Guest Column | January 29, 2014

7 Questions Retail Executives Need to Ask Their IT Department About Security

Kurt Groth Bager, CEO, Netop

By Kurt Groth Bager, CEO, Netop

As senior managers, we’re tasked with overseeing initiatives that drive innovation and growth, defining and setting the direction of the company, hiring the right people to execute the overall vision and being champions for the business’s products and services. Together, our actions and decisions are designed to influence product development, sales, operations, competitive positioning, company reputation, and, if publicly traded, stock performance.

If a particular business unit or function isn’t performing as expected, or their actions have an adverse effect on operations, ultimately, the responsibility falls on senior management. For example, if the marketing department releases an ad campaign that is in poor taste and draws unwanted criticism, blame ultimately lies with company executives - a staff member may be reprimanded too.

Now consider the recent security breaches at two major U.S. retailers. Leveraging loopholes, hackers were able to exploit vulnerabilities that resulted in tens of millions of compromised consumer credit and debit cards. These activities resulted in more negative press than Target or Neiman Marcus could ever want and the long-term impact is still uncertain. "Target violated a bond it built with the customers over many years," said Brian Sozzi of Belus Capital Advisors in an article that appeared on CNN Money. "It's going to take a while to gain that trust back."

In addition to disrupting customer trust, security breaches can also impact a company’s market value. According to Dr. Lawrence A. Gordon, Professor of Managerial Accounting and Information Assurance at the Robert H. Smith School of Business, “research shows that a large data breach can drive a 4 percent to 5 percent drop in market capitalization.”

When evaluating security strategies, retailers need to take into consideration the long-term repercussions that a breach could have on their business and customers. Given these incidents, and others throughout the years, this should come as no surprise. What may not be so clear is that responsibility should not fall entirely on the IT department. When it comes to security, senior management must be proactive in overseeing policies and procedures designed to protect company and customer data.

But with no formal technical background, where do you begin? How can you, as a retail executive, have a greater influence on IT security decisions made within your organization?

Asking your IT department these 7 questions will help you get a better understanding of whether or not your company’s security is sufficient.

What’s the status of your audit?

As a retail operation, your company must adhere to the rules and regulations outlined by the PCI Security Standards Council. Requirements encompass everything from restricting physical access to servers to encrypting data. You should know the last time the company was audited, if the audit was conducted internally or externally and if your company passed or failed. The answers you receive will likely lead to more questions which, given your role, you should hone in on.

Who has access to your company’s technology assets?

Aside from individual employees accessing their own laptops and desktops, generally this will include technical support staff and IT administrators. What’s important to determine is who has access to key company assets like servers or point-of-sale terminals, where sensitive customer data is stored. Knowing which employees are authorized to access equipment will provide a short list of people who may have answers should an incident occur.

What control mechanisms are in place?

When signing on to machines, particularly those that process customer transactions, you want to know that your company has defined user permission levels and that they are using multi-factor authentication. The IT department may feel multi-factor authentication slows their ability to resolve support issues but, according the Verizon’s 2013 Data Breach Investigations Report, up to 80% all attacks could be deterred simply by having stronger passwords. Your company should have policies in place that define password complexity, require passwords be updated on a regular basis and keep shared passwords to a minimum.

Is your data encrypted?

This ties into PCI requirements, but you want to understand if and how your data is encrypted when communications are exchanged between two machines and when they are accessed by someone in your IT department. The industry standard for high security encryption is 256 bit AES and, as a retailer, it’s best to have this level in place.

Can we audit session activity?

When the IT staff performs maintenance or the accounting department pulls reporting data from servers and POS devices, you want to confirm that their activities can be reviewed and audited. Today, tools like Netop Remote Control are equipped with built-in auditing capabilities that not only track session activities but can also provide video recordings that can be reviewed as needed. If something goes wrong, you want to know who accessed what machine and what actions took place. When auditing is in place, you can easily review logs and identify suspicious activities.

Do third parties access your equipment?

Between consultants, device manufactures and other service providers, most businesses today require assistance from outside vendors to help maintain equipment and ensure uptime. Even though only a small percentage of attacks are related to partners they should be treated like internal staff. You should know what policies and control mechanisms are in place to grant access, define permissions and monitor activity. It’s also wise to have a contract that specifically outlines certain indemnifications with each contractor.

Where are the loose ends?

Did you know that your company’s HVAC systems, security cameras and building access solutions likely all connect to the Internet? In this “Internet of Everything” world we live in, there are more devices connected to the Internet than ever before. Each connection can create a potential vulnerability where a hacker can gain access to more sensitive systems. As a retail executive, you want to make sure your security plans encompass every system or device that could expose your company. Approaches could range from preventing these devices from being found on the public Internet, to creating separate zones so that even if your HVAC system were hacked, a server containing retail transaction data would be unreachable.

While the recent news about Target and Neiman Marcus represent high profile security breaches – ones that have caused untold financial damages – the reality is that any security breach can be expensive. According to the 2013 Global Corporate IT Security Risks survey, the average cost incurred by large companies in the wake of a cyber-attack is $649,000.

As a senior manager, you have the responsibly to protect your business from these types of attacks. Fortunately, you don’t have to have a master’s degree in computer science to influence your company’s IT security. With a little insight, and by asking the right questions, you can help your company avoid embarrassing mistakes and financially damaging security breaches.

About The Author

A seasoned executive in the IT industry, Mr. Bager has served in leadership roles within several multinational corporations. Since 2008, Mr. Bager has been as CEO of Netop where he has been responsible for implementing new strategies and internal processes, introducing organizational changes and launching new products. Mr. Bager is an electrical engineer and also holds a Bachelor of Commerce degree in management studies, management and co-operation and public economics.