When there’s a major cybersecurity threat facing the financial services industry, members of that industry come together and share information through the Financial Service Information Sharing and Analysis Center (FS-ISAC).
When there’s a major cybersecurity threat facing the health care sector, members of that sector come together and share information through the National Health Information Sharing and Analysis Center (NHISAC).
When there’s a major cybersecurity threat facing the retail industry, members of that industry leak information to Brian Krebs or don’t share it at all.
The current spate of data breaches affecting Target, Neiman Marcus, Michael’s and now hotels operated by White Lodging shows that sophisticated attackers have the retail industry in their crosshairs. Attackers have clearly determined that physical point of sale (POS) systems are the new soft target for credit and debit card information. In a way, this is to be expected: as security for online shopping has become more and more mature, we’ve reached a point where it has surpassed the security of physical POS systems. As they always do, attackers have adjusted their tactics accordingly.
The breadth and sophistication of these attacks show clearly that these aren’t flukes: they represent the latest wave in cybercrime. Put simply: this situation is going to get worse before it gets better.
One of the most surprising things about this situation is the lack of anything like a Retail ISAC. The journalist Brian Krebs, who has played a pivotal role in disseminating information about these events, expresses his shock at the lack of any coordination between retailers at the end of a recent post. He’s not the only one: I am shocked by this as well.
A key lesson from past developments like this is that the road to things getting better passes through the development of information sharing and analysis programs within the industry. To successfully combat this problem, the retail industry needs to come together to form its own Retail ISAC, and do so sooner rather than later.
To emphasize the importance of this, let me note that in hearings on the Target data breach on February 4, 2014, Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) remarked:
“Public confidence is crucial to our economy. If consumers lose faith in business’ ability to protect their personal information, our economic recovery will falter. Unfortunately, in the digital age, major data breaches involving our private information are not uncommon.”
Without a doubt, the breadth of these data breaches is starting to affect public trust in the retail industry. Brick-and-mortar retailers are already facing serious competition from their online rivals. A pervasive belief that online shopping is inherently safer than shopping in stores will only worsen that situation. Quick and decisive industry action is needed both to protect customers and to show them that the industry is moving to meet a great threat with great action.
Establishing a Retail ISAC alone isn’t enough. But it is a critical step that will help enable the industry to take other steps that will make a difference. The ISAC model is a proven one: it’s helped to better protect critical infrastructure, financial services, health care, maritime traffic, nuclear energy, and others. It’s time to add the retail industry to that list.