Tackling the insider threat in the retail industry
The retail sector in the UK is thriving. Three million people work in the industry in the UK, which adds up to around one in ten of the working population. There are almost 300,000 retail outlets in the UK, generating a massive £3.5 billion of retail sales, which amounts to 5% of total UK GDP.
Such a large economic powerhouse provides a very tempting target to cyber criminals looking for enterprises that they can hack into to steal money or, more likely, information on corporate or customer identities and bank payments details.
The weakest link
Along with many other industries, the retail sector has been taking increasing steps to harden its corporate security perimeter against the cyber threat, with the routine use of anti-virus software and firewalls. The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals have combined to produce a new point of attack, focussing on the weakest link in the corporate security chain, human beings rather than technology.
So-called “social engineering” relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is the art of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical hacking techniques.
The retail sector is especially vulnerable to this trend: its army of potentially vulnerable employees and its large customer databases both provide a very tempting target for hackers. A large and diverse employment base, with wide variation in working hours and practices, can make it an easy target for the growing number of cyber criminals looking to get around corporate security perimeters through social engineering.
Preventing the insider threat
The trade charity retailTRUST aims to improve the wellbeing of employees in the retail sector, providing advice and support to both them and their employers. They have recently begun to tackle these new threats to their employees and those they work to support in the sector, by implementing a leading-edge behavioural threat monitoring solution to trace and track suspicious activity on their own IT networks.
Having reviewed its current security measures, retailTRUST has seen benefit from both the organisation and employee perspective in implementing a behavioural threat monitoring solution to protect both the employee and the company from becoming the victim of a cyber attacker.
A successful cyber attack will have negative consequences for the employee as well as the company, even if no fault is attributed. The business will suffer financially and could even go out of business, with the employee losing their job as a result.
If the employee has been merely negligent, then this might well have disciplinary consequences in accordance with their terms of employment. High level protection will help to prevent this negligence from happening or spot it quickly and minimise the consequences.
Monitoring solutions can trawl a network and provide hard evidence of both current and backdated suspicious or unauthorised activity. This comprehensive data trawl will catch the guilty, but will also provide grounds to clear someone who has been falsely accused without proper evidence.
Guide to Tackling the Insider Threat: advice
The British Retail Consortium has also taken steps to help retailers counter the social engineering threat by publishing its Guide to Tackling the Insider Threat. This includes the following advice:
Understand all access points into the business’s IT system – A comprehensive risk assessment of the insider threat to your business should include an examination of all the access pathways to your systems: wired networks; wireless; Bluetooth; USB and other removable storage; software; VPNs and mobile devices. Access to databases poses particular risks in terms of data breaches.
Put in place extra controls on access to your business’s most sensitive data – Protect the most critical files or sensitive data from modification, deletion or download. Only members of staff who absolutely need access to these files should be given it. Most insiders steal intellectual property using authorised access, but in some instances the member of staff involved may have had a higher level of IT access than they actually required to do their job.
Strictly control the use of removable storage devices and downloads – Removable storage devices are an easy way in which a malicious insider can copy valuable or confidential data. Consider what removable devices are required by your business and specify how they can be used. Prevent sensitive data from being transferred to removable devices altogether and only allow data transfers to be carried out at particular workstations, by approved staff members.
Put in place activity monitoring systems and logs to identify suspicious activity – There is a huge range of software products available to allow automated monitoring of discrepancies in day-to-day IT activity. Such monitoring should allow you to track and create logs of activity such as staff access to databases, data usage, use of encrypted sessions, use of removable media, e-mail traffic and attempts to connect to VPNs.
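As an added illustration of the removable-media and activity-monitoring advice above (example code written for this page, not tooling from the BRC guide, retailTRUST or Transputec), the following Python script parses a handful of constructed audit-log lines and applies three simple insider-threat rules: removable-media writes outside the approved workstations and staff, bulk database reads above an hourly baseline, and out-of-hours or repeatedly failing VPN attempts. The log format, the approved hosts and users, and the thresholds are all assumed values for the example.

```python
"""Toy insider-threat log review (added example; the log format, policy
constants and sample events below are constructed for illustration)."""
from collections import defaultdict
from datetime import datetime

# Assumed policy values for this example, not figures from the BRC guide.
APPROVED_TRANSFER_HOSTS = {"WS-TRANSFER-01"}  # workstations where removable-media writes are allowed
APPROVED_TRANSFER_USERS = {"jsmith"}          # staff approved to carry out such transfers
BULK_ROW_THRESHOLD = 1000                     # database rows read per user per hour before alerting
BUSINESS_HOURS = (7, 20)                      # VPN connections expected between 07:00 and 20:00
VPN_FAILURE_THRESHOLD = 3                     # failed VPN attempts per user before alerting

# Constructed audit log in a simple "timestamp key=value ..." format.
SAMPLE_LOG = """\
2023-05-01T09:12:44 user=jsmith host=WS-TRANSFER-01 event=usb_write path=reports/q1.xlsx bytes=204800
2023-05-01T09:30:10 user=amay host=WS-TILL-07 event=db_read table=customers rows=120
2023-05-01T09:41:52 user=amay host=WS-TILL-07 event=db_read table=customers rows=950
2023-05-01T21:15:02 user=amay host=WS-TILL-07 event=usb_write path=customers/export.csv bytes=52428800
2023-05-01T23:02:11 user=rkhan host=remote event=vpn_connect result=fail
2023-05-01T23:02:40 user=rkhan host=remote event=vpn_connect result=fail
2023-05-01T23:03:05 user=rkhan host=remote event=vpn_connect result=fail
2023-05-02T10:05:00 user=lchen host=WS-HQ-03 event=db_read table=customers rows=40
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review(log_text):
    """Apply the three rules and return a list of (rule, user, detail) findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    rows_per_user_hour = defaultdict(int)   # (user, "YYYY-MM-DDTHH") -> rows read
    vpn_failures = defaultdict(int)         # user -> failed VPN attempts
    out_of_hours = set()                    # (user, date) seen connecting outside business hours

    for e in events:
        if e["event"] == "usb_write":
            # Rule 1: transfers only from approved workstations by approved staff.
            if e["host"] not in APPROVED_TRANSFER_HOSTS or e["user"] not in APPROVED_TRANSFER_USERS:
                findings.append(("removable_media_policy", e["user"],
                                 f"{e['path']} written on {e['host']} at {e['ts'].isoformat()}"))
        elif e["event"] == "db_read":
            # Rule 2 accumulates rows per user per calendar hour.
            rows_per_user_hour[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))] += int(e["rows"])
        elif e["event"] == "vpn_connect":
            # Rule 3: note out-of-hours attempts (once per user per day) and count failures.
            if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
                out_of_hours.add((e["user"], e["ts"].date().isoformat()))
            if e.get("result") == "fail":
                vpn_failures[e["user"]] += 1

    for (user, hour), rows in rows_per_user_hour.items():
        if rows > BULK_ROW_THRESHOLD:
            findings.append(("bulk_database_read", user, f"{rows} rows in hour {hour}"))
    for user, day in sorted(out_of_hours):
        findings.append(("out_of_hours_vpn", user, f"VPN connection attempts on {day}"))
    for user, n in vpn_failures.items():
        if n >= VPN_FAILURE_THRESHOLD:
            findings.append(("repeated_vpn_failures", user, f"{n} failed attempts"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:24} {user:8} {detail}")
```

Running the script against the constructed log produces four findings: two for amay (a bulk customer-table read and a late-evening USB export from a till workstation) and two for rkhan (three failed VPN attempts outside business hours). In a real deployment the thresholds would be derived from each role's normal baseline, and findings like these would be reviewed alongside the evidence the log retains, which is the point the article makes about clearing as well as catching staff.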
Following this good advice, and making use of a good quality behavioural threat monitoring solution, can help all retailers to reduce their exposure to the growing tide of cyber crime and at the same time protect their employees against the impact of such security breaches.
Sonny Sehgal
Head of Cyber Security at Transputec