Guide to Navigating Retail Related Defense
The Rise of Cyber Attacks
Cyber-related crime has greatly increased in the last several years as cyber bad actors – individuals, organized crime syndicates, and foreign states – target US businesses and government systems. The attacks have become increasingly sophisticated, as these individuals and groups are targeting not only credit card numbers but also corporate secrets, confidential company financials, and personal data.
Retail companies, and restaurant and hospitality brands in particular, are at greater risk of cyber-attacks, since even a single retail location is likely to manage thousands of transactions a month. More than 20 US-based hospitality companies have been compromised by cyber bad actors since the summer of 2016. Well-known brands such as Arby’s, Chipotle, Popeye’s, InterContinental Hotel Group, and Sabre Hospitality Solutions have not been immune to these attacks.
Restaurant and hospitality companies are often primary victims of hackers because they either lack or have limited IT departments, CISOs (Chief Information Security Officers), CPOs (Chief Privacy Officers), and capital expenditure budgets.
How Are Companies Targeted & Breached
Hackers use sophisticated techniques to target retail companies, including malware, social engineering (phishing, disgruntled or bad employees), IoT devices, POS systems, and, increasingly, third-party relationships with suppliers and vendors.
- Chipotle’s attackers used malware to compromise POS systems to gain access to track data storing credit card numbers and associated customer names, addresses, expiration numbers, and verification numbers
- Target and Google were compromised through IoT controllers used for HVAC systems
- A large oil company was targeted through employees who frequented a local Chinese restaurant and downloaded its popular food menu
In 2016, up to two-thirds of security breaches of a target company came through third-party suppliers.
“New business relationships and processes can create security gaps, alter access to sensitive data, or cause shifts in cyber risk liability exposures.”
James Cascone, Deloitte & Touche, Advisory Partner and Global Restaurant Leader
However, as stated in Verizon’s 2017 Data Breach Investigations Report, POS intrusions continue to be the most used attack avenue for the restaurant, hospitality, and retail industries. The criminal element wants to gain opportunity and financial reward. Detecting a compromise can take up to 147 days, with an additional 120 days to remediate the attack. “Breach timelines continue to paint a rather dismal picture—with time-to-compromise being only seconds, time-to-exfiltration taking days, and times to discovery and containment staying firmly in the months camp. Not surprisingly, fraud detection was the most prominent discovery method.”
What It Means for Companies
The cost of a breach is unequally borne by a retailer. POS companies, processors, banks and credit card networks can force retailers to investigate even a suspected breach, or the retailer risks losing the ability to process credit cards.
This means retailers suffer the following monetary costs:
- Investigation, Remediation, Fines, & Penalties
  - Forensic Investigation
  - Security Remediation
  - Legal Fees and Fines
  - Government Fines
  - Card Brand Compromise Fees
  - Monitoring Fees
  - Card Reissuing Fees
  - Fraud Reimbursement Penalties (Chargebacks)
And brand damage through:
- Substitute notices issued through statewide media to alert customers of breach incident
- Class action lawsuits
Even a small incident can end up costing an SMB (small-to-medium business, $5-50 million a year in revenue) $100,000 to $1.5 million. New case law now holds that executives are personally liable for not securing the data and privacy of others.
The Federal Trade Commission has successfully sued franchisors for data breaches of non-owned franchise locations.
Industry Specific Solutions from @RISK Technologies
The National Institute of Standards and Technology has recommended five essential steps to protecting businesses: Identify, Protect, Detect, Respond, Recover. This framework is a guideline that lets single operators, multi-unit operators, franchisors, and franchisees speak the same language.
@RISK Technologies has developed the Network Consensus™ platform to incorporate appropriate cyber security, risk, and privacy protocols between technology (POS, network systems, websites) and human actors (IT staff, executives, personnel, business processes) to reach a balance and effectively speak the same language across the board. The Network Consensus™ platform shapes and deters possible attack avenues and then automates defense systems by continuously monitoring and updating the risk profile of an organization. Not only does @RISK guard your system from outside intrusion, but it also creates a virtual CISO and CPO to govern compliance.
Network Consensus™ is defined as the ability to automate post-breach digital forensic investigation tradecraft, tasks, and human processes by applying algorithms in cognitively assembled models, where the analytic results are optimized through machine learning. The results are continuously trained using data that is stored in a cognitive library that catalogs People, Process, Technology, Data, Risk and Privacy rules until a specific Artificial Intelligence can mimic human behavior. This symphonic integration of human systems and subsystems using systems engineering and consensus theory transforms post-incident response into pre-incident discovery. This pre-incident discovery enables organizations to plug the holes in their security operations before the ever-evolving advanced cyber threat has a chance to exploit them.
Restaurant, hospitality, and retail companies are actively seeking cloud-based solutions because of the distributed architecture of their network systems. @RISK, a SaaS company, utilizes the IBM BlueMix Cloud to perform advanced analytics leveraging IBM Watson.
AT A GLANCE
- Restaurants, hospitality groups, and retailers are targeted because they lack infrastructure and key components to secure and neutralize threats
- Data targeted includes:
  - Credit Card Numbers
  - Trade Secrets
  - Financial Records
  - Personnel Files
- Cyber security is a process that involves limiting access, protecting data, staying up to date, and training staff
- @RISK is ideally suited to provide cyber security through its Network Consensus™ platform
- Through trained machine learning and cognitive computing, @RISK is able to prevent an attack “Left of Bang” or before an incident occurs
- SMBs can gain access to a virtual CISO/CPO as well as advanced Digital Minutemen ready to combat an attack for less than the cost of a qualified employee