The story about cybersecurity this summer was supposed to be all about how prepared retailers are for the point-of-sales transition to EMV-enabled credit cards, a step up from the magnetic-strip cards that are so vulnerable to hackers.
Then in July, first CVS, then Costco, Walmart Canada, Sam's Club, Walgreens, Rite Aid and Tesco and other U.K. retailers, to name a few, all reported possible security breaches at their photo sites. The retailers’ photo operations had a common vendor, PNI Digital Media, which is owned by office-supplies retailer Staples.
The problem underscored a nerve-racking truth: When it comes to cybersecurity, a retailer is only as secure as its least secure vendor.
EMV is a limited solution
Savvy retailers and their IT departments already know this, but it may be worth repeating: the switch to EMV is an extremely limited solution to the reality of today’s cybersecurity risk.
For one thing, the move to EMV and its ability to stymie some number of hackers will likely result in thieves heading to where the metaphorical broken windows and doors ajar are found — online.
The United States is the last developed country to switch to EMV, and the experience of every place that has it is that online fraud has grown, experts say.
"Fraud doesn't go away, it just goes somewhere else, and that somewhere else is always online," cybersecurity expert Brian Krebs told Creditcards.com. "The thieves can still steal the card number and expiration date, which still can be used online. So that's generally what will happen. We'll see a pretty big uptick in card-not-present fraud."
And it’s not just the hackers. Everyone — retailers included — is moving more and more online for a variety of tasks and activities. For retailers, it’s not just the very real matter of boosting their e-commerce and their mobile capabilities, but also increased use of connected devices, the cloud, and social media.
The one factor that makes the biggest difference
Retailers that are most advanced in terms of cybersecurity, and most cognizant of the impact of third and even fourth parties on their own security, are those that have moved responsibility for the issue to the top, Stephen Boyer, co-founder and CTO of BitSight, told Retail Dive.
“You have to have high-level executive involvement because that opens up the budget and the resources,” Boyer says. “It’s not going to have the impact if it rests with the IT group. They can’t do more with less. The security performance is really a byproduct of the culture — they set the tone high up, and they set the budget, and that’s where we’re seeing the attitude change.”
The forgotten layer
A significant number of the 40 banks surveyed by the New York State Department of Financial Services don’t make basic requirements of their third-party vendors to help assess the risk and prevent breaches. Yet, Boyer says, financial service institutions are among the best prepared to deal with this issue because they’ve been working on it since at least the Clinton Administration.
A third of those banks don’t require their third-party vendors to notify them of a breach, fewer than half do any on-site assessments of those vendors, some 20% don’t require documentation of the security steps those vendors do take, and just a third say that any requirements they do make are extended to fourth-party vendors — their vendors’ vendors — according to the NYDFS survey.
Yet those are the kinds of steps and requirements that are crucial for retailers to take if they’re going to keep their fingers in any holes in the cybersecurity dike.
“It only takes one gap, it only takes one hole,” Boyer says. “You can have a lot of locked doors but — one window’s open and you have a problem.”
Retailers and their security teams will likely need to get used to doing more checks on more vendors, establishing relationships with vendors that include regular communication about security, and, in some cases, that means site visits.
“You don’t want these to be adversarial relationships. But when you think about PNI Digital Media, they should have been examined by lots of those retailers, lots of those groups should have been looking in on them,” Boyer says. “That’s where we’ll see the trend. They’ll be more scrutinized, they will need more insurance. They should have lots of eyes on them.”