When discussing regulatory requirements in relation to cyber-security in the retail industry, many automatically think of the Payment Card Industry Data Security Standard (PCI DSS). However, with the impending EU General Data Protection Directive (GDPR) set to come into force in 2018, many retailers are now faced with the challenge of ensuring that they'll meet the latest requirements in how they capture, store, transmit and process all customer and staff data, not just payment card data.
What effect would the EU GDPR have on the retail industry?
For customers and staff, the EU GDPR has clear advantages: greater transparency in how data is being used, the ability to access the data, make changes or delete it, and the right to know if their data has been hacked or breached. Yet for merchants, retailers and their suppliers and partners, greater onus is placed on them to protect the data.
If the potential damage to customer relationships and brand reputation wasn't incentive enough to meet the new standards, any large organisation that falls short could be hit with fines of up to four percent of global turnover. This means corporations handling consumer data on a large scale, such as retailers, could face fines running into billions if they are deemed not to have done enough to prevent a leak.
But as organisations batten down the hatches and build a fortress around the sensitive customer data they hold, many are only considering the risk of data being breached by external threats. What if the real risk to your customer data actually comes from those who are inside the fortress already?
The Insider Threat
Simple human error remains the biggest cause of a data breach. While these incidents are often the result of accidents such as emailing the wrong recipient, many breaches come from a concerted effort to steal data and make a profit or harm the company. Take last year's case of an internal auditor from the supermarket chain Morrisons, who faced charges for purposefully leaking the bank, salary and National Insurance data of 100,000 staff, leading to a class action lawsuit from those affected.
One of the most effective ways to mitigate the threat of insider theft is by ensuring users only have as much access as they require for their job function. The fewer people that can access the data, the lower the chance of it being inappropriately used, as well as making it less likely to be accidentally leaked.
Unfortunately, many organisations, including large corporations, still do not follow best practice on user access. Windows Active Directory, the native tool that governs user access assignment, can be cumbersome to use, especially when large numbers of staff are joining or moving at once, such as during projects or due to M&A activity. As a result, many system administrators find proper due diligence in access management too time-consuming, and there is a dangerous trend to give all users admin access by default. Surprisingly, large companies still have little idea what information their staff can access, and rarely rescind access once granted, even when someone has left the organisation.
Don't make assumptions
Insider leaks can be particularly difficult to guard against because the perpetrator is usually legitimately cleared for access as part of their job role. Senior employees are especially difficult to catch, as they may be the ones trusted with oversight to start with.
A study from PwC this year revealed the trend for “silver fraudsters” – older, senior staff members in trusted positions. The research found half of the instances of company fraud were committed by staff aged over 40, with the number carried out by staff over 50 shooting up from six percent to 18 percent in two years.
To address this, firms should ensure they have systems in place to alert them whenever key files or folders are accessed. More advanced access rights management systems can send real time alerts specifically for when information is accessed outside of usual parameters, preventing data from being copied unobserved from remote locations or outside of office hours.
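One way to implement the "outside of usual parameters" alerting described above, as an added example that is neither the article's nor 8MAN's code: it flags access to sensitive folders outside office hours or from outside the office network. The audit record layout, office hours, office network range and folder names are all constructed assumptions.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy (constructed values): usual hours and the office network range.
OFFICE_HOURS = (time(8, 0), time(18, 30))
OFFICE_NETWORKS = [ip_network("10.20.0.0/16")]
# The "key files or folders" to watch; constructed paths for this example.
SENSITIVE_PREFIXES = (r"\\fs01\hr\payroll", r"\\fs01\finance\bank")

# Constructed audit records in an assumed "timestamp|user|source_ip|path|action" layout.
AUDIT_LOG = r"""
2017-03-06T09:12:41|alice|10.20.3.15|\\fs01\hr\payroll\march.xlsx|read
2017-03-06T23:47:02|bob|10.20.3.22|\\fs01\hr\payroll\march.xlsx|copy
2017-03-07T10:05:19|carol|203.0.113.7|\\fs01\finance\bank\staff_accounts.csv|copy
2017-03-07T11:30:00|dave|10.20.4.8|\\fs01\marketing\brochure.pdf|read
"""

def parse_record(line):
    """Split one audit line into a dict with typed timestamp and source address."""
    ts, user, src, path, action = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ip_address(src), "path": path, "action": action}

def reasons_for_alert(rec):
    """Return the policy deviations for one record (empty list means no alert)."""
    if not rec["path"].lower().startswith(SENSITIVE_PREFIXES):
        return []                      # not a key folder: nothing to raise
    reasons = []
    start, end = OFFICE_HOURS
    if not (start <= rec["ts"].time() <= end):
        reasons.append("outside office hours")
    if not any(rec["src"] in net for net in OFFICE_NETWORKS):
        reasons.append("from outside the office network")
    return reasons

def find_alerts(log_text):
    """Return (user, path, reasons) for each sensitive access outside usual parameters."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        reasons = reasons_for_alert(rec)
        if reasons:
            alerts.append((rec["user"], rec["path"], reasons))
    return alerts

if __name__ == "__main__":
    for user, path, reasons in find_alerts(AUDIT_LOG):
        print(f"ALERT {user} accessed {path}: {', '.join(reasons)}")
```

In a real deployment the records would come from file server audit events rather than an embedded string, and the alert would be delivered in real time rather than printed.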
Poor access rights management leaves an organisation open to malicious activity from an insider, with valuable information stolen for sale to criminal gangs or rival organisations, or posted online purely to harm the company. While accidents are always possible, organisations need to ensure they have safeguards in place to make it harder for mistakes to happen, as well as training to raise awareness of the consequences of a leak. Having an executive or department charged with data protection provides a useful focal point, but the entire company must be aware of the risks and of their own role as well.
Contributed by Jens Puhle, UK managing director, 8MAN