, to improve payment security. In particular, RILA would like the industry to move towards universal PIN security, chip-based smart cards (i.e. EMV chip cards), and elimination of the magnetic stripe. Updating these systems would make transactions at retail locations more secure. I also believe this conversation needs to extend to the companies providing POS software and hardware to retailers. Every angle has to be accounted for if you are actively preventing cyber attacks.
As RILA points out:
"Unlike attacks on non-consumer facing industries that seek proprietary corporate information, cyber attacks on retailers are aimed at sensitive consumer financial data that can be used for financial gain. The number of those potentially affected in a successful attack is staggeringly high. Such a breach can affect consumers’ faith in the system and can damage the relationship that all retailers seek to build with their customers."
- Angie