LP Magazine

JUL-AUG 2014

LP magazine publishes articles for loss prevention, asset protection, and retail professionals covering shrinkage, investigations, shoplifting, internal theft, fraud, technology, best practices, and career development.

Issue link: http://digital.lpportal.com/i/352439

We find them interesting and attractive in different ways and at different levels. We quickly trust them and believe their sincerity. The other partner may appear cordial and friendly, more reserved or withdrawn, or even more negative or hostile. But this one person brings us together and makes us want to establish a friendship. When it comes to data-security issues, the data breach has that partner—the one that draws us in and seeks out our trust and friendship. In many ways this intimate colleague is critical to the success of both the marriage and the extended relationships—attracting new and unsuspecting individuals on a daily basis. In this partnership the veiled bride is social media.

The Power of Social Media

By using web-based and mobile technologies to turn communication into interactive dialogue, social media creates an effective channel for individuals and groups of people to connect, interact, create, and share. With businesses constantly positioning to make news, build their brands, improve communications, and grow their customer base, companies are using email blasts and a plethora of platforms, including Facebook, Twitter, LinkedIn, and YouTube, to market their products and services. These powerful communication tools can have significant influence on awareness, acceptance, and behavior. They play an important role in many marketing strategies and are also a common vehicle used by many of our employees to network and communicate with one another. Unfortunately, these same resources are opening doors to many of our data-security issues.

Finding the Weakest Link

"When cybercriminals are looking for ways to breach our systems, the starting point to penetrate our information typically has nothing to do with the use of credit cards, even when that's the information that they're attempting to obtain," says James Foster, founder and CEO of ZeroFOX, in a conversation with LP Magazine. "But they have to get in somewhere. So what is the best way in?
Attackers will look for the weakest link and a way in that exploits or manipulates the system at a point of vulnerability. They'll often use tools that have mass adoption—even if it fails a thousand times, the one time it does work gets them in. They are looking for a more covert way to get into the system—one where they can feed on the user's trust and delay detection. When you put it together, the easiest venue to leverage is social media."

In our push to get ahead in the highly competitive world of business, Foster commented that information technologies must reap immediate benefits. As a result, the technology can be significantly ahead of the controls. "Security measures can lag behind three to five years," he added. "A company's number-one asset is its people. This is a common thread, and a prime opportunity for access. Ninety percent or more of the malware is getting in through social media."

Foster went on to describe a simple scenario as an example. If a hacker wants to break into XYZ Company, they may create an online persona that mirrors the brand's logo, verbiage, and marketing style. They build the false content using one of many social media platforms, along with a link that says "XYZ Company Rocks." If an employee were to open the link, it can then open the door for the hacker to breach the company. While it may sound like a simple strategy, hackers have become experts at disguising their intentions—and it may only take one unsuspecting employee to be successful. Regrettably, this is only a single, basic example of a problem with prospects limited only by the imagination and ingenuity of the hacker. This is the challenge, and only one of many issues that we can face.

Defense in Depth

So, how do we combat these problems? "Unfortunately, existing plans are ninety percent reactive, which is like patching cracks in a dam with bubble gum," Foster says. "There has to be a plan, a defense-in-depth strategy that proactively addresses data security."

In the information world, it's about firewalls, intrusion-detection systems, two-factor authentication, and encryption. These defenses are layered to make them more resilient. But there has to be more. Our defenses must include a plan and a partnership that effectively creates a unified team to combat these threats. This involves a comprehensive approach that would include the following:

■ A knowledgeable and educated team that communicates well and works together.
■ A diverse team that can provide different perspectives and offer comprehensive value.
■ Expert external opinions that provide guidance and will objectively review the plan.
■ An adequate budget.
■ Privacy and compliance policies.
■ A framework and foundation for governance.

"As retailers expand their offerings and push online services, internal and external policies, roles and synergies must be

BUILDING A NEW DEFENSE TEAM

Hackers and like-minded mercenaries wage war using information technology to assault our computers and information systems through cyber-related strategies. In the retail space we primarily have thieves looking for personally identifiable information that can be exploited and turned into cash. But there are other groups as well. There are groups targeting organizations for their research-and-development assets, intellectual property, and corporate strategies.
