Retail data breaches: How shopowners can learn from others’ mistakes
Last year there were 3,950 confirmed data breaches exposing 4.1 billion records, according to Varonis, a data security vendor. In the first quarter of this year about 51 million people were affected by data breaches, a 564 percent increase for the quarter, according to Gearbrain.com. The biggest breaches so far in 2021 have hit Facebook, T-Mobile and Malaysia Airlines.
In the case of a retail hack, says a Business Insider article, 33 percent of consumers would stop shopping for an extended period at a retailer after a breach, and 19 percent would never return to that retailer.
What are the takeaways that you can share with your retailers to help them secure their online data to prevent retail data breaches?
Steps to protect retailers from data breaches
1. Don’t assume they can fly under the radar.
Remind clients not to assume that, because they aren't a major retailer or commercial entity, they can stay below a hacker's radar. Breaches are not limited to retailers with major e-commerce sites: cyber criminals know that smaller retailers often lack the resources to thwart an attack, and they target them for exactly that reason.
2. Keep business and personal accounts separate.
Encourage your retailers to use separate accounts, with separate passwords, for business banking and personal banking, and never to reuse a password across sites. Passwords leaked from a breached personal site are routinely replayed against other logins (credential stuffing), so a stolen personal password should never be able to unlock your client's business or banking accounts. Remind them to be careful about what they download or attach on their computers, and to encrypt sensitive data both in storage and in transit.
3. Educate them on retail data breaches and cyber theft.
A recurring theme in cyber protection and prevention is that data security is a task best left to the experts; after all, you don't know what you don't know. That is why many smaller retailers have chosen to migrate their data to the cloud. “A reputable cloud host is well aware that the security of its servers and its ability to protect the data entrusted to it is indispensable if it is to compete and survive. As a consequence, cloud servers will likely be some of the most secure places to store data into the future,” said an older Property Casualty 360 article on breaches. One caveat: the cloud host secures its infrastructure, but the retailer remains responsible for its own accounts, access permissions, backups and settings, and a misconfigured cloud storage bucket is just as exposed as a misconfigured server in the back office.
“Cybercriminals use all types of malware, including Trojans, Man-in-the-Middle, Man-in-the-Browser, and keyloggers, to get what they want, including personal data and payment details,” says Due co-founder Chalmers Brown, as quoted in Upwork. “Continue updating your tools to detect malware that may be present. You may also need to invest your time in understanding how malware is used in terms of patterns used by cyber criminals. Focus on using malware detection solutions that can work in the background rather than relying on those options that involve user downloads or registrations.”
4. Involve your employees in preventing retail data breaches
Many data breaches happen by accident: An employee unwittingly opens the door. Retailers need to train employees regularly on how to encrypt data, generate strong passwords, properly file and store data and avoid malware. Limiting employee access to websites outside the scope of their daily duties will help minimize the possibility of allowing access to a hacker. An educated staff is another important line of defense.
Establish a written policy about privacy and data security and communicate it to all employees. Educate employees about which types of information are sensitive or confidential and what their responsibilities are for protecting that data. Train employees never to leave laptops or tablets unattended. Implement password protection and ‘time-out’ functions (which require re-login after a period of inactivity) on all computers. Require employees to log off their computers at the end of the day.
Hackers have become particularly adept at phishing to gain access to otherwise secure networks. With a little research on social media and a few emails, they can obtain much of the information they need to capture login credentials that grant broad access to business networks. Train employees on the methods cybercriminals use to find this information.
- Train them on basic preventative measures — how to recognize a phishing attempt or how to create and maintain a secure password.
- Enforce a password security protocol. Employees should change a password immediately whenever there is any sign it has been exposed (forced periodic rotation, by contrast, tends to produce weaker, predictable passwords and is no longer recommended by NIST's SP 800-63B guidance) and be well-educated on the importance of password security. They should also be aware of the methods criminals use to acquire login and password information. Finally, train them to create a secure password that is at least 12 characters long, nonsensical (i.e., a combination of letters, numbers and symbols that doesn't spell out words) and totally unrelated to anything about that employee (i.e., not a dog's or child's name). Turn on two-factor authentication wherever it is offered; it stops an attacker who has obtained only the password.
- Establish procedures for granting and removing access to employees that guard against unauthorized access to the company network.
- Policies regarding use of employees’ own devices should be clear, comprehensive and carefully enforced.
- Portable media such as USB flash drives and portable devices such as tablets or smartphones are especially susceptible to loss or theft, and a lost device that holds saved credentials or a VPN profile can be used to reach your client's network. Devices that sync with a company computer can also carry malware onto it. Only encrypted data should be copied to portable storage, and lost devices should be reported promptly so they can be locked or wiped.
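The password rules in the list above can be turned into a check that runs before a new password is accepted. The following is an added example, not code from the original article: it rejects short passwords, dictionary fragments and anything containing facts an attacker could scrape from social media, and it demonstrates the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords range API, where only the first five characters of the password's SHA-1 hash leave the client. The word list, the personal-term list and the API response are constructed stand-ins; a real deployment would fetch the range from https://api.pwnedpasswords.com/range/<prefix> and use a full breached-password list.

```python
"""Password-policy check plus an offline k-anonymity breach lookup.

Added example with constructed sample data; not code from the original article.
"""
import hashlib
import re

MIN_LENGTH = 12

# Constructed list of fragments that "spell out words" attackers try first.
# A real deployment would use a full breached-password or dictionary list.
COMMON_WORDS = ("password", "welcome", "summer", "retail", "qwerty", "letmein", "admin")


def check_policy(password, personal_terms=(), min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password passes.

    personal_terms: facts an attacker could scrape from social media (the employee's
    name, pet, children); any password containing one of them is rejected.
    """
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("uses fewer than three of: lower case, upper case, digits, symbols")
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word {word!r}")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    if re.search(r"(.)\1\1", password):
        problems.append("contains three identical characters in a row")
    return problems


def hibp_range_query(password):
    """Split SHA-1(password) the way the Pwned Passwords range API expects.

    Only the 5-character prefix is sent to the server; the server answers with every
    suffix sharing that prefix and the comparison is done locally, so the full hash
    (and the password) never leaves the client.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_pwned(password, fetch_range):
    """Return the breach count for password, or 0 if it is not in the fetched range.

    fetch_range(prefix) returns the API response text, one 'SUFFIX:COUNT' per line.
    """
    prefix, suffix = hibp_range_query(password)
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the API's reply to GET /range/5BAA6. The second suffix is
# the real SHA-1 of "password" (5BAA61E4...); the counts are made up.
FAKE_API = {
    "5BAA6": "1D0C9D4E5AC0D6E16E6A3AD2E0D55FF4A02:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "21A0F6D2A7E3E86E0A7D2BD94F9B5EBC5E1:1\n",
}


def fake_fetch_range(prefix):
    """Stand-in for an HTTPS GET of the range endpoint; returns '' for unknown prefixes."""
    return FAKE_API.get(prefix, "")


if __name__ == "__main__":
    profile = ("Dana", "Rex")  # constructed: employee's first name and dog's name
    for pw in ("Password123", "RexTheDog2024!!", "Tr0ub4dor&3-walksAtNoon!", "password"):
        print(pw, check_policy(pw, personal_terms=profile) or "policy OK",
              "| breach count:", is_pwned(pw, fake_fetch_range))
```

The policy check returns every violation rather than stopping at the first, which is what a help-desk or self-service reset page wants to show the user. The breach lookup deliberately takes the fetch function as a parameter so the same code runs against the live API or against a cached copy of the ranges.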
5. Protect employees
Don’t use Social Security numbers as employee IDs or client account numbers. If this is your client's current practice, encourage them to develop another ID system immediately. We also strongly suggest that they not collect or keep information that isn't absolutely needed, and that they minimize the number of places personal data is stored. Your retailer should know what they keep and where they keep it.
6. Outsource payment processing
According to one expert, the weakest link in the credit card payment system is the fact that merchants still handle actual card data in their systems. Quoted in Upwork, Dave Oder, CEO of Shift4 Corporation, a credit card processing payment gateway, says “Merchants need to properly combine point-to-point encryption and tokenization technologies whenever a card is swiped. This means that the business never handles actual card data, as the transaction is processed through the merchant environment. With only a secure token returned to the merchant along with the authorization, there is no more risk of storing vulnerable cardholder information because the onsite database only holds tokens that are meaningless and valueless to thieves.”
If this isn’t possible in the short term, then “avoid handling credit card data on your own and rely on reputable vendors – regardless if it’s for point-of-sale or web payments. These companies have a security team that can protect sensitive data far better than you can.”
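To make the tokenization model in the quote above concrete, and to give a retailer a way to verify that no raw card numbers have crept into its own systems, the following is an added example that is not code from the article, from Shift4 or from any payment vendor. The `PaymentProvider` class is a constructed stand-in for a processor's token vault: the capture step models the PIN pad encrypting the card number at the swipe, the merchant only ever forwards an opaque handle and stores the random token plus the last four digits. The `find_pans` scanner, run over the merchant's own order store and over a constructed log line, shows the check a practitioner would add: a Luhn-validated search for 13 to 19 digit numbers.

```python
"""Tokenization model plus a raw-PAN scan for the merchant's own data.

Added example with constructed data; PaymentProvider is a stand-in for a real
processor's token vault, not any vendor's API.
"""
import base64
import json
import re
import secrets


def luhn_ok(digits):
    """Luhn check-digit validation; separates card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class PaymentProvider:
    """Stand-in for the processor. In a real P2PE setup the PIN pad encrypts the PAN
    and only the processor can decrypt it; here the capture step simply keeps the PAN
    inside this object behind an opaque handle, so merchant code never receives it."""

    def __init__(self):
        self._captured = {}   # opaque handle -> PAN (models the P2PE ciphertext)
        self._vault = {}      # token -> PAN

    def terminal_capture(self, pan):
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        handle = "enc_" + secrets.token_hex(8)
        self._captured[handle] = pan
        return handle

    def authorize(self, handle, amount_cents):
        pan = self._captured.pop(handle)
        # The token is random, not derived from the PAN, so it cannot be reversed.
        # base32 (A-Z, 2-7) keeps it free of long digit runs a PAN scanner would flag.
        token = "tok_" + base64.b32encode(secrets.token_bytes(15)).decode()
        self._vault[token] = pan
        return {"approved": True, "token": token, "last4": pan[-4:],
                "amount_cents": amount_cents}

    def charge_token(self, token, amount_cents):
        """Later charge (refund, recurring billing) by token; the PAN lookup stays here."""
        pan = self._vault[token]
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


class Merchant:
    """Merchant system: stores only the token and the last four digits."""

    def __init__(self, provider):
        self.provider = provider
        self.orders = []

    def checkout(self, capture_handle, amount_cents):
        result = self.provider.authorize(capture_handle, amount_cents)
        order = {"token": result["token"], "last4": result["last4"],
                 "amount_cents": amount_cents}
        self.orders.append(order)
        return order

    def serialize(self):
        """What a backup or database dump of the order table would contain."""
        return json.dumps(self.orders)


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text):
    """Return the Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    provider = PaymentProvider()
    shop = Merchant(provider)
    # 4111111111111111 is the well-known Visa test number; the log line is constructed.
    order = shop.checkout(provider.terminal_capture("4111111111111111"), 1999)
    print("merchant stores:", order)
    print("PANs in merchant store:", find_pans(shop.serialize()))
    bad_log = "2021-04-02 INFO card=4111 1111 1111 1111 amount=19.99"
    print("PANs in a careless log line:", find_pans(bad_log))
```

Running the scanner over logs, database exports and file shares is how a merchant proves the claim in the quote (that its environment holds only tokens) rather than assuming it; the careless log line shows the typical way raw card data reappears even after tokenization is in place.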
7. Vet third-party vendors to reduce the risk of a data breach
A few years back, both Target and Home Depot suffered breaches in which malware was planted on point-of-sale registers after attackers got into the retailers' networks using the credentials of a third-party vendor that had no idea it had been compromised. Cyber experts note that this is an increasingly common route in, because smaller vendors may not stay on top of data security.
Lesson learned: Vendors, like employees, should only be able to access what's necessary for them to perform their work. Access controls should compartmentalize data so that no user, authorized or not, has free rein across the network; a vendor that services the air conditioning has no business reaching the payment systems. Never give temporary workers or vendors access to personal information on employees or customers. If sensitive data is being passed back and forth, encourage your client to make sure they and their vendor can properly encrypt it.
8. Stay up-to-date with software
- Adequate firewalls, anti-virus and anti-spam software should be in place and kept up to date.
- Secure all physical terminals. Even the best data protection is useless if someone can access your client’s system onsite or nab hardware that wasn’t properly decommissioned.
- Ensure that frequent patches from software vendors are applied as soon as they are made available.
- Periodically test security controls to confirm they are functioning as expected, monitor for data leakage, and fix any gap found immediately.
9. Be personally diligent
- We all know not to use Password123 or the same password on multiple sites. Now turn that knowledge into habit.
- Use a dedicated password manager.
- Don't let the internet browser remember passwords. Anything the browser saves can be read by malware running under the same user account, which is exactly what an infostealer does.
- Review credit card statements monthly without fail.
- Download and scrutinize free credit reports from the credit bureaus on a regular basis.
- Shred any unwanted credit card or loan offers.
- Hover over any link in an email before you click it to see if the linking URL looks appropriate.
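Hovering over a link shows the real URL, but knowing what to look for in it is the harder part. The following is an added example, not code from the original article, that applies the checks a practitioner makes on a link: the text before an `@` is not the host, a familiar brand name in the host means nothing unless it is the registrable domain, punycode labels can hide look-alike characters, and the displayed URL should match the one the link actually opens. `TRUSTED_BRANDS` and every URL are constructed; the registrable-domain helper is a deliberate simplification that should use the Public Suffix List in production.

```python
"""Link inspection for the 'hover before you click' advice.

Added example with constructed URLs and a constructed brand list; not the
original article's code.
"""
import re
from urllib.parse import urlsplit

# Constructed: brands the retailer actually does business with.
TRUSTED_BRANDS = {"paypal.com", "mybank.example"}


def registrable_domain(host):
    """Naive 'last two labels' approximation. Production code should use the Public
    Suffix List so that names under e.g. co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url, display_text=None):
    """Return a list of reasons not to click; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        findings.append("not HTTPS")
    # https://paypal.com@evil.example/ : everything before '@' is userinfo, not the host
    if parts.username is not None:
        findings.append(f"userinfo trick: {parts.username!r} before '@' is not the host, "
                        f"{host!r} is")
    # IDNA-encoded labels can render as look-alikes of a familiar name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host label (possible homograph of a familiar name)")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a host name")
    actual = registrable_domain(host)
    # paypal.com.login-verify.example belongs to login-verify.example, not PayPal
    for brand in sorted(TRUSTED_BRANDS):
        if brand in host and actual != brand:
            findings.append(f"host mentions {brand} but really belongs to {actual}")
    # If the link text itself looks like a URL or host name, it must agree with the href
    if display_text and re.fullmatch(r"\S+\.\S+", display_text):
        shown = urlsplit(display_text if "://" in display_text else "https://" + display_text)
        shown_domain = registrable_domain(shown.hostname or "")
        if shown.hostname and shown_domain != actual:
            findings.append(f"display text shows {shown_domain} but link goes to {actual}")
    return findings


if __name__ == "__main__":
    samples = [  # all constructed
        ("https://www.paypal.com/signin", None),
        ("https://paypal.com@evil.example/login", None),
        ("https://paypal.com.login-verify.example/update", None),
        ("https://xn--pypal-4ve.com/", None),
        ("http://203.0.113.9/login", None),
        ("https://mybank-example.com/secure", "https://www.mybank.example/secure"),
    ]
    for href, text in samples:
        print(href, "->", inspect_link(href, text) or "looks fine")
```

The same checks belong in an email gateway or a browser extension, but they are worth teaching to staff as well: the `@` and the extra labels in front of a real domain are the two tricks that survive a casual hover.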
Shop owners are the first line of defense, so encourage them to remain diligent to ensure nothing suspicious escapes notice.
10. Create a breach response plan
Knowing what to do in the event of a breach will help your retail clients react faster and, with luck, limit the damage. Their plan should name who is in charge, list the resources they will need to contain the breach (IT support, legal counsel, their insurer), cover how to isolate affected systems while preserving logs and other evidence, and set out how to notify customers, vendors and staff, along with any regulator the law requires. If payment card data may be involved, the plan should also cover notifying their payment processor or acquiring bank, which the card brands require.
Originally posted on Arrowhead’s Tribal blog, this article has been updated and modified to better fit the needs of ACM’s insurers and insureds.