Retail cyber security spending ineffective as breaches rise

Cyber attacks on the retail sector are increasing, and although most retailers plan to increase cyber security spending, planned investments are unlikely to be effective, a report reveals.

Half of US retailers experienced a data breach in the past year, up from 19% the year before, according to the retail edition of the 2018 Thales data threat report.

This increase drove US retail to the second most breached sector in the US after the federal government, putting it ahead of healthcare and financial services.

The increased number of data breaches in the sector means that three-quarters of US retailers polled have experienced at least one data breach, up from 52% a year ago.

At the same time, the report reveals that while the US retail sector is more inclined than others to store sensitive data in the cloud as widespread digital transformation is underway, only 26% report implementing encryption to keep that data safe.

According to the report, 95% of US retail organisations will use sensitive data in an advanced technology environment such as cloud, big data, internet of things (IoT) and containers this year. More than half believe that sensitive data use is happening now, in these environments, without proper security in place.

Each of these technology environments comes with unique security challenges, the report said, adding that as the attack surface increases, unique data security challenges need to be addressed.

Garrett Bekker, principal analyst for information security at 451 Research, said the increases come as no surprise to retailers.

“While nearly 95% of retailers acknowledge vulnerability, now almost half recognise they are extremely vulnerable,” he said.

“This is an increase of 30% of respondents from the previous year. While this trend can be partially attributed to US retailers aggressively pursuing a multi-cloud strategy, these organisations continue, year after year, to spend on the same security solutions that previously worked.

“With increasingly porous networks and expanding use of external resources such as software, platforms and infrastructure as a service, traditional endpoint and network security are no longer sufficient.”

The increase in attacks against the retail sector, the report said, raises questions about the relatively low level of spending on data security.

In the US, the traditional concerns about data security related to perceived complexity and business performance impact are now outpaced by a perceived lack of need, according to 52% of respondents.

Globally, the report said a lack of organisational buy-in was tied to 41% not perceiving a need for data security. “The message here is that management needs a sense of urgency, and instilling that may require IT to do a better job of selling the importance of data security,” the report said.

While US retail organisations are responding to the ever-increasing threat, with 84% citing plans to increase IT security spending and 28% noting the increase would be significant, the report said planned spending is not going to what respondents believe are the most effective defences.

While the retail sector recognises the need for encryption to protect sensitive data, both US and global retail ranked endpoint and mobile defences as those that will get the largest spending increase in the coming year, even though they rank them the least effective.

Fortunately, more organisations are recognising the threat to cloud data, with 49% of respondents ranking cloud at the top of their IT security spending priorities.

Peter Galvin, chief strategy and marketing officer at Thales eSecurity, said this year’s significant increase in data breach rates should be a wake-up call for all retail organisations.

“Digital transformation is well underway and the benefits of the cloud, big data, IoT and mobile payment technologies are compelling and fueling widespread adoption. However, with the flow of sensitive data through all of these disparate platforms and technologies, the attack surface increases exponentially and with it the risk of a data breach,” he said.

in computerweekly.com by Warwick Ashford

Email security: What marketers need to know

Email is one of the most valuable channels for marketers to communicate with consumers. Sixty-one percent of consumers prefer to receive offers from brands over email, and marketers have responded by optimizing and personalizing email content to deliver the best experiences possible, according to a survey by Adobe (my employer).

It sounds like a perfect relationship. But while email may be the best way for brands to reach consumers, it’s also one of the most common threat vectors for cybercriminals looking to steal sensitive information, such as passwords and credit card data.

In Symantec’s 2017 Internet Security Threat Report, the company found that one in 131 emails contained malware, which was the highest rate in five years. Phishing, cybercrime, spamming and spoofing all represent serious challenges to email marketers and legitimate threats to their target audience.

While brands themselves can’t stop cybercriminals from attacking, they have an obligation to protect their brand identity and do their best to ensure security for their customers and subscribers. This requires an understanding of email authentication, the benefits of different authentication standards and why they are necessary for protection. Marketers need to be aware of these issues and understand email authentication and deliverability best practices.

Understanding email authentication standards

Three common email authentication standards are currently used in the industry, with some used in tandem.

  • Sender Policy Framework (SPF) is an IP-based authentication solution that allows the owner of a domain to specify which email servers/IPs are authorized to send messages on behalf of that domain.
  • DomainKeys Identified Mail (DKIM) is a cryptographic, signature-based form of authentication that allows a sender to take responsibility for the message in a way that can be validated by the receiver.
  • And finally, there is Domain-based Message Authentication, Reporting and Conformance, commonly known as DMARC. It is the most recent authentication standard and is quickly being adopted by industries that are frequently targeted by cybercriminals because of the sensitive data they handle, such as financial services and health care.

The protocol gives domain owners visibility into who is abusing their domain and potentially damaging their brand. It also provides insight into email authentication status and control over how senders’ messages are handled when authentication fails.

While many brands may be perfectly safe using a combination of SPF and DKIM, it is clear that DMARC is the strongest, most secure form of authentication and offers the highest level of protection.
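To make the "control over how messages are handled when authentication fails" concrete, here is a simplified DMARC evaluator written as an added example (not code from the article or from Adobe). It assumes constructed `_dmarc` TXT records, takes the SPF and DKIM results a receiver has already computed, checks DMARC identifier alignment (strict vs relaxed) and returns either "pass" or the domain owner's published policy; organizational-domain derivation is simplified to the last two labels, where a real receiver would consult the Public Suffix List.

```python
"""Simplified DMARC evaluation: identifier alignment plus policy lookup.

Added example, not code from the original article. The DNS records below are
constructed sample values. Organizational domain is approximated as the last
two labels (assumption; real implementations use the Public Suffix List).
"""

# Constructed sample _dmarc TXT records, keyed by the RFC5322.From domain.
SAMPLE_DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "news.example.org": "v=DMARC1; p=quarantine; pct=100",
}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: last two DNS labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(from_domain: str, spf_pass: bool, mail_from_domain: str,
                      dkim_pass: bool, dkim_d: str,
                      records: dict = SAMPLE_DMARC_RECORDS) -> str:
    """Return 'pass', or the policy to apply ('none', 'quarantine', 'reject').

    spf_pass/mail_from_domain: SPF result and the RFC5321.MailFrom domain.
    dkim_pass/dkim_d: DKIM result and the d= tag of the validated signature.
    """
    record = records.get(from_domain.lower())
    if record is None:
        return "none"  # no DMARC record published: receiver applies no DMARC policy
    tags = parse_dmarc(record)
    # A message passes DMARC if either SPF or DKIM passed AND that identifier aligns.
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags.get("adkim", "s"[:0] or "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```

A message spoofing `example.com` from an unrelated bounce domain with no valid DKIM signature lands on the published `p=reject`, which is exactly the "control when authentication fails" the standard gives domain owners.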

Best practices for marketers

While the risk of email threats is serious and potentially damaging, marketers need not fear. There are a number of guidelines to ensure authentication and deliverability which, combined, help minimize risk and protect consumers. Here are a few tips for marketers on how to ensure email security:

  1. Develop an understanding of authentication, and consider which standards are the best fit for your needs. In many cases, DMARC should be considered for additional security, but a combination of SPF and DKIM can be sufficient. These decisions should be part of a companywide approach to security and involve key IT decision-makers.
  2. Encourage two-way communication between the email marketing team and internal security experts to develop a deeper understanding of the threats their customers face and how they can play a role in protection.
  3. Maintain a strong reputation with ISPs (Internet Service Providers) by controlling content and data and following technical recommendations. ISPs, mailbox providers and spam filters play a critical role in email security and are a valuable partner in the effort to protect consumers.
  4. Monitor and track deliverability of your own emails. This is good practice for business reasons as well as security concerns.
  5. Develop an emergency plan in case your subscribers become victims of a cybercriminal spoofing your brand. Don’t wait until it happens; get ahead of the situation to ensure brand reputation and sensitive data are protected.

By adopting appropriate email authentication standards and following deliverability best practices, marketers can help ensure the safety of their consumers and maintain a thriving email marketing practice.

by  in martechtoday.com