Report from NRF: Protect the ‘Crown Jewels’

Jan. 15, 2015

While retailers are mainly focused on selling their goods and services, a year of high-profile data breaches—many of them perpetrated through malware installed on retailers’ POS systems—has left them painfully aware of their growing vulnerability. A popular session this week at the National Retail Federation’s Big Show in New York City examined the current cyber threat landscape and offered some advice on how to protect the brands they have worked hard to establish.

Unlike the breaches of the distant past, where the hackers had to be physically close to the data to retrieve it, malware and bots can now be purchased cheaply and launched from anywhere in the world. And the tight-knit community of hackers even gives each other support and shares knowledge, said Paul Kleinschnitz, senior vice president and managing director of the cyber-security solutions team at First Data.

“It’s unfortunate that the criminal element is unbelievably good at collaboration,” Kleinschnitz said. “There’s schooling, there are forums, and there are black markets where you can buy good, recent malware for maybe $1,000. Cybercrime has now surpassed any other criminal activity, including the drug trade, in terms of profitability.”

It’s important for retailers to understand the threat is evolving ahead of the defense, according to Erin Nealy Cox, executive managing director of digital forensics company Stroz Friedberg. Leadership must be made to understand the scope of the risk, and become as comfortable discussing security risk as they are discussing financial risk. Mike Weatherford, principal of the Chertoff Group, agreed that hard choices need to be made.

“Don’t focus on perimeters,” said Weatherford. “What I would say to any executive is understand and hone in on what are your ‘crown jewels.’ Once you understand what that is, you have to consolidate that to as few places as possible and you have to devalue or de-risk that data [using encryption and tokenization]. Because the reality is, you’re not going to prevent a breach. But you can prevent hackers from stealing anything useful.”