In September 2014, another US retailer Home Depot admitted that account information of 56 million cardholders were compromised by a security breach.
Credit card account breaches at Target and Home Depot are among the biggest such incidents and have had had far-reaching consequences. In Target’s case, it led to the exits of both Chief Executive Officer Gregg Steinhafel and Chief Information Officer Beth M Jacob.
HOW TARGET AND HOME DEPOT WERE INFILTRATED
Cyber security experts say there are important lessons for others in studying how attackers infiltrated both the retailers.
• At Target, attackers entered its network through a refrigeration and air conditioning supplier who should have been ideally far away from customer financial data.
• At Home Depot, hackers infiltrated its cash register systems at its US and Canadian stores in April 2014.
This is one reason why security experts advise that storeowners should always assume that hackers are already inside the company’s network. Their focus should thus be on protecting the company’s ‘crown jewels’. So even if attackers scale the company’s walls, there should be many more layers for them to overcome before they can reach the core databases.
Cyber experts says that once companies adopt the stance that hackers are already inside, then they would start investing in making their organisation as difficult a target as possible to hack. They should do so by adding strong encryption and layers and layers of vaults to company data.
BEST PRACTICES FOR INDIAN ECOMM FIRMS
Ecommerce is all the rage in India now. As revenues zoom, companies have the responsibility to keep their databases and gear secure, and keep cyber criminals at bay. Here are some best practices they can adopt to keep themselves as well as customers out of harm’s way.
• Monitor fraud loss regularly. Set a limit to the fraud you can tolerate. Conduct a review meeting of the respective business group when the fraud nears 90% of the target set.
• Set up a dedicated email ID so that customers can report any fraudulent activity they have noticed.
• A fraud helpline for customers and employees to report suspicious activity is also helpful.
• Conduct vulnerability scans at least once every quarter using vendors approved by the payment cards industry.
• Companies should coach employees in adopting best practices for password creation and maintenance.
• Hackers will try to access company networks through remote access log-ins. So security on such log-ins should be improved.
• Single-factor authentication should be phased out at all access points in the company and replaced with twin-factor authentication.
• Hackers would try to hack into the credentials of people with the highest level of access, namely members of the top leadership. So they should be doubly protected.
• Buy threat intelligence from cyber security companies; also share human intelligence with peers in the industry.
• A flipside of encrypting more and more data is that it slows down computer systems in the company. As a result, there is resistance to increased encryption, especially from ecommerce firms that want to respond quickly to customer queries. Investing in upgrading technology should provide a way out of this.
REHEARSE YOUR RESPONSES
What happens after a breach is equally important in managing losses as what companies do to prevent breaches in the first place. Public statements intended for customers, employees, regulators and the press should be prepared in advance. Ditto for website messages and provision for alternate payment methods.
Another essential step is to train employees to ignore spam as well as attempted phishing attacks. The cyber security industry has identified telltale signs that are the hallmark of phishing messages. They are likely to feature:
• Generic names to address individuals. Instead of using the intended victim’s name, a phisher will begin communication with a generic ‘Dear Customer’ or something similar.
• The logo may not quite match.
• For some reason, the communication will feature language riddled with grammatical errors.
• They will invariably ask victims to verify their passwords at a masked web address. That should be a dead giveaway.
In short, as far as cyber security is concerned, it pays to be ever vigilant and adopt best practices and train employees across the country.