A single solution for retail breaches?

The Target breach affected millions of customers, but was just one of many retail breaches.

In the wake of recent headline-grabbing breaches at retail chains, arguments quickly arose regarding what could be done in terms of prevention. Compliance, technology and regulations seem to be the overarching topics. However, could there be an overarching solution?

There's no denying the finger-pointing that has come about following these events. The blame game is mostly tied to the costs associated with breaches. Right now, fraud losses and other post-breach expenses are primarily covered by banks.

However, the retailer also bears costs: it must supply its customers with credit monitoring, and its brand reputation suffers. According to a study conducted by Javelin Strategy & Research (commissioned by security firm Identity Finder), of the 5,634 surveyed respondents, 33 percent indicated that they would avoid further business with a retailer following a breach.


The percentage drop in profits at Target in 4Q 2013, compared with the year before.

Source: Target

Nonetheless, the discussion surrounding who should foot the bill, while meaningful and hotly debated, doesn't solve the overarching problem. 

Many have argued in favor of legislation that will put pressure on retailers to step up their security game. Randy Marchany, CSO at Virginia Tech University, says that while he would prefer that the government not get involved, the retail industry isn't doing enough to prevent it.

“I wish it wasn't necessary for the feds to get involved but I don't see the industry acting in a manner to prevent that,” says Marchany. “I think the feds will enact legislation.” 

But could such a complex issue involving technology be solved by legislation? Jeremiah Grossman, CEO at WhiteHat Security, doesn't believe so. He says that with any security problem, it's all about who's in the best position to effect change. In this case, he thinks it's all about the card brands and payment card system, which has been in place since the '70s.

“They could effect change but they're incentivized against it because…it makes them a lot of money,” Grossman says. “The system is perpetually broken. We have to disrupt it and change the way we think about the problem and do business. Look how the bad guys transact now, they [do it] in Bitcoin. They already figured it out.”

Cyber criminals are still working to crack a dated system. The question is: Can all entities involved with this problem work together to ultimately produce a solution that will finally put security ahead of the game?
