Why Preventing Retail Breaches Requires a Team Effort

2014 is very much shaping up as the Year of the Retail Breach - nary a week goes by in which we don't hear of a new merchant that has been hit - but that shouldn't come as a surprise to anyone. Consider this: If Bonnie and Clyde were around today, they'd find hacking merchants to be easier and more lucrative than knocking over banks.

Indeed, retailers worldwide are awash in credit card numbers, which they accept via in-store purchases and on e-commerce websites. Despite growing awareness of the problem and prescriptive requirements promulgated through the Payment Card Industry Data Security Standard (PCI DSS), attackers continue to skillfully fine-tune their techniques to pull off massive data heists. As the 2014 Trustwave Global Security Report discovered, retail was the top industry breached last year - making up 35 percent of the attacks we investigated. Meanwhile, e-commerce comprised 54 percent of assets targeted in all of the data-loss incidents we examined.

According to recent analyst research, it also appears that retailers are not allotting enough money to deal with the problem. And others, it seems, are failing to recognize the risks at all.

A common misperception held by some is that this rampant run of merchant breaches can only be halted through the widespread introduction of fraud prevention mechanisms, such as chip-and-PIN. But that's not the case. These methods may reduce the likelihood of an attacker being able to use stolen information, but they will not prevent an attack.

Rest assured, however, that there are steps retailers can take to make themselves a less attractive target and push back the saboteurs. But to achieve this, a team effort from across the organization is required.

Here are three groups that must be involved:

IT managers/CISOs:

Malware must remain a top-of-mind concern for retail IT departments. We've told you about sneaky point-of-sale malware families such as Backoff, which comes equipped with advanced RAM scraping capabilities and can enter through third parties to cause devastating breaches. Organizations that simply lack the time, budget and resources to handle the situation themselves should consider offloading the responsibility to a managed security services provider.

Application/database managers:

Vulnerable applications, such as payment or e-commerce apps, are a common vector through which attackers establish an initial foothold in a retailer environment. The databases that support those applications must also be protected because they often contain the prized assets that hackers are after. Services such as vulnerability scanning and penetration testing, combined with web application firewalls, are critical.

Senior executives/CEOs:

Arguably the most well-known compliance mandate in existence is the PCI DSS. Merchants will need to validate compliance with version 3.0 beginning Jan. 1, and there are some big changes afoot, including new pen testing requirements and additional burdens on e-commerce merchants that redirect payments to third parties. Failing to comply with the guidelines is a board-level issue because it can result in big fines, reputation damage, lost customers and potentially the stripping of the ability to process credit cards. Compliance with PCI DSS can never guarantee security, but it goes a long way to establishing a security baseline and reducing risk.

Dan Kaplan is manager of online content at Trustwave.
