LONDON, United Kingdom — The criminals crawled in through the air conditioning unit. Sort of. In 2014, by using stolen authentication details from an air conditioning subcontractor, hackers gained access to Target's corporate network and stole the credit card data of 40 million customers. Target chief executive officer Gregg Steinhafel resigned, profits dropped by more than 40 percent in the following quarter and the company spent $61 million ($44 million was covered by insurance) on expenses, which included investigating the breach, lawsuits and offering identity-theft protection to customers.
Over the last decade, cyber attacks have become more frequent and as companies move their operations online, the effects have become more serious. Hackers can gain access to millions of customers’ personal data, obtain intellectual property like design files (which are now commonly stored online) or force a company to take down its website and lose sales. According to PricewaterhouseCoopers, from 2009 to 2014, the overall volume of detected data breaches grew at an average of 66 percent per year. “It’s not a matter of if, but when you will be attacked,” says Troy Leach, chief technology officer at the Payment Card Industry Security Standards Council.
According to Leach, most cyber attacks are committed by organised crime networks. E-commerce companies are particularly at risk, because they collect large amounts of data on active customers, which has a higher value than generic lists of credit card details on the black market.
Several major fashion companies have already been targeted. In 2014, 1.1 million credit card details were exposed in a three-month attack on Neiman Marcus, while Patagonia, footwear retailer Office, clothing retailer Bebe and discount department store Kmart have all suffered breaches in recent years.
So, how can fashion companies protect themselves and their customers?
KNOW YOUR VULNERABILITIES
Cyber threats change every day, so trying to single out a specific threat is “like trying to shoot a pigeon with a shotgun,” says Richard Zaluski, president and chief executive officer of the Centre for Strategic Cyberspace and Security Science. However, by identifying the weak links in their systems, companies can minimise risk.
Most data breaches occur through email, through human errors like sending documents to the wrong address. “After that, it comes down to cloud collaboration,” says Zaluski, pointing to file-storage platforms like Dropbox or MediaFire. “It does create risks for the business,” he says. Files stored in clouds are protected by the platform’s own cybersecurity measures — which a fashion company using the platform cannot control. An employee working from home can log in to a cloud platform and download files, exposing them to security risks on their personal computer.
Companies should work with their cybersecurity provider to create a tailored security package. Simple precautions like requiring employees to change their passwords every 90 days, removing administration-wide access to sensitive files and not using shared user IDs can help reduce risk.
“In 80 percent of data breaches, the businesses that were compromised weren’t even aware where the information that was compromised was,” says Leach. Today, most companies rely on third parties to store the large quantities of customer data they collect — and the location of that data can determine how safe it is.
“People think the cloud is a fluffy, nice thing. It’s not — it’s a server room somewhere,” explains Zaluski. “If it’s in the EU, the laws around information privacy are more stringent than India or China. China’s notorious for stripping out stuff they want a copy of. That’s how they do data mining.” We are more likely to hear about a breach in the US — 47 states have laws forcing companies to publicly disclose any data loss —but a 2014 report by Verizon analysed breaches from 95 countries.
Fashion companies should ask questions about the security precautions of their server providers, before entering into contracts: do they move data between servers in different countries? Do they use copy data onto a back-up storage centre? Much like the factories that fashion companies use to make their clothes, cybersecurity providers may subcontract work to another centre, in another country, without alerting their clients.
KNOW WHAT YOU NEED TO PROTECT
By and large, fashion companies have two types of sensitive information that hackers want: customer data and fashion designs.
Protecting customer data comes down to “really good authentication — being able to verify a customer is who they are, and demonstrate that the sensitive information going between the customer and the merchant is going to be protected at both ends,” says Leach.
To protect their designs, fashion companies should conduct a risk assessment of where IP data (such as design files or manufacturing instructions) is stored, the security assets in place to support that data, how that data flows through the company’s operations — including third parties like garment factories — and who has access to it.
The biggest risk to IP is “somebody within the business accessing data and taking it from the company, either to start their own business, take it to a new company or to sell it on to the dark net,” says Laurance Dine, managing principal of the investigative response unit at Verizon. Design files should be encrypted before being stored on servers or shared with third parties, access should be restricted to a “need to know” basis, and companies should look into new attribute-based or authorisation-based access controls, which govern access on a case-by-case basis, based on factors like location, network, time, user identity and past activity.
BE VIGILANT WITH THIRD PARTIES
Many fashion companies work with a range of third parties to do things like manufacture products, maintain their websites and process credit card payments. Each one of these is a potential hole for hackers to climb through and gain access to a business’s network.
Most businesses also buy a third party solution for cyber security. Having a tight business agreement with this third party is vital, says Leach. He advises companies to choose a reputable service provider and write into their contract that both companies will be held accountable for securing their customers’ data, and then make sure each do their part. For the fashion business, that might mean regularly updating firewalls and checking that third party factories or the company used to process payments also have stringent policies in place.
“Companies often think they’ve shifted responsibility by using a third-party company,” says Dr Guy Bunker, senior vice president of products at Clearswift, an information security provider. But in the event of a hack, the fashion business — not the security provider or, say, the air conditioning contractor — stands to lose the most. “The entire business of e-commerce is built on trust,” says Leach. A data breach can ruin that.
COMPLY WITH LAWS AND INDUSTRY STANDARDS
Recent changes to the law are giving companies even more incentive to tighten their data security. Changes to EU law, which the EU Parliament is expected to approve this month and bring into effect in 2018, will mean companies that suffer breaches must disclose the incident to EU authorities within 72 hours, and risk facing fines of up to 4 percent of global revenue for not complying with the new data protection regulations. “The amount of the fee is really scaring [retailers]… we are talking about up to €130 million (about $141 million) and even more,” says Gabriel Leperlier, Verizon’s head of Continental Europe advisory services.
Last July, the US Seventh Circuit court also made it easier for consumers to sue companies over data breaches, when it reinstated a class action against Neiman Marcus over a 2013 hack, ruling that the theft of customers’ financial information resulted in an "objectively reasonable likelihood" that an injury will occur. Previously, companies could avoid data lawsuits because the victim couldn’t show an “injury.”
Industry standards like the Payment Card Industry Data Security Standard (PCI DSS) require companies that work with card brands including Visa, MasterCard and American Express to comply with data controls, including encrypting cardholder data, building a firewall around it and tracking all access to network resources.
But aside from a few US states, the PCI DSS is not a legal requirement. A 2014 study by Verizon found that four out of five companies failed at interim assessment for the standard. “When we investigate breaches, we don’t see a lot of companies that are PCICSS compliant,” says Dine. Problems amongst these companies included not keeping security systems up to date, not running regular scans for threats, and not changing passwords every 90 days.
HACKS ARE INEVITABLE
Businesses must plan for when something goes wrong, whether it’s an employee emailing confidential files to the wrong person or a firewall or antivirus software hack. “It’s one thing to have a policy, but in my experience, the majority of businesses are unable to execute that policy when the data breach actually happens,” says Leach. He recommends cybersecurity “fire drills,” to improve the response from employees and the company’s security solutions provider, and “penetration tests,” which involves acting as a hacker and trying to attack your own network, in order to find weak spots.
In a survey of over 1,200 companies, hackers were able to bypass preventative measures, like firewalls and antivirus software, 97 percent of the time. “That kind of preventative tactic is not sufficient. It needs to be augmented with detection analysis and response,” says Joshua Goldfarb, chief technology officer of emerging technologies at network security company FireEye.
Cybersecurity “has to be part of business as usual,” says Leach. According to IT research firm Gartner, worldwide information security spending reached $76.9 billion in 2015 and is expected to reach $170 billion by 2020. But targeted efforts around a company’s most sensitive assets can be as effective as blanket coverage of lower-impact defences like firewalls. “Security is not about having millions in cash and buying firewalls. It’s more about doing the right thing [at] the right moment,” says Verizon’s Leperlier.
“Target is a huge company. They’re going to have an infrastructure [and] technology in place to prevent this stuff — and they still get hacked,” concedes Zaluski. “You will always be behind the curve on a hacker. It’s just the nature of the beast.”