Retail executives suffer from a false sense of security regarding how their employees follow procedures to keep payment data safe — especially at this time of year when companies hire seasonal help, yet provide those temporary employees with access to account information.
San Francisco-based Bay Dynamics wants to paint a truer picture for retailers by monitoring and analyzing in-house security practices and employee behavior patterns, while providing solutions to close the gaps.
Far too many employees, about 61% of temporary employees and 21% of permanent employees, share log-in credentials for corporate systems that have access to consumer accounts, Bay Dynamics found in its recent research focusing on data security during the holidays. In addition, executives don't know which systems their temporary, and some full-time, employees access or if they ever let sensitive data leak out, the report said.
Through Osterman Research, Bay Dynamics conducted a survey last month of IT decision makers at 125 large U.S. retailers with at least 2,000 employees.
Bay Dynamics applies behavior analytics to company employees and third-party vendors to establish what proper daily behavior looks like and to red-flag behavior that strays from the norm. After its research, Bay Dynamics advises the retailer client on potential solutions and needed upgrades.
"When we talk to executives, we hear them say they want to use data analytics and the tools they have in place, but when we talk to the IT practitioner actively managing security, we find they are sort of stuck into what was good practice five years ago," said Ryan Stolte, chief technology officer for Bay Dynamics.
Most often, that means companies deploy the easiest and fastest way to onboard employees by setting up shared accounts, Stolte said. "They have access to customer records, some having transaction and credit card numbers on them."
Retailers face pressure to deliver profits by selling products and avoiding breaches, Stolte added. "Unfortunately, sometimes they are cutting corners and the people at the top are not always aware of what is going on."
Criminals attacking retail networks often target the weakest link, that being humans and their tendency to take security shortcuts, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
Past security research has often pointed to the human nature of creating
"You look at the
"Phishing is going on all of the time," Stolte added. "Someone could walk in a store, see an employee's name tag and then figure out a password that fits."
At least 30% of retail workers have access to transaction data and records, Stolte said. "I find that astounding, but it goes back to encouraging customer service and staying available to the customer."
Five years ago, retailers could measure their success by customer service and having employees available to solve problems by accessing account records, Stolte said.
"Today we have a different problem," he added. "We have executives who think they are in good shape, but one compromised account gives the bad guys a lot of opportunity because there is too much information in those shared accounts."