By Gijo Mathew
Today’s retailers face many risks — from increasing competition and rising costs, to a continuing economic slump that’s making consumers reluctant to spend. However, topping the list of concerns for many retail organizations is the loss of customer credit card information, and the fraud that can result.
Few in the retail industry are likely to forget the theft two years ago
of more than 45 million credit card numbers from the giant discount
retailer TJX Cos (parent company of Winners). Numbers like that attract
the attention of the media, regulators, lawmakers and lawyers, and TJX
and its subsidiaries have been dealing with the monetary, legal and
reputational impact ever since.
While much of the focus within the retail industry has been on
protecting customer information, organizations face risks around the
protection and control of all intellectual property, including
sensitive corporate information. In many cases these types of losses or
misuses go unreported, but have a lasting negative impact on the
How is data lost?
In many organizations, people don’t know where sensitive data resides,
what data is considered sensitive, or to which compliance and
regulatory requirements their organizations must adhere. Educating
users is essential for protecting and controlling information,
preventing data loss and curtailing fraud.
The good news is, technology now exists to educate users, and to
protect and control information in an effective and efficient manner.
Surprisingly, most data loss — 70 to 80 percent of insider loss —
results from simple human error: lost laptops and USB keys, and
misdirected emails. These losses are possible because most of the data
that goes missing has first been "spilled" out of controlled
applications like payment, ERP (Enterprise Resource Planning), HR
(Human Resources) and CRM (Customer Relationship Management) systems
onto unstructured and uncontrolled channels such as laptops, removable
media and email. Unfortunately, the collaboration and productivity
technologies upon which organizations increasingly rely, email and USB
keys among them, are also the main enablers of data loss.
How can we prevent data loss?
Most organizations don't know what data they have, and they need a
better way of finding sensitive data across the organization.
Discovering and understanding what critical data a retail organization
retains is the first step in data loss prevention (DLP). Some
enterprise DLP solutions provide this discovery capability today, but
they vary widely in scalability and accuracy. Identity-driven DLP tools
can help find and manage sensitive information throughout the
organization.
Creating internal policies and educating users is the next step. The
key is to pair education with technology so that users are made aware
of a policy violation at the moment a potential incident occurs. An
effective DLP solution needs to offer a range of actions, not just
block or monitor. In most situations a deterrent action such as a
warning is enough to strike the balance between risk reduction and
business enablement. For example, warning a user as they click the send
button on an email that contains cardholder (PCI) data educates the
user and lets him or her correct the potential violation before it
happens. This prevents users from inadvertently losing or misusing
data, and teaches them the security and data-use policies at exactly
the time they need to know and understand them.
Finally, retail organizations can implement more effective controls on
their data by using tools that process more than content alone.
Concept-, context- and identity-aware DLP solutions are needed to
understand and act on how sensitive data is actually used in the
organization. Knowing when, where, how and by whom data is being used
allows retailers to create precise and specific policies. Without
understanding the context of an organization's data use it is
impossible to create the appropriate policies, or to staff the
controls, with minimal cost and burden to the organization.
For example, an HR administrator in the organization might have
legitimate business reasons to send sensitive personal information, but
there would be no reason for an IT administrator to do the same. A deep
understanding of the content and context of data transactions will help
a business meet the organizational needs around managing information
loss, fraud or misuse.
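The two ideas above, a deterrent "warn at send time" action rather than a plain block, and a policy that combines content with context (internal or external recipient) and identity (the sender's role), can be shown together in one small outbound-mail decision routine. The code below is an added illustration and is not from the article or from any vendor's DLP product. The internal domain `retailer.example`, the role names `hr_admin`, `payments_analyst` and `it_admin`, the `ROLE_MAY_SEND_EXTERNALLY` table and the sample messages are all constructed for the example; the only standard it relies on is the Luhn mod-10 checksum, which both payment card numbers and Canadian Social Insurance Numbers use and which removes most random digit runs (order numbers, phone numbers) from the matches.

```python
"""Identity- and context-aware DLP decision for outbound email (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed: mail addressed to this domain stays inside the company.
INTERNAL_DOMAIN = "retailer.example"

# Content detectors: candidate digit runs with optional space/dash separators.
# Order matters: the longer card-number pattern runs first and its matches are
# blanked out before the 9-digit SIN pattern is applied.
DETECTORS = (
    ("pci", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),       # 13-19 digit card numbers
    ("pii", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")),  # 9-digit Canadian SIN
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict[str, list[str]]:
    """Map content class ('pci', 'pii') to the Luhn-valid values found in text."""
    hits: dict[str, list[str]] = {}
    scrubbed = text
    for cls, rx in DETECTORS:
        values = [re.sub(r"[ -]", "", m.group(0)) for m in rx.finditer(scrubbed)]
        values = [v for v in values if luhn_ok(v)]
        if values:
            hits[cls] = values
        # Blank what this detector matched so a card number is not re-read
        # as a SIN by the next, shorter pattern.
        scrubbed = rx.sub(lambda m: " " * len(m.group(0)), scrubbed)
    return hits


@dataclass
class Message:
    sender: str
    sender_role: str            # assumed to come from the identity directory
    recipients: list[str]
    body: str
    acknowledged: bool = False  # user confirmed an earlier warning on this draft


# Identity part of the policy (constructed): roles with a business reason to
# send a given content class outside the company. Everyone else is blocked.
ROLE_MAY_SEND_EXTERNALLY = {
    "hr_admin": {"pii"},
    "payments_analyst": {"pci"},
}


def decide(msg: Message) -> tuple[str, str]:
    """Return (action, reason); action is one of allow, monitor, warn, block."""
    hits = classify(msg.body)
    if not hits:
        return "allow", "no sensitive content detected"
    classes = ", ".join(sorted(hits))
    external = [r for r in msg.recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        # Context: stays inside the company. Record for audit, do not interrupt.
        return "monitor", f"{classes} sent internally; logged for audit"
    allowed = ROLE_MAY_SEND_EXTERNALLY.get(msg.sender_role, set())
    disallowed = sorted(c for c in hits if c not in allowed)
    if disallowed:
        return "block", (f"role {msg.sender_role} has no business reason to send "
                         f"{', '.join(disallowed)} to {', '.join(external)}")
    if msg.acknowledged:
        return "allow", f"user confirmed sending {classes} externally; logged"
    # Deterrent action: educate at the moment of the potential violation and let
    # the user fix the draft; resubmitting with acknowledged=True lets it go out.
    return "warn", (f"draft contains {classes} addressed to "
                    f"{', '.join(external)}; confirm or remove it before sending")


if __name__ == "__main__":
    # Constructed sample drafts, mirroring the HR-admin versus IT-admin case.
    drafts = [
        Message("hr@retailer.example", "hr_admin", ["payroll@vendor.example"],
                "Starting new hire, SIN 046-454-286"),
        Message("it@retailer.example", "it_admin", ["me@mailbox.example"],
                "backup of cards: 4111 1111 1111 1111"),
        Message("it@retailer.example", "it_admin", ["ops@retailer.example"],
                "order 123456789 failed, card 4111 1111 1111 1111 declined"),
    ]
    for d in drafts:
        print(d.sender_role, "->", decide(d))
```

The three drafts produce warn (HR administrator, legitimate role, confirmation requested), block (IT administrator sending a card number to an outside mailbox) and monitor (the same card number sent internally, logged but not interrupted); the 9-digit order number in the last draft fails the Luhn check and is not treated as a SIN.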
To reduce the risk of fraud, retail organizations need to implement a
DLP solution that is identity based, modular and accurate. Without
this, retailers will be unable to effectively protect an ever-growing
set of business critical information, leaving themselves and their
customers vulnerable to fraud.
Gijo Mathew is vice-president of security management at CA Inc.