What the CEOs Are Reading
The Robin Report: The Top Target for Cybercrime: Retailers
The pace of change over the past few years has been truly astounding. It’s easy
to forget, but most of us began our professional lives long before Al Gore
invented the internet. Smartwatches were once only worn by Dick Tracy – and
Maxwell Smart walked around on the world’s only mobile phone.
Fast-forward to today, and organizations of every size and in every industry
have become wholly reliant on computers and data. From customer insights to
logistics; from ecommerce to HR; from social media to financial transactions,
every aspect of every organization has become data dependent.
As data has increasingly become the essential essence of organizations, the
lifeblood of business and the currency of commerce, security has not kept pace
with opportunity. The same data that is now essential to our operations is
increasingly putting our organizations at risk.
Global cybercrime will cost the world economy $6 trillion annually by 2021 (yes,
that’s Trillion, with a “T” – the equivalent of the GDP of Japan), and the
problem is rapidly getting worse. What began as cyber-hijinks in the 1980s has
devolved into an existential threat to organizations in every industry. Malware
attacks have increased by 2,000 percent over the past decade. The ten biggest
data breaches in history have occurred over the past five years – and ransomware
cost organizations $11.5 billion in 2019 alone. It’s little wonder why Gini
Rometty, CEO of IBM, has said, “Cybercrime is the greatest threat to every
company in the world.”
Retail Blues
Cyberattacks have become the most preventable and consequential threat of our
times. Malware, hacks, phishing, botnets, trojans, worms, keyloggers, viruses,
spyware, adware, ransomware, SQL injections, DNS and Man-in-the-Middle attacks:
the problems multiply every day.
As if the ubiquity of cybercrime wouldn’t be enough to keep the C-suite and
Board regularly reaching for antacids, a recent report examining millions of
hacks that occurred across over 4,000 organizations in 2018 showed the top
target for cyber-attack to now be Retail.
Surprised? Don’t be. Hackers attack retailers for the same reason Willie Sutton
robbed banks: “Because that’s where the money is.” In an age when data is
actually more valuable than money, hackers know where the most valuable data is
– and where it is left largely unguarded. Personally Identifiable Information (PII)
and credit card data have become the most common commodities sold on the dark
web. And unlike digitally transacted currency, these ill-gotten gains can be
transferred, sold and resold infinitely, and nearly for free.
If you hack a bank, you have a few pressing problems on your hands. Somehow,
somewhere, someone has to retrieve the proceeds, which means transferring those
ill-gotten gains into a brick-and-mortar bank for withdrawal. And while the Feds
will be hot on your tail if you take a thousand dollars from Wells Fargo, the
two perpetrators of the 2013 Target hack walked away with PII on 41 million
customers – and were only caught by dumb luck when they tried to cross the U.S.
border.
Cops and Robbers
Vexing as the challenge of cyber criminality may be, it is only the tip of the
iceberg of a truly titanic challenge. In the topsy-turvy world of today’s
technology, well-intended privacy legislation may occasion an even greater risk
to your company from the cops than from the robbers. Those hackers that targeted
Target? Adding insult to injury, Target was fined $18.5M subsequent to the
breach, for the privilege of being robbed.
Along with the extraordinary upticks we’ve seen in cyber-crime over the past
five years (malware, ransomware, hacks, data breaches, etc.), a spate of
draconian new laws have recently been enacted — and several more are about to go
into effect in January 2020 — that could prove to be a serious gut-punch to
retailers.
The California Consumer Privacy Act (CCPA), which will apply to any company with
data on more than 50,000 consumers or more than $25 million in gross revenue,
carries fines of up to $7,500 per customer record for non-compliance. In
addition to the recently passed New York SHIELD Act, the Empire State is
expected to pass a version of the CCPA that will make California’s laws look
like a day at the beach.
And let’s not forget HIPAA, GLBA, the Children’s Online Privacy Protection Act,
the Massachusetts Standards for the Protection of Personal Information of
Residents of the Commonwealth, the NY Cybersecurity Requirements for Financial
Services Companies, and the SEC Statement and Guidance on Public Company
Cybersecurity Disclosures – which now mandates compliance with cybersecurity
standards by all publicly traded companies.
All that, of course, is just on this side of the Atlantic. For those companies
doing any business in the UK or Europe, there is GDPR; the notorious EU
regulation that specifies standards for data protection and electronic privacy
and which can occasion fines of up to €20 million or 4 percent of annual
worldwide revenue of the preceding financial year, whichever is greater.
Topping them all… Senator Ron Wyden (D-OR) recently proposed legislation that
would result in (would you believe) jail time for CEOs found to be negligent in
their duties as data fiduciaries.
Robots to the Rescue
What would you do if the manager for one of your retail locations made it a
habit of going home for the evening and leaving the doors wide open, the alarm
codes taped to the wall, and the registers full of cash? The cyber equivalent
is, I’m sorry to say, far worse than that – and it happens every day.
Despite all the changes we’ve seen over the past few decades, network security
systems have remained largely unchanged since the 1980s. Potential threats, when
(if?) identified, are submitted through a ticketing system that is then checked
against a blacklist of known offenders. The “more sophisticated” systems do
pretty much the same thing; with the exception of relying on profiles that (in
theory) can find bad actors that bear a resemblance to previous perpetrators.
Any cybersecurity professional will tell you that this approach is like hiring a
sleepy security guard with a clipboard to sit at your cyber-door. Given the
inherent limitations of the approach of these obsolescent systems, it is no
wonder why companies now take an average of 197 days to notice a data breach.
The Volume, Variety, Velocity, Virality and Viciousness of cybercrime have
transcended human capabilities. The only way for retailers to meaningfully meet
their cyber security and data security needs is for robots to come to the
rescue. Artificial Intelligence-enabled cybersecurity solutions that incorporate
a composite set of capabilities – including Signal Detection, Natural Language
Processing, Robotic Process Automation, Machine Learning, and Deep Learning –
have become the only real way to keep the bad guys at bay and your executives
out of court.
Stay tuned for future articles in which I’ll explain – in non-technical, plain
English, without any code or math – how AI can do the voodoo it does to protect
your people, property, places – and profits.
Article originally published on therobinreport.com