In 2011, US email marketing supplier Epsilon fell victim to one of the biggest digital security breaches in US history. At risk in the cyber attack: millions of pieces of customer data from companies including Hilton Hotels, Best Buy, Barclaycard US and Capital One.
The incident was not a one-off. Ever since companies began storing reams of digital data, hacking and security breaches have hit the headlines, rocking global brands from Google to retailer TJX. When a hacker broke into Sony’s PlayStation video game online network last April and stole the names, addresses and possibly even credit card details of 77 million people, Sony’s share price plummeted by 55 per cent.
“Attacks can happen to everyone,” says Neil Jarvis, Global Head of IT Security, IT Risk and Business Continuity at DHL Supply Chain. Businesses are starting to recognize this. In Ernst & Young’s 2011 Global Information Security Survey, 72 per cent of respondents reported seeing an increasing level of risk due to increased external threats. Yet despite this, 51 per cent said their information security function wasn’t meeting the needs of their organization.
In the past, information security was often viewed as the preserve of financial services companies holding sensitive data. But with the rise of store cards and online retailing, any consumer brand with a transactional function now holds more data on customers than ever before. In fact, retailers are some of the most at risk. “If you think about it, people are going through their stores swiping their credit cards all day long,” says Paul Bantick of insurance firm Beazley.
Add to that the fact that many e-tail sites store customer credit card details to create an easier shopping experience, and you can see why hackers see retail as a playground. In 2007, US retail giant TJX revealed that up to 45.7 million credit and debit card details had been stolen. Six people were charged in connection with using credit card numbers from the breach to buy more than US$8 million in goods.
While the TJX and Sony cyber thefts were the work of outsiders, some of the biggest threats to information security can come from within. A report by Verizon and the US Secret Service suggested that 48 per cent of security breaches originate from within an organisation.
“Insider jobs are always a big risk, and that’s never going to change,” says Jarvis. “But you can take steps to protect yourself.” A rigorous screening process including psychometric testing and reference checking can help keep out potential risks, as can disseminating information on a strictly ‘need to know’ basis, limiting the number of people who have access to data. IT should work with HR to make sure that security settings are changed the day someone leaves a company, not weeks afterwards.
Strict data protection legislation already exists in the US, and the European Commission has recently announced a major reform of the EU legal framework on the protection of personal data – so not taking information security seriously is no longer an option. “You need to think about what the risk appetite of your organization is,” says Jarvis. “You need to balance risk and cost, and balance the impact of a breach against the cost of mitigating.” In September 2011, Sony created the post of chief information security officer, recruiting a former official at the U.S. Department of Homeland Security, Philip Reitinger. “Certainly the network issue was a catalyst for the appointment,” a Sony spokesman said at the time. Other companies are appointing a security officer to the executive ranks, or including responsibility for data security in a beefed-up, centralized risk function.
“Supply chain organizations still seem to think that they’re not targets,” says Jarvis. “But it doesn’t matter if you’re a ‘classic’ target or not – if you expose vulnerabilities, hackers will come and have a go at you. If you don’t, they won’t.”