A Band of Others

Major retailers continue to experience security breaches, making headlines and putting millions of customers’ information at risk. Colin Anderson, CISO at Levi Strauss, argues that companies must come together to fight a common enemy.

Retail is a highly competitive industry with players large and small jousting over the consumer dollar. Retailers guard key details about their business processes and supporting IT systems closely to prevent competitors from gaining any advantages. One issue, however, has sparked a vigorous collaborative effort among rivals: data security.

In May 2014, the Retail Industry Leaders Association (RILA) launched the Retail Cyber Intelligence Sharing Center (RCISC), an organization composed of several large retail stalwarts—household names including the Gap, Walgreens, Target, and Safeway. The goal is for members to share information to strengthen defenses against common enemies—black hat hackers and organized crime syndicates. Colin Anderson, formerly CISO for the supermarket giant Safeway and now CISO at Levi Strauss & Co., is an RCISC founding board member.

An attack can originate from groups of organized criminals in many parts of the globe bent on stealing credit card numbers, social security numbers, or other personal customer data. The list of victimized companies includes the likes of Target, Home Depot, and Neiman Marcus, all of which have had widely publicized data breaches. Competitors have no reason to cheer when these incidents make headlines, however, as they all know they could be next.

“If you have poor processes, the technology isn’t going to save you from yourself.”

New groups of cyber criminals pop up constantly. For many retailers, attempts to breach data defense measures are daily occurrences. In the retail realm, point-of-sale malware and shipping fraud schemes have been the most common methods of attack in recent years. “These incidents give the whole retail industry a black eye,” Anderson says. Each publicized incident of data theft erodes consumers’ trust in the entire industry, he says. So, it’s in everyone’s best interest to team up to curtail the threats.

As any CISO will tell you, the challenge is too great for any organization to handle effectively on its own, particularly in the low profit margin, cost-conscious industry of retail. Nobody can afford to hire an army of security experts to snuff out every threat. “There is strength in numbers,” Anderson says. “Collectively as a retail community we are better positioned to defend our respective enterprises from this growing threat to our businesses.”

RCISC is set up to be a potent weapon in the battle against cyber crime. Members alert each other to the latest instances of cyber attacks through the RCISC listserv. CISOs can create alerts that include details about the methods and means of attacks, their area of origin, how to detect and block intrusion attempts, and any other tidbits of information that can help bolster defenses.

Many, though not all, attacks on retailers are industry-specific, Anderson notes, so teaming up with others in the industry yields the most useful data. “This is timely, actionable information,” Anderson says. And, importantly, with these e-mail missives containing sensitive information, members can maintain their anonymity if they choose. The US Department of Homeland Security, US Secret Service, and the FBI are prominent public sector members who add their expertise and relevant news on cybercrime.

The listserv has already paid big dividends. “Retailers have been notified of reshipper fraud schemes that prevented over $1 million in losses,” Anderson says. The scam involves criminals recruiting an unsuspecting individual, often called a “mule,” to receive product that was purchased with a stolen credit card. The mule then reships the product to another address, where the criminal receives it and turns it into cash. This is repeated hundreds of times, so the retailer can incur major losses. The RCISC listserv enabled members to share these known reshipper addresses, and one retailer was able to stop $1 million in fraudulent open orders.
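The defensive use of a shared reshipper list described above comes down to matching not-yet-shipped orders against addresses reported by other members. The following is an added Python example, not code from RCISC, Safeway, or any member retailer, showing one way a retailer could do that: addresses are normalized (case, punctuation, common street and unit abbreviations) so that trivial formatting differences between the shared list and the order system do not cause misses. The shared addresses and open orders are constructed sample values, not data from the article.

```python
import re

# Constructed sample of addresses received through an information-sharing list
# (hypothetical values; nothing here is taken from the article).
SHARED_RESHIPPER_ADDRESSES = [
    "1234 Example Street, Apt 5B, Springfield, IL 62704",
    "98 Sample Ave Suite 200, Metropolis, NY 10001",
]

# Constructed sample of a retailer's open (not yet shipped) orders.
OPEN_ORDERS = [
    {"order_id": "A-1001", "ship_to": "1234 EXAMPLE ST APT 5B, SPRINGFIELD IL 62704", "amount": 1899.00},
    {"order_id": "A-1002", "ship_to": "77 Other Road, Springfield, IL 62704", "amount": 45.50},
    {"order_id": "A-1003", "ship_to": "98 Sample Avenue, Ste. 200, Metropolis, NY 10001", "amount": 2400.00},
    {"order_id": "A-1004", "ship_to": "1234 Example St Apt 5C, Springfield, IL 62704", "amount": 300.00},
]

# Canonical short forms for the suffixes that most often differ between systems.
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
    "drive": "dr", "apartment": "apt", "suite": "ste",
}


def normalize_address(addr):
    """Lowercase, drop punctuation, collapse whitespace, and canonicalize suffixes."""
    s = addr.lower()
    s = re.sub(r"[^\w\s]", " ", s)          # "St." and "St," both become "st"
    tokens = [ABBREVIATIONS.get(t, t) for t in s.split()]
    return " ".join(tokens)


def flag_open_orders(orders, shared_addresses):
    """Return the order ids whose ship-to address matches a shared reshipper address."""
    bad = {normalize_address(a) for a in shared_addresses}
    return [o["order_id"] for o in orders if normalize_address(o["ship_to"]) in bad]


def held_value(orders, shared_addresses):
    """Total dollar value of the flagged orders, i.e. what a hold would prevent shipping."""
    ids = set(flag_open_orders(orders, shared_addresses))
    return round(sum(o["amount"] for o in orders if o["order_id"] in ids), 2)


if __name__ == "__main__":
    flagged = flag_open_orders(OPEN_ORDERS, SHARED_RESHIPPER_ADDRESSES)
    print("orders held for review:", flagged)
    print("value held:", held_value(OPEN_ORDERS, SHARED_RESHIPPER_ADDRESSES))
```

Note that order A-1004 differs from a shared address only by its unit number and is deliberately not flagged: an exact match on the normalized address is a safe automatic hold, while near-matches (same building, different unit) are better routed to a manual review queue than blocked outright, since blocking on partial matches would punish legitimate neighbours of a mule.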

Over the long term, RCISC will pay off in other ways, Anderson says, including as a vehicle to share best practices and to help member organizations figure out how to better train their employees in good IT security practices. With IT security talent in short supply, RCISC may also partner in future years with educational institutions to increase the supply of these workers.

But this isn’t the first attempt to cobble together an organization to aid cybersecurity in the retail industry. “In the past, we tried to pull groups together like this regionally,” Anderson says. “The challenge was that it was hard to dedicate enough time for them to get off the ground.” With support from member companies, seed funding from a few large retailers, and major retail associations like RILA and the National Retail Federation bringing a nationwide focus, the latest effort seems to have staying power. Seed funding is being used to get the nonprofit association off the ground, provide information-sharing services, and build out the infrastructure needed to support RCISC’s growth. With a measurable payback already serving as proof of effectiveness, the effort is likely to continue receiving financial support and to gain more members.

For retail CISOs, RCISC is a sorely needed tool, but even with this new asset, retail industry IT professionals face formidable challenges. Starting with the budget, CISOs have to make a strong business case for any new initiative. Recent data breaches, having reached public relations nightmare status, make pleas for more spending on IT security an easier sell, but that doesn’t mean the funding floodgates have been thrown open. Thus, a central challenge is to spend precious funds on the things that will do the most good. “We have to be surgical in how we invest,” Anderson says, and doing that well is difficult.

“There’s so much noise about security,” he adds. “We are bombarded by information from the media.” While vendors tout the latest whiz-bang solutions, Anderson has been around long enough to know that marketing pitches can often exceed actual performance. One thing he is certain of: there is no silver bullet or quick fix.

It would be virtually impossible to stop every breach, so CISOs need to focus resources on the most potentially damaging threats. Timely information from resources like RCISC helps to ensure that security teams detect and respond to current perils and not waste time trying to shore up defenses against attack methods that cyber criminals abandoned months ago. In retail, the battle is compounded by the multitude of avenues—online shopping access points, point-of-sale equipment, etc.—that attackers can use to gain entry to critical systems.

The stakes are high, as are the consequences of failure. “Even batting .900 isn’t good enough,” Anderson says. “You can block nine out of every ten attacks and still suffer damage to the brand. It’s a stressful challenge. Just because you’ve had success for many years doesn’t mean you will continue to have success.”

The best approach is to focus on the policies, procedures, and technical tools that can do the most good. “You have to make strategic investments based on your particular business risk,” Anderson says. “You can do many things to lower the probability that you will be compromised.” Many attacks are fairly technologically unsophisticated, he points out.

Phishing, for instance, amounts to nothing more than trying to trick people into clicking on a malware-containing e-mail attachment. This hacking strategy has been around for many years, and stopping it comes down to employee training and behavior. “Employees can be your best line of defense or your biggest weakness,” Anderson notes. To make the employees at Safeway more of the former, Anderson and his team provided training on good security practices. Surprise tests helped to gauge progress. “I phished my own employees,” he says. How many fell for the trap was an indicator of how much more education was needed.

Stiff, formal tutorials are not going to get the best results. “You need a creative awareness program,” Anderson says. Providing regular messages about how data security can impact workers in their daily lives can be effective. During tax season, for example, cyber thieves try to obtain social security numbers to help them steal tax refunds. Relaying this information and how to avoid the worst consequences is a message that has widespread resonance. If employees adopt sound cybersecurity habits in their personal lives, they are apt to bring those behaviors into the workplace.

In fact, human behavior is central to Anderson’s security philosophy. While it’s important that the core technical security controls are solid, ultimately they only take you so far. You must spend as much time and energy on implementing and updating sound practices and procedures across the organization. “If you have poor processes,” Anderson says, “the technology isn’t going to save you from yourself.”