BreachExchange mailing list archives

Seven things retail can teach us all about data security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Nov 2015 17:23:27 -0700

http://www.itproportal.com/2015/11/14/seven-things-retail-can-teach-us-all-about-data-security/

TalkTalk’s Dido Harding isn’t the first CEO to receive advice from cyber
experts safely installed on the This Morning sofa and she won’t be the
last. The boardrooms of British Gas, Vodafone and Morrisons have all
recently played data-breach bingo and we all now accept it’s ‘when’ not
‘if’.

But retailers have been dealing with theft for a very long time. They call
it ‘shrinkage’ – when stock leaves a store by any non-legitimate route – and,
surprisingly, shoplifting comes a distant second to theft by staff. Since
retailers need staff, they’ve had to concentrate on mitigation rather than
eradication.

The information security community would do well to take heed here. The
biggest tool most companies have against the insider threat – data theft by
staff – is a strongly worded statement. Even then, access to information is
so poor that management can’t deliver on any threats. Too much attention
still goes on preventing the external attack – the shoplifter.

So here are some lessons Data Security can learn from our retail cousins.

1. It’s opportunity not character
90 per cent of us would steal if we could get away with it; theft is about
opportunity not character and retailers understand this. In a recent
Loudhouse survey for Clearswift, 35 per cent of staff said they would sell
company data, some for as little as £100. So, remove temptation by applying
least privilege rigorously.

2. The biggest threat is internal
Retailers start with goods receiving because that’s usually the biggest
crime scene. Shoplifting comes a distant second. It’s the same with
technology: according to Forrester, 36 per cent of all data breaches involve
employees directly, and the majority indirectly. A better firewall won’t
stop the growing insider threat. Strong controls over who has access to
what will.

3. People steal in the absence of a capable guardian rather than for economic gain.
40 per cent of retail theft in the UK was carried out by unsupervised staff
such as management and security guards. In this context, a “capable
guardian” means systems with the ability to understand what someone has
access to and whether they should have access to it, and the ability to
bring that to the attention of managers.

4. Keep a tidy shop.
If a shop window remains broken, people think that no-one cares. If you
don’t look like you care about who has access to your data, why should
anyone else care? But if you combine a strong culture with technology that
gives managers the information they need to manage the environment, you
send the strongest possible message.

5. Monitoring should be constant and part of a workflow
Relying on quarterly reviews to clean up access rights because you don’t
have the capability to manage risk during the mover and request processes
is like only switching on the CCTV on bank holidays, rather than every time
you leave the store.

6. Communication is key
An element of all shrinkage prevention is communication. It makes the
programme visible and sets expectations. The presence of a CCTV camera in a
shop tells staff (and others) that someone is watching. An equivalent is
needed when guarding data.

7. Be proactive and start with the end in mind.
Retailers can’t afford to wait for shrinkage to become a problem. Loss
control requires serious, regular attention in both the physical and
electronic realm.

So concentrate on the internal threat, have a strong culture that values
data security, and make sure the systems that provision and review access
support that culture.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
