As if you didn’t have anything else to worry about, a new report by Verizon says retailers are the No. 1 victim (or cause) of data breaches nationwide.
http://www.verizonbusiness.com/resources/security/databreachsuppwp.pdf
From 2004 to 2007, the retail industry accounted for 35 percent of all data breaches. That’s pretty striking if you think about it. Restaurants and grocery stores (20 percent) were the only type of business that came close. Financial service companies were a distant third at 14 percent.
But there is a silver lining in these statistics. And it’s a pretty thick lining. Unlike attacks on banks, attacks on retailers tend to be far less sophisticated. That means these breaches are easier to prevent!
Often, vulnerable point-of-sale (POS) systems are the target. In fact, 68 percent of retail attacks involved hackers taking advantage of open virtual private network (VPN) connections or weak wireless security. Sometimes it’s as simple as leaving a remote-access connection open when it’s not being used.
Just think how many of these incidents could have been prevented with a few simple security precautions.
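A concrete version of that "simple precaution", as an added example that is not code from the original post or from the Verizon report: a small Python audit that reads a host firewall ruleset in the format `iptables-save` prints and flags ACCEPT rules on the INPUT chain that leave common remote-access ports (VNC, RDP, pcAnywhere, SSH, PPTP, OpenVPN) reachable from any source, or from a range too broad to be a single vendor. The port list, the /24 "broad range" threshold and the sample ruleset are assumptions constructed for the example.

```python
"""Audit a host firewall for remote-access ports that are always open.

Added example, not code from the original post or from Verizon. It reads
rules in the format `iptables-save` prints and reports ACCEPT rules on the
INPUT chain that expose common remote-management ports to any source (or
to a very broad one). The port list and the sample rules are constructed.
"""
import ipaddress
import shlex

# Assumed: TCP ports typically used by vendors for remote access to POS hosts.
REMOTE_ACCESS_PORTS = {
    22: "ssh",
    1194: "openvpn",
    1723: "pptp",
    3389: "rdp",
    5631: "pcanywhere",
    5632: "pcanywhere",
    5900: "vnc",
}

# Constructed sample ruleset (iptables-save style), not taken from a real host.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 198.51.100.0/16 -p tcp -m multiport --dports 22,5631 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Parse one '-A' rule into (chain, source, ports, target); None otherwise."""
    if not line.startswith("-A "):
        return None
    tokens = shlex.split(line)
    chain, source, ports, target = tokens[1], None, [], None
    negated = False
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                      # '! -s x' does not scope the rule
            negated = True
            i += 1
            continue
        if tok in ("-s", "--source"):
            source = None if negated else tokens[i + 1]
            i += 2
        elif tok in ("--dport", "--dports"):
            for part in tokens[i + 1].split(","):
                lo, _, hi = part.partition(":")   # ranges like 5631:5632
                ports.extend(range(int(lo), int(hi or lo) + 1))
            i += 2
        elif tok in ("-j", "--jump"):
            target = tokens[i + 1]
            i += 2
        else:
            i += 1
        negated = False
    return chain, source, ports, target


def source_exposure(source):
    """Describe how exposed a rule is given its '-s' value, or None if scoped."""
    if source is None:
        return "open to any source"
    net = ipaddress.ip_network(source, strict=False)
    if net.prefixlen == 0:
        return "open to any source"
    if net.prefixlen < 24:                  # assumed threshold, IPv4-centric
        return f"open to a broad source range (/{net.prefixlen})"
    return None


def audit_remote_access(rules_text):
    """Return findings for INPUT ACCEPT rules that expose remote-access ports."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        parsed = parse_rule(line.strip())
        if parsed is None:
            continue
        chain, source, ports, target = parsed
        if chain != "INPUT" or target != "ACCEPT":
            continue
        exposed = sorted(p for p in set(ports) if p in REMOTE_ACCESS_PORTS)
        reason = source_exposure(source)
        if exposed and reason:
            findings.append({
                "line": lineno,
                "ports": exposed,
                "services": [REMOTE_ACCESS_PORTS[p] for p in exposed],
                "source": source or "any",
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_remote_access(SAMPLE_RULES):
        print(f"line {f['line']}: {', '.join(f['services'])} {f['ports']} "
              f"from {f['source']}: {f['reason']}")
```

Run against the sample it flags the VNC rule (no source at all), the /16 rule for SSH and pcAnywhere, and the PPTP rule allowed from 0.0.0.0/0; the RDP rule scoped to a single vendor address passes. On a real store server you would pipe `iptables-save` into it. The point of the check is the one the statistics make: vendor remote access should be scoped to the vendor's own addresses and enabled only for the duration of a support session, not left as a permanent hole.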
Attacks that may be a bit harder to prevent are those caused or perpetrated by your partners. Thirty-six percent of retail breaches were the result of these third-party vendors. The retail and food industries in particular are more susceptible to vendor-caused breaches, because vendors often provide outsourced POS services.
“We also see more and more where these third parties are specifically misusing that level of access granted to them,” said Bryan Sartin, director of investigative response for Verizon Business security solutions, who was quoted in CNET News.
http://news.cnet.com/8301-1009_3-10056490-83.html
CNET says Verizon investigators often find that restaurant chains report similar problems concerning potential data breaches. “You’ll see that they have the same fraud patterns and the same (illegitimate purchases), all within the same time frame,” Sartin says. “So it’s compelling circumstantial evidence that it’s the same perpetrator doing the same things we’ve seen elsewhere. And we can get good insight into how they did it. It always suggests that it was a vendor.”
So how can you limit this third-party misuse? Well, first of all, you need to have a secure network and make sure you are PCI compliant. That includes having all custom-written applications reviewed for security flaws before they go live, which is usually done by an organization that specializes in application security. It also means protecting cardholder data wherever it lives: stored card numbers must be rendered unreadable (encrypted, truncated or hashed), card data must be encrypted whenever it crosses a public network, and sensitive authentication data such as full magnetic-stripe contents and card verification codes must never be stored after authorization.
http://www.pcicomplianceguide.org/
Then, if you haven’t already, make sure you fully understand how your vendors handle and store your customer data. You also need to find out whether your third-party vendors are PCI compliant, since they will likely have access to at least some sensitive information. ANYONE who handles cardholder data must be in compliance.
Prevention is often a simple task. It can also be extremely confusing. If you’re even slightly unsure about your PCI compliance or the health of your security protocols, I encourage you to drop me a line anytime.
'Til next time,
Joan
The eSecurity Diva