What Retailers Need to Do to Prevent the Next Breach
Author: CSC Town Hall
In recent weeks, several major retail chains have announced security breaches - and we know at least 20 others are under some level of attack today. Both the U.S. Secret Service and the FBI have issued bulletins to all U.S. retail chains mandating certain security actions. Most retailers are struggling to figure out how to respond to this direction and how to project payment confidence to their consumers.
In this online Town Hall, you’ll learn from cybersecurity experts how to identify whether you are currently under attack, how to make yourself less vulnerable to cyberattacks in the future, and how to prepare for, respond to and survive an information-security incident before, during and after a breach.
- Tom Patterson, General Manager of CSC Cybersecurity Consulting and FBI Consultant
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Michael Gibbons, Managing Director, Alvarez & Marsal
- Jeff Caruso, Senior Managing Editor, CSC
In recent weeks, several major retail chains have announced security breaches, with more certainly under attack. Retailers are struggling to maintain consumer confidence and respond to new requirements for security. This CSC Town Hall discussed strategies for defending against cyber attacks and how to respond to security incidents.
It's important to realize that breaches occur on an ongoing basis, says Ted Julian, chief marketing officer at Co3 Systems. "We all gravitate toward substantial breaches that make headlines. The reality is most organizations have incidents of all kinds on a regular basis, whether that's a lost laptop with personal information or a box of paper records that goes missing," he says.
These types of attacks are hardly new, just new to retail, according to Tom Patterson, general manager of cybersecurity consulting for CSC. "These types of attacks have been aimed at CSC clients like defense companies and government agencies for the last five years," Patterson says. "There are many steps you can take to reduce your risk and to smooth your recovery if you suffer an attack."
Patterson compares incident response to sitting in an airplane exit row. "You want to know how to open that door in advance, not when the cabin is full of smoke. In an attack, you want to know how to respond and what to say. Those are all things that you want to do in advance."
Julian says companies must anticipate and practice for these kinds of events so that their response is like a “muscle memory.” Julian says a well-rehearsed response will help companies deal with breaches much more effectively.
Large-scale attacks don't happen overnight, Patterson says. They take a great deal of advance planning, and that should work to the retailers’ advantage.
"Advanced attacks may spend a year inside the network doing reconnaissance, mapping out your defenses, escalating their access, then figuring out what they're going to steal and how they're going to do it," Patterson says. "That entire chain is detectable with new technology. You can see these things happening within your network, working to gain privileges or mapping your resources. When you let those tools loose, it takes just a few weeks to determine if you're under attack, and then what to do about it."
Michael Gibbons, managing director at Alvarez & Marsal, says the priority of network operations is beginning to shift. "Corporate networks have long been optimized to move large packets of data efficiently, even if that's large packets of customer data now on the way to Romania. Now the focus is on questioning what's in those packets and maintaining whitelists of authorized and expected access," he says.
Patterson says that many components go into an effective prevention plan, but the first component is people. "Figuring out the people involved, who's responsible for what, what that recovery map looks like and who you're going to call - those are elements that spell success or failure in an incident response," Patterson says. "Having those people with a Pelican case in their trunk, who can hop on a flight and be at your location that day to help you, those aren't on staff at most companies. You need to figure out who you're going to hire, who will commit to being available when you need them, someone who is trained on your network so they understand your infrastructure and your business."
Julian agrees, and notes that the security industry is shifting to focus on how companies respond to incidents. "We've migrated from prevention to detection, and now response is the next wave. And frankly I think that's how CSOs of the future will be evaluated. It's impossible to prevent a breach. It's going to happen sooner or later. On the day that happens, you want to be focused on the fine tuning and execution of that plan. What you don't want to have happen is to botch the response. That's going to put you in deep trouble," he says.
Gibbons says he sees that shift happening as well. "We're seeing the focus shift from 'Tootsie Pop' security which had this nice crunchy exterior. Now we're focusing on the soft chewy center. The good news is, there are many steps retailers can take to significantly reduce their risk and speed their recovery time."
Other topics discussed include:
• How the market values an effective response
• Lessons learned from defense that can benefit other industries
• Executive Order 13636
• Tabletop exercises for incident planning
• How EMV will play out in the US
• What tokenization and end-to-end encryption offer
• Aligning internal incident response with service provider response
• The evolution of threat intelligence and assessment