Retail Data Security: Preparing for the Top Threat for Holiday Breaches

Here’s the question of the season: What is the true cause of the retail breaches we read about year after year? While malware or ransomware may get most of the scary security press, they aren’t in fact the main culprit. The primary cause of most retail breaches is, by far, stolen credentials. These are the usernames and passwords of employees, contractors or partners of a retail firm. Victim firms such as Target Corp., Home Depot, eBay and others have fallen prey to similar attacks in recent years: a trusted insider’s credentials were stolen and hackers used those to access the network. In some cases, the credentialed access led to the installation of malware on card reader systems, while in others, hackers took different paths.

The point is clear, however: the access credentials of trusted insiders are in fact the biggest risk factor for a breach in the retail sector. Verizon’s annual data breach survey, released earlier this year, confirms this: credential attacks were identified as the top source of data breaches, with 63% of breaches occurring via weak or stolen credentials.

This isn’t a particularly new insight. The Target and Home Depot breaches, both via stolen vendor credentials, happened more than two years ago.

And yet, as the Verizon report indicates, large firms are still quite vulnerable to credential attacks. Why is a credential-based attack so hard to detect? The point of the attack is to impersonate a valid user (an employee, contractor or some other insider) going about his or her daily job. When a financial analyst logs into a financial system using her regular ID and password, for example, we do not expect an alarm to sound.

The retail environment has some unique factors that make detection more difficult.

For example, retailers employ large numbers of seasonal workers, so knowing whether a particular person should be allowed near a secure server in the back room of a store may be difficult. The general buzz and chaos in retail stores may weaken security checks, and sheer volume of transactions, returns, special orders, and the like can distract employees and open up security gaps.

There are, however, concrete steps that can be taken.

The first is simple: most if not all retailers have two networks, one corporate and one retail (in-store). Human resources, research and development, accounting, and other corporate functions operate on the corporate network. Point of sale systems, cashiers, and store managers operate on the retail network. In theory, these networks are completely walled off from each other, using two-factor authentication and other security systems. A temporary sales clerk should not be able to access the payroll system at corporate headquarters and download employee social security numbers, just as an HR specialist at headquarters should not be able to access the credit card database within a store point-of-sale (POS) server. This is especially sensitive since many retailers haven’t yet rolled out chip-and-pin readers. If a card number is stolen from a POS system, it’s usable in many places.

A basic check would be to ensure that the two-factor authentication system between the corporate and retail networks is working correctly, is updated with patches, and is applied as broadly as possible. However, this is not always the case, and there have been instances where hackers have been able to steal a corporate user’s credentials (using a keylogger or other type of malware) and then bypass the authentication system to connect to hundreds of in-store POS systems. Perhaps the system configuration has “drifted” over time and needs re-certification. This is an easy check on network security risk.

Another step relates to context—in other words, understanding what is normal. As mentioned above, a retailer during the holiday season manages chaos on a daily basis. It is too easy for attacks to slip by without notice during the noise and commotion. Recall the advice given to New Yorkers after 9/11: “If you see something, say something.” While relying on employees to notice unusual behavior is fine, a better approach is to augment humans with smart technology that understands normal behavior and can raise an alarm when behavior is suddenly not normal.

For example, a specialist in IT is accessing hundreds of POS systems in multiple stores via the corporate network. Is that okay? It is hard to say. Perhaps he is doing it as part of a backup process or maybe he is helping restore systems after a failure. Without knowing what is normal for this person, as well as for his peers, it is very difficult to judge the riskiness of his actions. Behavioral analytics systems are built for this problem. They analyze past behavior and build baselines, just as VISA and MasterCard do for every credit card owner. When an employee suddenly starts logging into store POS systems but has never done so before, behavioral baselines can provide the context needed to alert that this user might in fact be a hacker.
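The two checks described above (a two-factor boundary between the corporate and retail networks that may have drifted, and a user who suddenly starts reaching POS systems when neither their own history nor their peers' history shows such access) can both be run as simple detection logic over authentication logs. The following is an added example, not code from the original article or from any vendor it mentions. The log format, hostnames, user names, roles and every log line are constructed for illustration; a real deployment would read the same fields from the VPN, jump-host or directory logs of the retailer in question.

```python
"""Credential-misuse checks over constructed retail authentication logs.

Two detections, matching the article's two recommendations:
  1. find_mfa_gaps: a session from the corporate network into an in-store
     POS host that did not pass the two-factor step (boundary drift/bypass).
  2. find_novel_pos_access: a user reaching POS hosts from the corporate
     network with no POS access in their own baseline; severity is "high"
     when their peer group (role) has no such history either, "medium" when
     peers routinely do this (e.g. IT backup staff).
Field layout (hypothetical): day,user,role,src_net,dst_host,mfa
"""
from collections import defaultdict

FIELDS = ("day", "user", "role", "src_net", "dst_host", "mfa")

# Constructed history window used to build baselines.
BASELINE_LOGS = """\
d01,analyst.fin,finance,corp,fin-erp-01,yes
d02,analyst.fin,finance,corp,fin-erp-01,yes
d03,analyst.fin,finance,corp,fin-erp-02,yes
d01,it.backup,it-ops,corp,pos-store101,yes
d01,it.backup,it-ops,corp,pos-store102,yes
d02,it.backup,it-ops,corp,pos-store103,yes
d03,it.backup,it-ops,corp,pos-store104,yes
d01,it.helpdesk,it-ops,corp,pos-store105,yes
d02,it.helpdesk,it-ops,corp,pos-store106,yes
d01,clerk.temp,store-staff,retail,pos-store101,no
d02,clerk.temp,store-staff,retail,pos-store101,no
"""

# Constructed "today" window to evaluate against the baselines.
TODAY_LOGS = """\
d04,analyst.fin,finance,corp,pos-store101,yes
d04,analyst.fin,finance,corp,pos-store102,yes
d04,analyst.fin,finance,corp,pos-store103,yes
d04,it.backup,it-ops,corp,pos-store107,yes
d04,it.backup,it-ops,corp,pos-store108,yes
d04,it.newhire,it-ops,corp,pos-store110,yes
d04,vendor.hvac,contractor,corp,pos-store109,no
d04,clerk.temp,store-staff,retail,pos-store101,no
"""


def parse(text):
    """Turn the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines instead of aborting the run
        events.append(dict(zip(FIELDS, parts)))
    return events


def is_pos(host):
    """Hypothetical naming convention: in-store POS hosts start with 'pos-'."""
    return host.startswith("pos-")


def find_mfa_gaps(events):
    """Corporate-to-POS sessions that skipped two-factor authentication.

    In-store sessions on the retail network never cross the boundary, so
    they are not in scope for this check."""
    return [(e["day"], e["user"], e["dst_host"])
            for e in events
            if e["src_net"] == "corp" and is_pos(e["dst_host"]) and e["mfa"] != "yes"]


def build_baselines(events):
    """Per-user and per-role sets of POS hosts seen in the history window."""
    by_user, by_role = defaultdict(set), defaultdict(set)
    for e in events:
        if is_pos(e["dst_host"]):
            by_user[e["user"]].add(e["dst_host"])
            by_role[e["role"]].add(e["dst_host"])
    return by_user, by_role


def find_novel_pos_access(history, today):
    """Users touching POS hosts from corp today with no POS history of their own."""
    by_user, by_role = build_baselines(history)
    hosts_today, role_of = defaultdict(set), {}
    for e in today:
        if e["src_net"] == "corp" and is_pos(e["dst_host"]):
            hosts_today[e["user"]].add(e["dst_host"])
            role_of[e["user"]] = e["role"]
    alerts = []
    for user, hosts in sorted(hosts_today.items()):
        if by_user.get(user):
            continue  # this user has done this before; baseline explains it
        peers_do_this = bool(by_role.get(role_of[user]))
        alerts.append({"user": user, "role": role_of[user], "pos_hosts": len(hosts),
                       "severity": "medium" if peers_do_this else "high"})
    return alerts


if __name__ == "__main__":
    history, today = parse(BASELINE_LOGS), parse(TODAY_LOGS)
    for gap in find_mfa_gaps(today):
        print("MFA gap: corp session to %s by %s on %s" % (gap[2], gap[1], gap[0]))
    for a in find_novel_pos_access(history, today):
        print("Novel POS access [%s]: %s (%s) reached %d POS host(s)"
              % (a["severity"], a["user"], a["role"], a["pos_hosts"]))
```

On the constructed data the finance analyst who reaches three POS systems is flagged "high" (no personal or peer history), the new IT hire doing the same job as the backup specialist is "medium" (peers do this routinely), and the contractor session is caught by the MFA-gap check because it crossed the network boundary without two-factor authentication. The backup specialist's own access, which is normal for that user, raises nothing.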

Retailers are getting better about security every year, improving risk management processes and rolling out new security technologies. Credential attacks remain the top threat for retail breaches, however, and retail firms must both verify their processes and also look to new solutions, such as behavioral analytics, to close the risk gap.

Establishing Company Gift-Giving Guidelines

With increased regulatory oversight around the globe, companies’ external and internal gift-giving are under scrutiny. With the holiday season upon us, it is up to organizations, no matter what the size, to clearly state policies and leave no question about what is and what is not allowed. Establishing monetary limits for gifts given and received is also a good idea.

According to a report by Thomson Reuters:

While bribery and corruption charges are widespread, it’s important to note that bribery is not synonymous with gift-giving. When it comes to gift-giving, businesses cannot offer, promise or give anything of value, directly or indirectly, to a foreign official for the purpose of obtaining or retaining business. Corporate gifts need to be carefully evaluated to ensure they do not appear to violate these prohibitions.

Internal gifting policies vary from company to company, and while there is no one-size-fits-all approach, it is extremely important that organizations have policies in place and that employees are aware of what those policies are. No matter how well-intentioned a gift, the potential exists that it falls outside of the appropriate boundaries.

Organizations need to be clear about what types of gifts are acceptable and what are not.

Both employers and employees should also be aware of what constitutes a bribe and what types of bribes to watch out for.

Regulatory bodies are holding companies accountable, and depending on the countries involved, penalties can range from prison terms to millions of dollars in fines.

Best Practices for Protecting Against Fraud

In 1987, during arms control negotiations between the United States and the USSR, President Ronald Reagan popularized the phrase “trust but verify.” The maxim is pithy and oft-quoted, but for companies looking to mitigate risk and financial fraud, it should be reworded slightly to “Verify and monitor continuously.”

Fraud is often hard to detect—the Association of Certified Fraud Examiners (ACFE) estimates that the average fraud goes undetected for years. Some of the largest and most damaging frauds, including those of Bernie Madoff and Allen Stanford, spanned a decade or more. Fraud is also costly; it is estimated that U.S. businesses lose 7% of annual revenues to fraud, and it is responsible for one out of three business failures. The financial implications of fraud are bad enough, but reputational damage can be equally harmful.

Fraud is a potential danger for companies in all industries. In a survey my firm conducted in 2012, nearly 40% of private equity firms said they had experienced fraud. The statistics are sobering, but there is much that companies can do to protect themselves.

The biggest trend we are seeing is that corporate boards are implementing a tip line, which is a great way for employees and others to anonymously report wrongdoing. ACFE studies show 42% of frauds are uncovered through hotlines. You want employees to come forward and tell you what is wrong, giving CEOs a chance to fix it. The average EEOC complaint costs between $50,000 and $100,000 in legal fees to settle, not to mention the potential damage to morale and reputation—wouldn’t you want a heads up to fix it before it gets to that?

Instituting rigorous hiring practices, including screening temps and contract workers, is another important tool in preventing fraud. It is not realistic to have the same level of scrutiny for an entry-level employee as you would for a senior executive, but the best way to avoid fraud is by carefully culling the bad apples before they are hired.

Look for criminal or regulatory issues, limited references, job-hopping, trouble making eye contact and a pattern of lawsuits. A number of our clients have begun to ask us to vet their information technology hires. The IT department has access to the most sensitive files and so it is imperative to investigate potential hires in that department.

Every firm should also have a code of conduct, which describes the culture of a company and what is expected of each employee in terms of actions and conduct. Each company is different, but some rules are universal: sexual harassment cannot be tolerated; discrimination against anyone based on color or religion is strictly forbidden; the workplace should be free of illicit drugs and alcohol; and employees cannot accept gifts from customers or vendors. Consequences for violating any of these codes should be clearly spelled out.

A system of basic financial checks and balances is another way to protect against fraud. Even in smaller firms, the same person should not be in charge of both accounts payable and accounts receivable. Larger payments from the company should be signed by two executives. Regular meetings should be arranged with IT officials to ensure that cyber-crime is being monitored at all times.

Also, consider installing security cameras to serve as a deterrent for rogue employees.

In the wake of the Madoff scandal, the role of compliance officers has taken on greater importance. Compliance officers often have a seat at the C-level table and are valuable in helping companies to stay on the right side of regulations. As discussed, however, the best way to prevent fraud is by having several layers of protection.

Preventing fraud is an ongoing endeavor that requires a commitment to maintaining vigilance each day. Some red flags are easier to spot than others. Some of the most common “tells” of disgruntled or risky employees who may commit fraud include:

  • Living beyond their means
  • Financial difficulties
  • Too-close relationships with customers or vendors
  • Secretiveness
  • Drug or alcohol problems
  • Major stressors, like family problems, including divorce and bankruptcies

In the event that fraud is suspected, every company needs to have a playbook to help guide their actions. This should include having a process to address a tip or complaint, leveraging the expertise of investigators and attorneys and following a plan that keeps the company operating with minimum disruption.

The vast majority of companies prefer to keep things quiet and resolve matters in a private setting. No company wants to have one of its employees be the subject of a “perp walk,” where the alleged offender is shown by the media in handcuffs accompanied by police on their way to being charged.

The surge in cyber-crime is proof that fraud never truly disappears; it just changes shape and form. Therefore, it is up to each company to become a hardened target and make fraudsters want to look for an easier mark.

Charting the Rise of Ransomware

At the beginning of the year, Risk Management put ransomware at the top of the list when surveying the 2016 cyberrisk threat landscape, and these attacks have arguably come to the fore as the cyberthreat of the year, whether you measure by buzz or by increase in incidents.

Indeed, ransomware is not just grabbing headlines—these cyberattacks have quadrupled in 2016, according to a recent Beazley Breach Response Services review of client data breaches. Authorities report a similar surge at large, with the Department of Justice estimating that more than 4,000 ransomware attacks have occurred daily since the beginning of the year, representing a 300% increase from 2015.

In July and August alone, 20% more of Beazley’s clients suffered a ransomware attack than in all of 2015. While the ransoms remain low, often in the range of $1,000, the firm points out that the true costs are dramatically higher due to the extensive review of company systems and data required to ensure the malware has been removed and data is clean.

Looking at specific industries, Beazley noted a significant uptick in attacks against financial institutions in the first three quarters of 2016, with hacking and malware accounting for 39% of breaches in the sector, up from 26% in 2015. In higher education, these attacks increased from 38% last year to 46% in 2016. Hacking and malware account for a relatively steady proportion of just over half of breaches in the retail sector.

Among healthcare organizations, however, human error has spiked, with 40% of industry incidents caused by unintended disclosure compared to 28% last year.

“From what we are seeing, it appears that many hackers are finding it easier to make money by holding companies to ransom for bitcoin than through selling personal data on the dark web,” said Katherine Keefe, global head of BBR Services. “But, the persistently high levels of hacking and malware attacks of all kinds are a reminder that organizations across industries, and of all sizes, need actionable plans ready to implement when a breach occurs.”

Check out the infographic below from security intelligence firm LogRhythm for more background on the rise in ransomware, how these attacks are impacting businesses, and how businesses are responding.

[Infographic: LogRhythm, the rise of ransomware]