If opportunity makes a thief, then the internet and our increasing reliance on digital media deliver unprecedented opportunities to those with the skill and desire to break into other people’s systems.
Opportunity and means combine to create a frightening reality, as the architecture of the internet was designed to promulgate connectivity, not security.
According to a joint report by CSIS and McAfee, the estimated cost of cybercrime last year was $400 billion (equal to about 30% of Australia’s national product), and this figure continues to increase annually. A study by PricewaterhouseCoopers states that detected cyberattacks rose 48 per cent in 2014.
To respond to the threat, companies have added layers of security to keep it at bay. As the standard measures such as anti-virus software, spam filters and firewalls no longer suffice, new defensive strategies have been adopted. They include Tokenization, P2PE, cognitive mapping, biometric authentication and even going on the offensive (Active Defense).
Active Defense, an emerging proactive approach to fighting cybercriminals, consists of three levels of engagement – annoy, attribute and attack. The last of these enters murky ethical and legal waters, highlighting just how hard defending against attacks can be when you cannot even play by the same rules as your attackers.
This unfair fight costs companies dearly as well. Not taking into account losses, research firm Gartner predicts that businesses will spend almost $80 billion on cybersecurity this year and more than $100 billion by 2019.
Cybercrime evolves like a virus: perpetrators, supported by an increasingly collaborative and advanced underground community, always seem to find a way around – or through – the latest security methods. Sometimes the attacks come from within, when disgruntled current and former employees join the crowd of culprits.
Breaches, on average, last around eight months, but infiltrators can stay dormant for longer to patiently harvest information. Usually, when the breach becomes visible, the damage has already been done. Clearly, without robust proactive security measures the safety of data cannot be assured.
Retail too has been an attractive target for cybercriminals. In 2014 alone millions of records were stolen. One of the most prominent retailers hit by hackers was Target in the US, which revealed that online intruders had taken millions of digital records about its customers, including credit and debit card details. The impact on Target was devastating and it subsequently lost its chief executive Gregg Steinhafel.
Target was not alone. Luxury retail chain Neiman Marcus, craft store chain Michaels and other retailers were also discovered to have been the victims of similar attacks.
Retailers can no longer assume that their technology departments can deal with cyber security issues unaided. Of course, the techs have an important role to play but who actually defines what intellectual property and financial data is valuable to the business?
Security is something that has to be tackled by the entire organisation. It’s not just an information security issue; it has to become a standard risk management matter for the CEO and Board, who need to focus on three basic areas when planning their cyber security approach:
Retailers need to be aware that the threat will only increase. Over the next few years we can expect to see billions of new devices, from cars, store security, store air conditioning and refrigeration systems, to household appliances and medical equipment, fitted with tiny computers connected to the web.
Known as The Internet of Things, it will make it possible to remotely control appliances using smartphone apps. This in turn will create new targets for advanced cyber criminals. To put it bluntly, the Internet of Things will become the Internet of New Things to be Hacked.
As an ominous sign of things to come, not long ago Fiat Chrysler was forced to issue a safety recall for 1.4 million vehicles in the US, after tech magazine Wired reported that hackers had taken control of a Jeep Cherokee via its internet-connected entertainment system. And if major companies like Target were outsmarted by cyber criminals, what hope do small to medium sized retailers have?
Some retailers have started to work together to tackle the problem. After the Target disaster, a group of retailers including Nike, JC Penney, Walgreens, Lowe’s, Gap and Target itself set up an Information Sharing and Analysis Centre to coordinate information about cyber threats.
Doing this, however, requires a completely different mindset, and bringing together rival companies presents unique challenges. They might be fearful that information shared could give away a competitive advantage. Some might hesitate to expose too many details about their security measures, for fear of revealing vulnerabilities. And finally, they might have concerns that information shared with others could be leaked.
Fortunately, one area exists where retailers and businesses in general can start to cooperate immediately without such complications and concerns: law and the policing of cyberspace.
Intense lobbying must be applied to extend the laws that already protect property and people against physical violations to digital violations.
Whether criminals break into your store to steal cash or they illegally access your bank account over the internet, the law should see no difference. If someone sabotages the lift system in a high rise building, the penalty should be the same irrespective of whether they did it on site or remotely.
The lobbying effort must also be aimed at the police force in all jurisdictions, so it puts far more resources into developing forensic capabilities to trace cyber offenders and bring them to justice.
Retailers can’t afford to ignore the current situation, which keeps deteriorating. The industry derives a lot of benefit from the internet and other modern technologies, but it also needs to invest strategically to help clean up and secure the environment.
Adopting ever more powerful technical measures to handle the issue won’t be enough. Cybercrime has to be treated like a serious social, economic and criminal problem, which deserves nothing less than the full attention of the state.