March 27, 2015 —
The Internet is an integral part of any home furnishings business and often is a critical element. And yet, as almost any retailer will tell you, you’re only a click away from havoc if a link installs malware on the company computer. Anyone connected to the Internet is at risk.
“Cyber attacks are on the rise,” cautioned Michele Borovac, vice president of cloud control company HyTrust. “No company is immune and security must be a top priority rather than an afterthought or an insurance plan. The costs of these breaches are staggering—damaging brands, customer trust and, ultimately, the bottom line.”
Suburban Contemporary Furnishings owner Jeff Burt learned cyber security the hard way.
Photo: Doug Hoke
Nobody knows this better—or worse, as the case may be—than Jeff Burt, the owner of Suburban Contemporary Furnishings in Oklahoma City. Burt’s staff is allowed to use the Internet only to look at inventory, their customer base and similar information, but a couple of years ago, the store server started acting weird.
“When our IT guy came in to [check out the problem], he discovered we’d been hacked,” Burt said.
The hackers didn’t steal sensitive information—a common problem with today’s high-profile hacks. Instead, they used Suburban Contemporary Furnishings’ server as an email base.
Burt was told it was common for hackers to use a server to email solicitations for drugs such as Viagra and other items. In Burt’s case, the hackers used the server as a ‘ghost’—a place to send email that could not be tracked.
Once the breach was discovered, the server was cleaned up and the passwords changed. That’s when things went from bad to worse. After the passwords were changed, the IT person was supposed to share the new password with the store’s backup system so it could resume backing up data every day like it was supposed to. He forgot.
“We just assumed it was backing up and doing what it needed to do,” Burt said. “Almost a year of information was corrupted because the system was not backing up. It was a hideous lesson to learn.”
Burt’s store lost 14 months of financial information plus inventory, invoices and bills—all because the password was not shared with the backup server.
There’s a reason retailers find themselves in the news more than other industries when it comes to cyber attacks.
“Retailers have always been the low-hanging fruit for attackers since they don’t spend as much as banks and government entities in cybersecurity,” Lawrence Pingree, research director covering cybersecurity at Gartner, Inc. told The Wall Street Journal last fall.
According to Pingree, retailers spend about 4 percent of their IT budgets on cybersecurity, while financial services spend about 5.5 percent and healthcare spends 5.6 percent.
A recent Verizon study reported that small businesses are the most likely victims of all businesses attacked by cyber criminals. Close to half of all of the confirmed data breach incidents Verizon recorded last year occurred in companies with fewer than 1,000 employees.
Small businesses that employed fewer than 250 workers experienced a significant increase of cyber attacks by as much as 18 percent from the previous year.
Attacks are usually more damaging for small retailers compared to the Targets and Home Depots of the world. “Per capita, data breaches can be more costly for small companies, especially those with fewer than 250 people,” said Larry Ponemon, PhD, chairman and founder think tank Ponemon Institute. “External hackers often see small business as a stepping stone to big businesses.”
Jeremy King, international director for PCI Security Standards Council, explained that most criminals are likely not in the same country or on the same continent as the businesses they invade.
The cybercriminal is “looking for Internet addresses,” King said. “He doesn’t see a retailer, but an IP address and he will target that IP address to see if it is connected to anything. [Once he] has found a way in, he will look around for vulnerable data and organizations that don’t have a good level of security.”
King added, “You need to think of security as one issue. Understand where cardholder data is in your system and make sure if you don’t need it, don’t keep it. If you do keep it, keep it securely. Shred data you don’t need and make sure it’s gone.”
“Cyber protection is a broad term and can encompass anything from anti-virus, to access controls, to auditing and alerts,” said HyTrust’s Borovac.
“Attackers are smart and they are getting in largely undetected because they are able to look like insiders,” he said. “Once they have control of a privileged user’s credentials, they can move around at will. Don’t forget to both monitor and control what insiders [like employees] can do as well as keep the bad guys out.”
Although passwords are not entirely effective as a security measure, Poneman stresses that each employee needs a unique, strong password that should not include personal information like anniversaries, children’s names or birthdates, or similar information.
Poneman also urged encrypting any stored data with good encryption security. Retailers can download a reputable encryption program from a trusted website or access a virtual private network.
“Hackers use all kinds of software to mirror passwords. That is why upper case, characters and combinations are important,” said Carolyn Crowley, the president and founder of Myriad Software. “Seasoned hackers can still find that information, so you need to change [passwords] often—even if that is once a year—to ensure you are protected.”
However, cautioned Borovac, “Passwords can be broken, given enough time and computer power. This makes the practice of using two-factor authentication even more critical for any account that holds sensitive data. Two-factor authentication combines something you know—like a password—with something you have—like a token.”
A security token, also known as a key fob, is any device that can be used to authenticate authorization—it acts like an electronic key to gain access. The authorized user may have to enter an alphanumeric code, fingerprint, or PIN.
Most businesses are PC-based, but some use Mac computers, believing that Apple technology is more secure. Cyber security expert Gary Miliefsky agrees that Macs are only marginally safer. “It is a harder system to break, but recently has been broken,” he said. “A new malware now exploits Macs and not a lot of anti-virus solutions on this platform can keep up.”
In addition to encrypting everything on all machines, regardless of whether it is a PC or Mac, Miliefsy suggests retailers “assume you are already hacked and clean up your malware.”
Jeff Selik, the owner of Hillside Furniture in Hillsboro, Mich., is a Mac devotee. “Everything is password controlled and only two people have access. By minimizing the number of people who can log in, it keeps it pretty clean,” Selik said.
“A lot of our stuff is done on Mac, which generally is not as attacked,” Selik added. “Once the iPads and iPhones came out, we realized their functionality as a business tool. All our sales consultants use iPads, iPhones and their personal computers, which are usually Macs. Everything communicates very easily.”
Selik knows the power of technology in the hands of a retailer. “Technology can either put you out of business or make your business,” he said. “I don’t feel I am enough of a blip on the map for anyone to try to hack us. We get a ton of email spam with attachments, but we clearly just don’t open those. Hillside is always on the cutting edge of contemporary and technology. We budget for technology as a very important investment in our company, use strong passwords, have a strong firewall and are PCI-bonded for transmission of credit cards over the Internet. We keep only customer email addresses, addresses and phone numbers. We work with Myriad and have an advisor who will come in if something needs to be fixed.”
“Since 2007, we have not had anyone breached,” said Myriad’s Crowley, whose company developed an integrated business package specifically designed for home furnishings retailers to manage sales, inventory, customer histories and other workplace related tasks.
“Retailers must trust the gateways they use. A stand-alone machine is pretty secure, however hacking doesn’t always come from the Internet or credit card machines. Sometimes it comes from disgruntled employees. Everyone is concerned with hacking,” Crowley said.
“A comprehensive security strategy starts with assuming the bad guys are already inside,” said Borovac. “Automate security when you can to remove the possibility of human error. Make sure that security becomes a strategic objective at the highest levels of the company.”
Detecting a breach
“Good, outsourced computer support resources are important if no one on staff is IT savvy,” said Crowley, who also urged retailers to make sure firewalls and software including anti-virus software, spyware and malware protection are updated. “Be sure to conduct an annual review of what you have in place for your company’s protection,” she said. “Check to make sure all your servers and equipment are updated.”
Should a breach occur, Crowley advises retailers to shut down whatever system the breach is coming through. “Maybe the settings or firewall are not right. Have your IT people look into it without leaving [the system] open; shut the server down until someone can check it out.”
“Nothing is foolproof,” said Miliefsky. “Businesses should effectively train employees, harden systems, detect and remove Remote Access Trojans (RATs), deploy full disk encryption and real-time backups, defend against phishing attacks and manage the Bring Your Own Device (BYOD) dilemma. Have a separate Wi-Fi for BYOD. The free TrueCrypt is amazingly powerful at encryption.”
Any “outbound traffic when no one is touching computers” is one sign of infiltration, he said. “Test the outbound traffic logs after work for anomalies. Be alert to more ‘spear phishing attacks’ and ‘zero day malware’ rats.”
Incident response plans
Crowley adds that it is important to have an “incident response plan” in place should a breach occur. “It is no different than if you had a major power outage or catastrophe [like a tornado],” she said. “Always have a plan B.”
What does a good plan look like? It will provide the name and contact information of who will serve as spokesperson for the business, emergency contact information of key staff, including all ways they can be contacted, statements that can be provided to the media until more information can be assessed—like ‘everything possible is being done to protect sensitive information’—and a plan and vehicle for notifying those impacted–both internally and externally.
“The more prepared you are,” said Ponemon “the less likely you are to be in a ‘disaster’ situation. Companies [exist] that can provide plans that tell you what to do, when to do it, how to do it and who to contact, and have tools to help you. It is important to consider the impact of the breached data lost rather than at company size; there are a lot of required measures that must be taken as follow up that would be very costly.”
Ashley Furniture HomeStore in Springfield, Ill., does not have a written disaster plan of its own, said Barbara Seidman, but does “contract with a local technology company that takes care of any and all computer issues, including breaches. This is an ever-evolving challenge.”
Burt cautions fellow retailers, “Don’t assume anything. Always look at your system and check it. You have got to keep your eyes on it all the time. It’s a fact of life.”
Sue Masaracchia-Roberts is a freelance writer, editor, and public relations consultant based in Chicago. She has more than 25 years of experience in public relations and writing. Her specialties are the fields of manufacturing and small business.