Dissection of a Breach: Interview with Cy Fenton

In the last few years, cybersecurity has become top of mind for many retail organizations. From his posts at Books-A-Million, Cy Fenton has had a front-row seat to the growing threat landscape, and in 2014 he stepped up to chair the National Retail Federation’s IT Security Council, a task force dedicated to addressing threats head on. He discusses the organization’s first year and where it plans to go from here.

Sync: What is the state of technology and security in retail? How does that drive your work today?

Fenton: I’ve been involved with the National Retail Federation (NRF) for a long time, and it’s an industry group that gives small, medium, and large retailers a voice in Washington and in promoting retail. I sat on the NRF CIO Council, where we interact with other tech leaders, because even though our businesses are all different, everybody is trying to solve the same problems. We’re all dealing with large, powerful competitors like Amazon. We’re all trying to be relevant in the digital age . . . so it’s valuable to share problems, opportunities, solutions, and ideas. In 2013, we came together and realized how issues around security were starting to come to the forefront.

Sync: Did something specific make security issues more pressing?

Fenton: The incident with Target thrust it into the mainstream.

Sync: What was the atmosphere among your peers following the breach?

Fenton: CIOs have always been concerned about the security of our customers’ data, but after such a major breach, we all started thinking, “I wonder if my company is next.” Seventy million credit and debit cards were impacted, and the world became aware. In our January 2014 meeting, we decided to take action.

In the wake of the Target breach, we needed information, so we organized a conference call with iSIGHT Partners in partnership with the Department of Homeland Security. The security firm walked us through their technical analysis and postmortem on the Target incident. We had more than 120 people on the call, and realized we needed a safe place to talk about alerts and issues. That’s why we created the NRF IT Security Council, which I now chair.

Sync: Tell me about your vision for the group.

Fenton: We want to build bridges with vendors and government agencies like Homeland Security and the FBI to make alerts, information, and resources available to our members and all retailers. We have about 200 members now, but we plan to extend membership to retailers outside of the NRF, because it’s critical to get this information out.

We’ve established an alert mechanism that sends out notices from government agencies, and we’re looking at other important steps. We hold webinars and face-to-face meetings built around educating our group and the larger industry on best practices for securing our networks and understanding the threat landscape. We also talk about emerging technologies that help reduce the overall risk.

The NRF’s IT Security Council

Areas of Focus:

Networking and communications
The council brings together 190+ members for a common cause.

Real-time information exchange
Through partnerships with the Financial Services Information Sharing and Analysis Center and federal agencies, the council provides a forum where members can share information, ideas, problems, and solutions with their peers.

Benchmarking, research, and publishing
The council is working with NRF’s CIO subcommittee to establish risk-management priorities.

Conferences, webinars, and educational meetings
NRF’s IT Security Council is expanding its series of events in both remote and live settings.

Industry representation with lawmakers
Council members support a federal law to standardize threat response in the retail space and to ensure cyber crimes are investigated and prosecuted.

Early Success
In late July 2014, the Secret Service issued an alert about a POS malware called BackOff. The NRF system broadcast that alert the same day to more than 200 members. A member used that information to check 1,000 stores and found evidence of an early penetration. Because of the timely notification, the member was able to limit the attack to less than 2 percent of their store footprint.

Sync: How real is the risk?

Fenton: It’s real and it’s increasing. In the Target breach, we saw extremely talented hackers that were highly specific and focused on one company. These teams know as much about the tech infrastructure as the individual companies do, and they are smart, creative, and talented. I can tell you that inside the security community, we were amazed at their ability to move data around. A retailer’s relationship to our customer is the most important thing, and we need to guard their information zealously. After Target, the conversation went from “if” we get hacked to “when” we get hacked.

Sync: That paints a grim picture. What should a tech leader at a retailer do in the environment?

Fenton: You have to know the tactics and you have to know your systems. We have to be perfect, because all a hacker needs is one small vulnerability in a sea of access. It’s delicate, because our customers and associates need and expect wide access, but we have to keep the hackers out.

Sync: What new threats are you seeing?

Fenton: There’s a new and popular tactic called spear-phishing, which is a targeted e-mail attack on one person in an enterprise that has mid-level authority. It’s a direct, innocuous, and well-crafted e-mail. If that person responds, their computer or user credentials are compromised. The hackers are in, and away they go.

Sync: How should enterprise IT teams react?

Fenton: It’s like sweeping a desert—your work is never done. There are good vendors and good tools that help us see what’s going on in our networks. You have to redouble your efforts to try to know what’s happening in your own electronic boundaries in new ways. You have to realize that you can’t dig a moat deep enough or build walls high enough to protect your data. It’s about protecting the most important things. Your networks will always have a certain level of exposure, but hopefully the sensitive core stuff has been moved out and away from those most vulnerable places in a system of layered defense. The other thing you can do is make yourself more aware of what’s going on out there.

Sync: Beyond the loss of customer or private information, what’s at stake?

Fenton: Your company’s reputation. In today’s world of fierce competition, if you lose the trust of your customer because there was an event that wasn’t handled well, or if you’re playing fast and loose with security, you’re risking it all.

Sync: What happens to a post-breach retail company?

Fenton: Customer loss due to breaches is real. Large companies can lose hundreds of millions of dollars and alienate customers.

Sync: If I’m a CIO at a medium-sized retailer, what should I be doing?

Fenton: You need to realize that this is no longer an IT problem; this is an enterprise problem. Before, we had IT cyber-response plans; now we have company-wide plans to prepare for this eventuality. Last year, I was part of a war-game scenario at a conference where I was the CIO of a fake company that had a breach. We responded in real time in front of a large crowd of observers as news outlets responded, customers were calling stores, stocks were dropping, and the CEO had to respond publicly. That’s what every company needs to be prepared for. We’re going to do that very exercise at [Books-A-Million] soon.

Sync: You mentioned a public response. When is a retailer obligated to make a breach public?

Fenton: There are different state laws that dictate this. The NRF is pursuing a federal standard on these laws, because most companies operate in numerous states.

When is the right time? The right time is when you have the right information. Companies do themselves a disservice by releasing inaccurate information. You don’t want to release early numbers about a breach only to come back and admit that early numbers were low. Create a company-wide response plan and practice it, so that when there is a breach, you can make a rapid response with accurate information.

Sync: Should consumers panic? Is it time to ditch plastic and move back to an all-cash system?

Fenton: Of course not. We live in a world that’s built on this great promise of the convenience that all this technology brings us. It brings some peril, too, but retailers and credit-card companies are moving to make sure this is all done in a safe and protected way.

Apple Pay is a perfect example. If a crook steals transactions from Apple Pay, it’s a one-time use number that can only be used with that particular retailer. Card brands and retailers are implementing a number of solutions like tokenization and encryption, which disguises your information at the point of sale and uses a proxy number with the bank. There are great advancements coming soon.

Sync: Where will the NRF Security Council go from here?

Fenton: We’re working with other retail associations to do more together and push these best practices as wide as we can. We’re talking to large security conferences to add retail verticals to what they’re already doing, and we’re looking to take the lead in federal legislation. We’re doing all we can to make sure the customer’s information is as safe as possible in the retail world.