Any business selling products and services has had a harsh year in regard to cybersecurity. The abundance of threats combined with the ubiquity and scale of data breaches is enough to cause every organization’s chief security officer to worry. After all, no company wants to be the latest headline, as cyberattacks are often costly affairs. While taking preventative measures seems like the best route, it is also important for businesses to learn about the cyber threat landscape as well as educate their employees on the dangers in an industry that cybercriminals like to target.
In fact, the cybersecurity environment is one that is constantly evolving, making it even more critical to stay up to date on the latest news and threats. For example, IBM Managed Security Services recently conducted a study that determined retail breaches are actually down 50 percent when compared to incidents that occurred two years ago. While that might sound reassuring, that is hard to hear for many with less than stellar security measures.
According to IBM, cybercriminals are just getting better at what they do, as evidenced by the sophistication demonstrated in attacks as recent as the Chick-fil-A debacle. Attempts to steal critical corporate data and consumer information are more efficient than ever, which does not bode well for many retailers after this holiday season. Because of the increased sophistication in attacks, organizations could have no idea that data is currently being stolen and moved to databases overseas. While the number of incidents dropped by half since early 2013, the number of records compromised in the past year rose by 43 percent over the same time frame, the source calculated.
What is to blame?
Best practices in cybersecurity involve education on the forms that current threats are taking. Unfortunately for retailers, the main method of cyberattack in the U.S. since 2005 has been hacking or malware, according to the IBM report. After that, portable device loss or theft tops the list, followed by local intrusion on stationary systems. This is bad news because, technically speaking, all three of those methods are preventable.
While many might point the finger at newsworthy threats such as Shellshock and POODLE, IBM’s findings stated that command or SQL injection was the primary technique for stealing data from retailers in the past year. In that case, the blame falls on complex SQL deployments and a lack of data validation on the victims’ side. Some security administrators are just not paying enough attention to their systems.
Shellshock is still to blame for a handful of attacks throughout 2014, most likely due to patches coming too late, but some threats are not as well-known. In fact, the ubiquity of point-of-sale malware causes many systems to become infected, sending data right into the hands of cybercriminals. IBM listed the most popular forms that POS malware can take:
- BlackPOS: This malware was responsible for the breach at The Home Depot, according to the source. BlackPOS scans systems looking for credit card data and adds what is found to a file, which is then uploaded to a cybercriminal’s database server.
- Dexter: Discovered in 2012, this Trojan leverages HTTP communications to send stolen card data.
- Vskimmer: Similar to other POS malware, this only looks for track 2 formatted data. However, Vskimmer is unique in its ability to send information to a USB device if there is no Internet connection.
- Alina: This form of malware can steal and upload data, but it also can download and update itself, making it a formidable foe even if systems are frequently patched and not wiped clean.
- Citadel: Instead of seeking out credit card information, this crimeware kit tracks users’ Web activity, keystrokes and details on installed software. Then, botnet operators can steal that data or take screenshots.
Of course, many of those threats sound very dangerous if they end up on an organization’s servers or POS terminals, but there are steps to take that can mitigate the chance of becoming a victim. The Federal Communications Commission recommended some tips, including helpful hints such as using validated tools and software to isolate payment processing systems from other programs and computers and limiting employee access to that set of data. Additionally, organizations should set up firewalls and educate staff members on the importance of changing passwords and logging off machines when they aren’t around.
Along with the do’s, there are also a lot of actions that businesses need to avoid, such as storing any irrelevant customer information. Also, no payment card data should exist on any unprotected machines, and no login information should be written down anywhere or stored in insecure folders. It is equally important to ensure that data centers and servers are not open to all employees. Essentially, all critical data should be under lock and key.
No organization wants to be a headline, but with some education and security tools, consumer information can stay safe.
Can you afford to NOT enhance cyber security?