There is no shortage of advice on ways to try to prevent a data breach. But if it happens to you, do you have a plan of precisely what to do next? Very few retailers do.
Before we delve into what you should do next—and the fact that you really need to get your teams together and figure it out now (think of it as a Data Breach Disaster Recovery Plan)—let’s look at why this is such a difficult area. In the last couple of years, a veritable who’s who of major retailers have been breached, including TJX, Hannaford, 7-Eleven, Target, J.C. Penney, BJ’s Wholesale, Boston Market, Sports Authority, Dave & Buster’s, Office Max, Barnes & Noble, Forever 21 and DSW. And that’s merely a partial list of the ones we know about.
And in almost every one of those cases, the cyber thieves entered those networks, rummaged around, copied GBytes of payment data and related files, transferred that data to themselves and left—all without the retailers detecting any alarms. Invariably, it was the card brands—and sometimes the U.S. Secret Service—that detected the fraud days, weeks, months and sometimes years later and then circled back to give a heads up to the retailers involved.
That’s complicating factor Number One: You’re likely to learn of the breach long after it’s been halted by the thieves themselves. That tends to fuel the tendency to react slowly, as it doesn’t feel like an emergency. Trust me: It is.
Complicating factor Number Two: Data logs. As Wal-Mart learned a few years ago, those logs are the first things that professional cyber thieves will alter and manipulate once they break in. You simply can’t trust them if you know that cyber thieves have had hours of free rein within your network. That’s one of the reasons that real-time alerts (E-mail or otherwise)—stored in various locations far away from the enterprise servers (beyond the reach of the intruder)—are so attractive. Before the bad guy can cover his tracks, video of those tracks has already been sent to 40 different inboxes.
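One way to put those off-host copies to work after a breach, as an added example that is not part of the original article: reconcile the log found on the compromised server against digests that were forwarded elsewhere at write time. The sequence-numbered records, the SHA-256 forwarding scheme, the function names and the sample log lines are all assumptions constructed for illustration.

```python
import hashlib

def digest(line: str) -> str:
    """SHA-256 of one log line, as sent off-host the moment the line is written."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()

def forward(records):
    """Simulate the real-time forwarder: returns what the remote store holds."""
    return {seq: digest(line) for seq, line in records}

def reconcile(local, remote):
    """Compare the post-incident local log with the off-host digests.

    local:  dict seq -> line as found on the breached host
    remote: dict seq -> digest received off-host in real time
    """
    report = {"altered": [], "deleted": [], "unforwarded": []}
    for seq in sorted(remote.keys() | local.keys()):
        if seq not in local:
            report["deleted"].append(seq)       # remote saw it, local lost it
        elif seq not in remote:
            report["unforwarded"].append(seq)   # local-only, never left the host
        elif digest(local[seq]) != remote[seq]:
            report["altered"].append(seq)       # content changed after forwarding
    return report

# Constructed sample: the log as originally written and forwarded.
ORIGINAL = [
    (1, "09:00:01 login ok user=pos-svc src=10.0.4.12"),
    (2, "09:14:37 login ok user=admin src=10.0.9.77"),
    (3, "09:15:02 export table=card_batch rows=48211"),
    (4, "09:20:44 logout user=admin"),
]
REMOTE = forward(ORIGINAL)

# Constructed sample: the same log as found later, with record 2 rewritten
# and record 3 removed.
LOCAL_AFTER = {
    1: ORIGINAL[0][1],
    2: "09:14:37 login ok user=admin src=10.0.4.12",
    4: ORIGINAL[3][1],
}

if __name__ == "__main__":
    print(reconcile(LOCAL_AFTER, REMOTE))
```

The report only tells you which records to distrust; the remote store has to live somewhere the intruder's credentials never reached for the comparison to mean anything.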
That said, today’s the day. You’ve just gotten the call from Visa that your systems are apparently the common point of purchase with a few million fraudulent transaction attempts. What are the first three things you need to do?
One: Identify The Nature Of The Breach
Although number two on this list is cutting off your networks from the intruder and others associated with the intruder, you can’t meaningfully do that until you at least reliably know the basics of the attack.
What if you choose to yank your system from the network—which is exactly what one breached Colorado liquor store did—and you later discover that the attacks were done physically on the card swipes and that network access limits wouldn’t stop them?
Or perhaps you choose to break off all external links, leaving intranet and VPN connections alive so operations can continue. And you later learn that it was an inside job done by two people in accounting and an IT programmer? Oops.
So as tempting as it is to make “cutting off the intruders” number one on this list, establishing the exact nature of the breach has to be Number One. (Actually, phoning a reporter for StorefrontBacktalk really should be Number One, so as to prevent this breach from impacting others. You’re a retail patriot, no?)
Two: Cutting Off The Bad Guys
You have learned of a major security hole. Even if you’re confident the perpetrators have been caught and made inactive, these thieves use discussion forums and share knowledge. You can wager generously that it’s known—at least in the cyber thief world—that you’ve been breached and how.
You’ve got to plug those holes before the next wave of silent attacks happens. Don’t forget that they are silent, leaving almost no easily discoverable tracks. They may be copying files as you sit in a meeting debating options.
But you actually have a sub-priority that should trump your key priority: Maintain operations and maintain them seamlessly. Whatever you do, it can’t meaningfully impact customers. You can’t simply stop accepting online coupons or processing CRM points if you used to.
There are an infinite number of ways of cutting off access to the bad guys, but they generally fall into two equally-viable categories: Go Back; and Move Forward.
The Go Back strategy suggests cutting off access as much as possible to cut your losses and halt damage. It has some severe drawbacks, both in terms of functionality and security (no encryption), but it’s also likely to avoid further breaches for a bit. After all, it’s hardly cost-effective to steal one card at a time by tapping phone lines.
The Move Forward approach is also known as the “Panicky IT Executive Throwing Money At The Problem.” To be fair, many of the “move forward” options will have to be seriously considered for Step Three, which is returning the network to the new normal. But it’s not an especially great idea at this stage because the immediacy required prevents the kind of due diligence this merits. Still, adding software to plug limited holes or to generally boost protection is something to consider at this phase.
The Zero Liability programs from the major card brands do a wonderful job of limiting direct financial losses from your customers. But if, in an attempt to make your systems temporarily breach-proof, you start losing customer-facing functionality, you have the real potential of alienating—and losing—key customers. If that happens, candor—in the form of “Well, we’ve been breached and we think this Eastern European cyber thief gang has your credit card info”—is not likely to help you, unless you define “help” as stopping customers from walking away and instead getting them to run away.
Three: Activating The New Normal
Once you’ve figured out exactly what the attackers did—to your satisfaction at least—and prevented anyone from doing those particular techniques to you again, you need to return to the living and get your operation to move into the next security phase.
But given the RFPs that need to be created and circulated plus the competing bids and then the questions and trials and trial evaluations and then limited deployments, you could easily have to live a year or two with your “immediate” approach. Don’t rush the new normal as that will be your key safeguard for quite some time.
If the size of your chain means that you may have to live longer without the new normal, that would certainly suggest that the Move Forward approach in Number Two might be a good way to go for you.
Breaches are becoming a fact of life in retail IT today and there’s no way to prevent them. But with the right prep, you can at least make the post-breach nightmare a little less horrific.
Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page.