[BreachExchange] Have retailers secured themselves against the Insider threat before you head to the checkout?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 26 21:53:18 EDT 2016


http://www.scmagazineuk.com/have-retailers-secured-themselves-against-the-insider-threat-before-you-head-to-the-checkout/article/487755/

When discussing regulatory requirements in relation to cyber-security in
the retail industry, many automatically think of the Payment Card Industry
Data Security Standard (PCI DSS). However, with the impending EU General
Data Protection Directive (GDPR) set to come into force in 2018, many
retailers are now faced with the challenge of ensuring that they'll meet
the latest requirements in how they capture, store, transmit and process
all customer and staff data, not just payment card data.

What effect would the EU GDPR have on the retail industry?

For customers and staff, the EU GDPR has clear advantages; greater
transparency in how data is being used, the ability to access the data,
make changes or delete it and the right to know if their data has been
hacked or breached. Yet for merchants, retailers and their suppliers and
partners, greater onus is placed on them to protect the data.

If the potential damage to customer relationships and brand reputation
wasn't incentive enough to meet the new standards, any large organisation
who falls short could be hit with fines of up to four percent of global
turnover. This means corporations handling consumer data on a large scale,
such as retailers, could face fines running into billions if they are
deemed not to have done enough to prevent a leak.

But as organisations batten down the hatches and build a fortress around
the sensitive customer data they hold, many are only considering the
potential risk of data being breached by external threats. But what if the
real risk to your customer data is actually those who are inside the
fortress already?

The Insider Threat

Simple human error remains the biggest cause of a data breach. While these
incidents are often the result of accidents such as emailing data to the
wrong recipient, many breaches come from a concerted effort to steal data
and make a profit or harm the company. Take last year's case of an internal
auditor from the supermarket chain Morrisons, who faced charges for
purposefully leaking the bank, salary and National Insurance data of
100,000 staff, leading to a class action lawsuit from those affected.

One of the most effective ways to mitigate the threat of insider theft is
by ensuring users only have as much access as they require for their job
function. The fewer people that can access the data, the lower the chance
of it being inappropriately used, as well as making it less likely to be
accidentally leaked.

Unfortunately, many organisations, including large corporations, still do
not follow best practice on user access. Windows Active Directory, the
native tool that governs user access assignment, can be cumbersome to use,
especially when large numbers of staff are joining or moving at once, such
as during projects or due to M&A activity. As a result, many system
administrators find proper due diligence in access management too
time-consuming, and there is a dangerous trend to give all users admin
access by default. Surprisingly, large companies still have little idea
about what information their staff can access, and rarely rescind access
once granted, even when someone has left the organisation.
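The two paragraphs above describe the controls an access review should enforce: least privilege, no admin-by-default, and access rescinded when someone leaves. The following is an added example of such a review, not code from the article or from any product it mentions. It assumes a directory export in a constructed CSV layout (user, status, ';'-separated groups, leaving date, last logon), an assumed privileged group name of "Domain Admins", and an assumed 90-day staleness threshold; the sample rows are constructed, not real data.

```python
"""Access review over a constructed directory export (added example).

Assumed input: CSV with columns user, status, groups (';'-separated),
left_on (ISO date or empty) and last_logon (ISO date or empty). The
privileged group name and the 90-day threshold are assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample export; not real data.
SAMPLE_EXPORT = """user,status,groups,left_on,last_logon
alice,enabled,Finance;Domain Admins,,2016-04-20
bob,enabled,Store-Ops,,2016-04-25
carol,enabled,Finance;HR-Payroll,2016-03-01,2016-04-22
dave,disabled,Domain Admins;Store-Ops,2016-02-15,2016-02-14
erin,enabled,Domain Admins,,2015-09-30
"""

PRIVILEGED_GROUPS = {"Domain Admins"}  # assumption: which groups count as admin
STALE_DAYS = 90                        # assumption: logon gap that triggers review


def _parse_date(text):
    return date.fromisoformat(text) if text else None


def parse_export(text):
    """Turn the CSV export into a list of account records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "status": row["status"],
            "groups": {g for g in row["groups"].split(";") if g},
            "left_on": _parse_date(row["left_on"]),
            "last_logon": _parse_date(row["last_logon"]),
        })
    return rows


def review_access(rows, today_iso):
    """Return (user, finding) pairs for the conditions the article warns about."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in rows:
        enabled = r["status"] == "enabled"
        # Leavers: the account should be disabled and stripped of all groups.
        if r["left_on"] and enabled:
            findings.append((r["user"], "leaver-still-enabled"))
        if r["left_on"] and r["groups"]:
            findings.append((r["user"], "leaver-retains-groups"))
        # Least privilege: every live admin needs a documented justification.
        if enabled and r["groups"] & PRIVILEGED_GROUPS:
            findings.append((r["user"], "privileged-access"))
        # Dormant but enabled accounts are a common leftover of poor joiner/leaver handling.
        dormant = r["last_logon"] is None or (today - r["last_logon"]).days > STALE_DAYS
        if enabled and dormant:
            findings.append((r["user"], "stale-account"))
    return findings


def privileged_ratio(rows):
    """Share of enabled accounts holding a privileged group (1.0 means admin-by-default)."""
    enabled = [r for r in rows if r["status"] == "enabled"]
    if not enabled:
        return 0.0
    privileged = [r for r in enabled if r["groups"] & PRIVILEGED_GROUPS]
    return len(privileged) / len(enabled)


if __name__ == "__main__":
    accounts = parse_export(SAMPLE_EXPORT)
    for user, finding in review_access(accounts, "2016-04-26"):
        print(f"{user:8} {finding}")
    print(f"privileged ratio: {privileged_ratio(accounts):.0%}")
```

Run against a real export, the interesting output is not the individual findings but the trend: a privileged ratio that creeps towards 100% is the "admin by default" pattern the article describes, and any "leaver-retains-groups" hit means the leaver process is not actually rescinding access.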

Don't make assumptions

Insider leaks can be particularly difficult to guard against because the
perpetrator is usually legitimately cleared for access as part of their job
role. Senior employees are especially difficult to catch, as they may be
the ones trusted with oversight to start with.

A study from PwC this year revealed the trend for “silver fraudsters” –
older, senior staff members in trusted positions. The research found half
of the instances of company fraud were committed by staff aged over 40,
with the number carried out by staff over 50 shooting up from six percent
to 18 percent in two years.

To address this, firms should ensure they have systems in place to alert
them whenever key files or folders are accessed. More advanced access
rights management systems can send real time alerts specifically for when
information is accessed outside of usual parameters, preventing data from
being copied unobserved from remote locations or outside of office hours.
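The paragraph above calls for alerts when key files are accessed outside usual parameters, specifically out of office hours or from remote locations. Below is an added example of that detection logic, written for this page and not taken from the article or any product it refers to. It assumes a constructed audit-log line format (timestamp, user, action, path, source address), assumed sensitive share prefixes, an assumed office address range of 10.0.0.0/8 and assumed office hours of 08:00 to 18:00 on weekdays; the log lines are constructed, not captured from a real system.

```python
"""Out-of-parameter file access alerting over constructed audit lines (added example).

Assumed line format: "<ISO timestamp> <user> <action> <path> <source ip>".
The sensitive paths, office network and office hours are assumptions.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample audit lines; not from a real system. One is deliberately malformed.
SAMPLE_LOG = """\
2016-04-25T10:15:02 alice READ /shares/hr/payroll/2016-04.xlsx 10.1.4.22
2016-04-25T23:41:10 alice COPY /shares/hr/payroll/2016-04.xlsx 10.1.4.22
2016-04-26T09:05:44 bob READ /shares/marketing/plan.docx 10.2.7.9
not a valid record
2016-04-26T13:30:00 carol READ /shares/hr/payroll/2016-04.xlsx 203.0.113.45
2016-04-24T14:00:00 dave COPY /shares/finance/bank-details.csv 10.1.4.30
"""

SENSITIVE_PREFIXES = ("/shares/hr/", "/shares/finance/")  # assumption
OFFICE_NETWORK = ipaddress.ip_network("10.0.0.0/8")       # assumption
OFFICE_HOURS = (8, 18)                                     # assumption: 08:00-17:59, Mon-Fri
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, path, ip = m.groups()
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "path": path,
            "ip": ipaddress.ip_address(ip),
        }
    except ValueError:
        return None


def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES)


def reasons(event):
    """List why an event falls outside the usual parameters (empty list if it does not)."""
    why = []
    ts = event["ts"]
    weekend = ts.weekday() >= 5
    in_hours = OFFICE_HOURS[0] <= ts.hour < OFFICE_HOURS[1]
    if weekend or not in_hours:
        why.append("out-of-hours")
    if event["ip"] not in OFFICE_NETWORK:
        why.append("remote-source")
    return why


def scan(log_text):
    """Return (user, action, path, reasons) for sensitive accesses outside normal parameters."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not is_sensitive(event["path"]):
            continue
        why = reasons(event)
        if why:
            alerts.append((event["user"], event["action"], event["path"], tuple(why)))
    return alerts


if __name__ == "__main__":
    for user, action, path, why in scan(SAMPLE_LOG):
        print(f"ALERT {user} {action} {path} ({', '.join(why)})")
```

Only accesses to the sensitive prefixes are considered, so routine work on ordinary shares produces no noise; the malformed line is skipped rather than crashing the scan, which matters when the alerting runs unattended over a live feed.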

Poor access rights management leaves an organisation open to malicious
activity from an insider, with valuable information stolen for sale to
criminal gangs or rival organisations, or posted online purely to harm
the company. While accidents are always possible, organisations need to
ensure they have safeguards in place to make it harder for mistakes to
happen, as well as training to raise awareness of the consequences of a
leak. Having an executive or department charged with data protection
provides a useful focal point, but the entire company must be aware of the
risks and their role as well.