Quantifying Cyber Risk in Retail
Quantifying Cyber Risk in Retail
In retail, protecting customer data is more than a regulatory requirement: It is good business. Research shows that customers are willing to spend more money, and experience greater satisfaction, with retailers they believe do a good job of protecting their personal information. Additionally, with the rise of online shopping, retailers have more to lose from a disruption of those systems – loss of customers because the brand of the company could be tarnished is at risk.
But retailers have complex environments that include facilities, supply chains, payment systems, and a lot of mobile device connectivity. This makes it difficult to prioritize their security efforts. One way to do that is to quantify their data risk and give highest priority to protecting data that poses the greatest risk to the business.
The first steps in this process involve identifying cyber risks that pose the greatest danger to the business. This could include risks to systems and data. So what are the assets in retail that require the greatest protection? Most experts agree that these are the digital assets that go to the heart of retailing, things that if disrupted would impact customers, products, and transactions. Phillip Miller, chief information security officer (CISO) at Brooks Brothers, stresses the importance of basic operational data. “Underpinning all security decisions is the need to protect data from exfiltration while providing maximum flexibility for the use of that information to further the commercial goals of the retailer.”
Others in the industry, also emphasize risks associated with platforms that support a broad range of retail operations. Mazin Finjan, senior manager of security operations at Finish Line, says, “Most retailers think of cyber risk as anything impacting supply-chain security and product or marketing innovation.”
Aladdin Dandis, information security manager at Souq.com, views risk from an online-retailing perspective. He points to risks of compromised order-management systems that control pricing, cancellation, payment, returns, and refunds. However, at the top of his list is customer data. “Customer data is the highest risk through leaks, compromised accounts, spoofing, and other misuse,” he says. “This is high risk when compromised accounts use the same credentials in social media and other retail websites.”
Javier Garcia-Romanillos, information security officer at Carrefour Spain, agrees that customer data presents the greatest risk to the business, but for different reasons. “The greatest risks are customer data and availability of online selling platforms,” he says. “The risk around customer data is now enhanced by the use of big data. Retail has significant information about customers, from interests to habits and economic situation. Any data loss or leakage is a significant risk. Online presence is also quite important. The online platform needs to be available 24/7. If it is not, customers will go elsewhere.”
It’s also important to classify assets with risk in mind. “Data classification provides guard rails for what level of security must be in place,” Miller explains. “Sensitive data, customer information, and datasets with contractual or regulatory needs for protection will have the strictest governance. Increasingly it is possible to apply high standards, encryption, data-loss prevention and zero-trust principles to more data types as the costs for doing so fall.”
Garcia-Romanillos points out that data classification is not always so easy. “In retail there is still a lot of work and awareness needed around the data and its importance,” he says. “Even the ownership is sometimes questioned across the organization because depending on the moment, the information may be owned by one department and afterwards transferred to another department. That said, some information is easily classified, but some is quite difficult to assign a risk level. That is why the role of data officer is so important.”
Finjan notes that risk classification has business implications. “Accepting risk and the risk model is a business decision and therefore you have to explain what the risk landscape is and how much risk your decision-makers are willing to accept.”
Retailers use a number of approaches to quantifying risk. As Finjan explains, many consider potential lost revenue. “Depending on the business model, most retailers look at data risk in terms of revenue loss,” he says. “Whatever impact it will have on revenue is added to a list of short-term or long-term mitigation strategies.” Garcia-Romanillos says that a standard framework can be helpful in quantifying risk. “Quantifying cyber risk is difficult and requires some time and effort across all the organization. The best method is to perform risk analyses by processes using best practices and methodologies such as ISO 27000.” Aladdin Dandis, considers a number of factors. “We do internal analytics to assess the exposure, and we look at other factors including fraud detection, threat intelligence, and other data.” Establishing a risk framework that incorporates all of these components is critical and then leveraging tools that support a risk scoring model allows security teams to communicate with retail business executives in terms they can understand.
Miller points out that there are a number of use and regulatory considerations that go into quantifying risk. “In addition to regulatory and compliance-driven classification, we will examine levels of access needed [public, private, department, or individual] and also consider retention needs. For instance, data that sits at rest for a long time is more likely to become unprotected as improved security controls are harder to apply retroactively. Similarly departments with high turnover, or data with access by many external parties, have elevated risk profiles and require more frequent validation. Finally, databases with direct connection from a user or administrator require the use of managing and tracking privileged access techniques to mitigate the risk of hijacked credentials.”
Wolf Halton, principal security engineer at US Bank, says that quantifying risk depends on a risk assessment that must address six fundamental questions: Who? What? Why? When? Where? How? More specifically:
- Whose data or possessions are exposed: company, customer, vendor, prospects? Is there a personal safety dimension to this risk?
- What data is exposed: personal-identifiable information (PII), credit card information, company confidential? What physical objects are targeted?
- Why is the data or physical object at risk?
- When is the data or objects at risk? Is there a time frame when the data is more at risk?
- Where in the customer/transaction lifecycle does the risk appear? Are there physical locative factors to the risk?
- How does an unauthorized access take place? Is there a place in the processes or procedures where the data is most at risk?
Every retail organization will need to assess and score its cyber risk in the context of its own business model. Nevertheless, quantifying cyber risk is an essential step in prioritizing remediation efforts in a way that provides maximum business benefit.
- “Depending on the business model, most retailers look at data risk in terms of revenue loss.”
- “You have to explain what the risk landscape is and how much risk your decision-makers are willing to accept.”
- Data classification provides guard rails for what level of security must be in place. Sensitive data, customer information, and datasets with contractual or regulatory needs for protection will have the strictest governance.
- Quantifying cyber risk is difficult and requires some time and effort across all the organization. The best method is to perform risk analyses by processes using best practices and methodologies such as ISO 27000.