Seven things retail can teach us all about data security

TalkTalk’s Dido Harding isn’t the first CEO to receive advice from cyber experts safely installed on the This Morning sofa and she won’t be the last. The boardrooms of British Gas, Vodafone and Morrisons have all recently played data-breach bingo and we all now accept it’s ‘when’ not ‘if’.

But retailers have been dealing with theft for a very long time. They call it ‘shrinkage’ - when stock leaves a store by any non-legitimate route and surprisingly, shoplifting comes a distant second to theft by staff. Since retailers need staff they’ve had to concentrate on mitigation rather than eradication.

The information security community would do well to take heed here. The biggest tool most companies have against the insider threat - data theft by staff - is a strongly worded statement. Even then, access to information is so poor that management can’t deliver on any threats. Too much attention still goes on preventing the external attack – the shoplifter.

So here are some lessons Data Security can learn from our retail cousins.

  1. It’s opportunity not character

90 per cent of us would steal if we could get away with it; theft is about opportunity not character and retailers understand this. In a recent Loudhouse survey for Clearswift, 35 per cent of staff said they would sell company data, some for as little as £100. So, remove temptation by applying least privilege rigorously.

  1. The biggest threat is internal

Retailers start with goods receiving because that’s usually the biggest crime scene. Shoplifting comes a distant second. It’s the same with Technology, according to Forrester, 36 per cent of all data breaches involve employees directly, and the majority indirectly. A better firewall won’t stop the growing insider threat. Strong controls over who has access to what, will.

  1. People steal in the absence of a capable guardian rather than for economic gain.

40 per cent of retail theft in the UK was carried out by unsupervised staff such as management and security guards. In this context, a “capable guardian” means systems with the ability to understand what someone has access to and whether they should have access to it, and the ability to bring that to the attention of managers.

  1. Keep a tidy shop.

If a shop window remains broken, people think that no-one cares. If you don’t look like you care about who has access to your data, why should anyone else care? But if you combine a strong culture with technology that gives managers the information they need to manage the environment, you send the strongest possible message.

  1. Monitoring should be constant and part of a workflow

Relying on quarterly reviews to clean up access rights because you don’t have the capability to manage risk during the mover and request processes, is like only switching on the CCTV on bank holidays, rather than every time you leave the store.

  1. Communication is key

An element of all shrinkage prevention is communication. It makes the programme visible and sets expectations. The presence of a CCTV camera in a shop tells staff (and others) that someone is watching. An equivalent is needed when guarding data.

  1. Be proactive and start with the end in mind.

Retailers can’t afford to wait for shrinkage to become a problem. Loss control requires serious, regular attention in both the physical and electronic realm.

So concentrate on the internal threat, have a strong culture that values data security and make sure the systems provision, and review access supports that culture.

Mark Rodbert, CEO of idax

Image source: Shutterstock/Den Rise