Without question, 2008 was an eventful year for major financial institutions, with massive losses, questions of solvency and, ultimately, government bailouts now totaling over a trillion dollars. The corporate fire sales, downsizing and mergers now commonplace in the financial industry are a cause not only for serious concern about the health of our economy, but also for concern about the security of personal and financial data. With companies being sold and mergers taking place on such tight deadlines, mistakes regarding the confidentiality and privacy of that data are likely being made every day. The risk to the personally identifiable information entrusted to these firms is increasing significantly.
The retail industry is generally considered to be an indicator of economic trends, so it should come as no surprise that many similar issues are arising in this industry. Several announcements of store closings have been made and large retailers have recently entered into bankruptcy proceedings.
One thin silver lining of the slowdown in retail, at least for savvy shoppers, is the growth of inventory liquidations and sales everywhere with unbelievably low prices. The low prices and sales appeal to consumers' ears (and wallets) until one starts to think about paying for this merchandise, which is, of course, almost entirely through credit cards.
What happens to the credit card data after a purchase from a store that is going out of business? Is that part of the sale as well? Point of Sale (POS) systems are known to be one of the weakest links in the payment operations world, and the thought of financial information leaving on a POS system that is sold off to whoever buys it is disturbing. (See also Security at the Point of Sale.) In addition, news reports everywhere claim online sales were on the rise at stores that were going out of business. Therefore, the risk to personal data and credit card numbers may be at an all-time high. Is your information up for sale?
Will Retailers Keep Security in Mind--Even When Going out of Business?
The New York Times recently ran the headline, As Economy Dips, Arrests for Shoplifting Soar. With shoplifting on the rise, it should come as no surprise that we are also seeing an increase in cyber-theft. The responsibility for safeguarding the customer's financial information still rests with the closing store or the ailing financial institution. But who is really accountable, and are there any regulations?
Based on previous reports of incidents, it is quite clear that financial and retail companies have been haunted by highly publicized security incidents and data breaches. It is time to think about and act upon increasing risks that will continue to occur as businesses are closed or scaled down.
Certain information security exposure points have always existed, and they may now grow in trying economic times. Below are some of the steps that can help mitigate the risks posed by the most common of these exposures.
A very good first step to combat any security threat is a risk assessment, which ensures that all the security risks are identified when the company is on the path to closing down entirely or shutting down stores or specific operations. A risk assessment is the ideal way to start, but for a failing business it means additional cost when funds are scarce, and it is difficult to gain management support amid all the other distractions surrounding times of tough changes.
Another important step in helping safeguard information is effective asset management. Stores that are going out of business are selling practically everything in their store--their entire asset inventory--including the kitchen sink. All the servers, desktops and financial reporting systems would most likely be on the market as well: a nightmare for data protection and privacy. Will the employees who currently work for a business that is soon closing down take the measures needed to ensure data security? Does the business have a plan to direct employees on how to ensure data security? Are these businesses complying with regulations addressing privacy, data security and confidentiality even while they are shutting down?
When a business is closing down, there are unexpected layoffs across different levels, raising the specter of one of the most challenging risks to data: insider threats. Potentially disgruntled employees can cause significant damage to the company by stealing data, such as financial information and corporate information. Historically, insider threat has risen to its highest level during times of deep economic crisis. A perfect storm of conditions for insider abuse may be unfolding.
Another potential exposure point is social engineering. Historically speaking, we have seen people resort to unethical ways during dismal economic times. Even if an employee remains loyal to the company that is going out of business, they could be naïve enough to become part of a social engineering attack that somebody from the outside is executing. It could be as simple as opening a phishing email that offers incentives or jobs--very appealing to someone losing a job. So here we could have a loyal but concerned employee who puts the company at risk.
One common challenge with information security for retailers is the multiple critical components that make up a retail operation. The IT infrastructure of a retail chain may involve several smaller components such as domain names, internal and external web sites, and wireless networks. These are some of the last things that will have to be shut down after a business has ceased operations. These parts of the infrastructure need to be addressed in a security-conscious manner to ensure that confidential data is not left unsecured. Not addressing these "missing pieces" makes it highly likely that they will come back to haunt your business in the future.
First and foremost, recognize that there is an increased risk of identity theft with the economic downturn. The emotions surrounding the personal losses in an economic downturn can negatively affect the security consciousness of consumers. Consumers are being scammed in an ever-increasing variety of ways. For example, people are receiving phishing e-mails asking them to provide their bank account information so as to avoid having their bank account closed in a merger. They provide their bank information and their account balance is plundered. Be aware of what you are doing in the cyber world. Monitor your credit reports so that you can detect any fraudulent activity. Use a shredder to dispose of any mail that contains sensitive information.
Good Information Security Practices Do Not (or at least Should Not) Change
The last thing you want as a business trying to survive the economic crunch is a security incident. To ensure you are prepared, we provide below some best practices that can be lifesavers during these tough economic times, especially for companies that are wary of capital expenditures to address security risks. Here are six tips for making those smart security investments:
1. Focus on Information Security: As the economy has fundamentally undergone a meltdown, it is important to focus on securing information and assets as an organization while maintaining a secure infrastructure that can enable the business.
2. Adopt a Risk-Based Security Program: Incorporate a risk-based approach to security, especially during times when you have to make spending decisions on security. It is always better to take a proactive approach to security than a reactive one and only through a strong risk management program can these decisions be effectively made.
3. Focus on Security Awareness: Security tends to stay within IT in most organizations. Take steps to propagate your organization's security strategy beyond your IT department. No better investment can be made to protect against insider threats and targeted attacks against employees, both of which rise during economic downturns. Ensure that the policies and procedures that make up your information security program are still being followed and are still working. (See also How to Build an Effective Awareness Program.)
4. Think About Intellectual Property (IP) Protection: The purpose of IP is to protect investment in the branding, design, technology and creative works that give one supplier an edge over his or her competitors. Your IP is your business; protect it as such.
5. Think of Security as a Business Enabler: Process re-engineering and optimization projects can find efficiencies in IS processes that can be turned into cost savings. Consider outsourcing non-core competencies to a Managed Security Services Provider and focus internal resources on tactical and strategic activities rather than managing technology.
6. Conduct Compliance Assessments Regularly: Perform health checks on your security posture and ensure that you don't go down the road of becoming non-compliant with regulations as the economy hits a rough patch. Understand that the ultimate goal of being compliant is to be secure, not just to be compliant on paper. For every compliance dollar spent, a corresponding measure of risk should be reduced; otherwise your compliance dollars are not being effectively spent, and may even be wasted. Risk reduction should drive compliance, not the other way around.
Hard times have fallen across many industries, and the early returns on 2009 give no indication of an imminent or immediate turnaround. Hopefully, these experiences and insights, gained through assisting customers with information security risks through difficult economic times, will help you maintain your security posture. If you are a company that is highly affected by the current economic conditions, keep a careful eye on your data. Securing your sensitive, business critical information becomes a key to survival in these tough times.
And here's hoping additional help comes in the form of regulators and industry standards organizations providing greater guidance in the form of standards, guidelines, and frameworks that take into perspective the risks to information security with reference to a closing business.
Todd Waskelis is Vice President, Global Security Consulting and Bindu Sundaresan is Security Consulting Manager, Global Security Consulting at VeriSign.