Secure the value chain. Risk management in the omnichannel consumer and retail environment

Transcription

1 Secure the value chain Risk management in the omnichannel consumer and retail environment

2 Table of contents See the dark side 2 of security Review developing 2 security trends Address organizational 3 challenges See the downside 4 of inaction Think like a bad guy 4 Use a lifecycle approach 5 Disrupt the adversary 6 Manage risk and 6 compliance Extend security 6 capabilities Consider a partner 7 Gain benefits from a 7 secure value chain Move Forward 8 now is the time Interactions take place anytime, anywhere. This better serves customers and drives innovation. It also exposes organizations to attack by sophisticated, determined cyber criminals. To protect sensitive information, companies need to manage risk and secure the retail value chain. It requires integrated security to support a direct-to-consumer experience and the New Style of Business. See the dark side of security As consumer industry companies and retailers evolve to serve customers across new media, devices, and distribution channels, they face significant security challenges cybercrime. It s a threat across industries, national borders, and enterprise systems and the risks are growing. The nature and motivation for attacks are changing. The objects of opportunity games of chance are being replaced by targeted, sophisticated, and lengthy incursions. In a 2015 analysis commissioned by DXC Technology, Ponemon Institute found the mean annualized cost of cybercrime for 252 organizations was $7.7 million, and ranged from $31,000 to $65 million.1 The companies studied experienced 477 successful attacks per week, averaging 1.9 successful attacks per company per week. The most common cybercrimes were caused by malicious insiders, denial-of-service (DoS), and web-based attacks. Other studies indicate the scale of the threat continues to grow. The annual cost to the global economy from cybercrime is now more than $400 billion.2 This creates an adversary marketplace that has become more specialized, efficient, and lucrative. Review developing security trends Security in the consumer and retail sectors is affected by emerging technologies, changing point of sale (POS) systems, and new regulatory and data realities. As the threats and risk of breaches continue to grow whether internal or external, malicious or unintentional, it can result in serious damage to brand reputation and customer relationships, stakeholder losses, and compliance issues Cost of Cyber Crime Study: Global Report, Benchmark Study in Six Countries, Ponemon Institute, October, Net Losses: Estimating the Global Cost of Cybercrime, McAfee, 2014 A New Style of Business, driven by cloud, mobility, social media, and data analytics, can support growth and innovation. -facing organizations work to mobilize web, applications, and transactions. Many use locational and other context-based systems to improve offers and customer service. They are leveraging IT to personalize the customer experience, and using social media to reach and influence today s more connected consumer. Yet, those same New Style of Business technologies are creating significant new security problems for your organization. As more data is collected and used via increasingly personalized loyalty programs, more robust purchase histories, mobile transactions, and social media analytics companies struggle to protect that information. 2

3 Regulatory pressures are intense. Your company must ensure user security, protect sensitive customer data, and comply with a myriad of regulations and laws. You must also defend yourself against fraud, legal, and regulatory exposure, and the negative brand impact of a poisoned reputation. Figure 1. A more open environment poses more risk Retailer Retailer Retailer Supplier company Distributor Retailer Supplier Supplier The modern POS environment must accommodate multiple form factors everything from smartphones and tablets to other types of devices while addressing financial and Payment Card Industry (PCI) considerations. Organizations must ensure a secure transactional state across a growing range of technology domains. These realities expose your organization to new forms of impersonation and man-in-the-middle attacks. The omnichannel environment relies on a more open, essentially borderless information flow. This new model is defined by cross-channel availability and integration, extended and more collaborative supply chains, and the demands of mobile payments and other nontraditional transactions. So, enterprises must find ways to implement governance, risk, and compliance frameworks across their extended enterprise of partners, suppliers, and customers. To secure this new information environment, you must address network access and availability, authentication, data security, and the broad issues of information security-related governance and compliance. Address organizational challenges The omnichannel approach requires more reliable and ubiquitous availability from critical systems; yet most traditional security models are still siloed, heavily fragmented, and reactionary in nature. Many consumer companies and retailers have poor enterprise visibility, with uncoordinated reporting of security information and a heavy reliance on legacy point solutions. Many have not prioritized key assets or effectively allocated security resources. Skill shortages often hamper development and deployment of effective security systems. 3

4 Many consumer industry companies and retailers lack unilateral threat intelligence, proactive analytics, and the ability to make informed risk-based business decisions. And few have the internal capabilities to holistically manage risk or address the complexity of today s regulatory environment. See the downside of inaction The consumer and retail sector has lagged in making needed security-related technology investments. Yet as research and experience show, inadequate risk and security management can and does lead to serious and expensive problems. Unless care is taken to protect transactions and customer data, organizations can face substantial liability exposure via payment processors and regulatory bodies. Poor security drives eventual increases in operational and compliance-related costs. When sensitive customer data is breached, remediation costs can be high, and damage to brand reputations can be devastating and long lasting. Think like a bad guy To truly appreciate the importance of security in the consumer and retail sector, it may help to better understand the nature of today s evolving cyber threats. The adversary attack ecosystem is now a sophisticated, global criminal enterprise. This black market is defined by a highly varied group of players, ranging from nation states and state-sponsored groups to large criminal syndicates and the more popularly recognized hacker, activist, or individual cyber criminal. Specialization is increasingly common, with groups and individuals now focused on creating and selling attack-oriented information, tools, and services; acting on intelligence designed to compromise enterprise security; and monetizing the results of those breaches across the criminal ecosystem. Figure 2. Today, attackers are increasingly patient, specialized, and sophisticated Security Our enterprise Infiltration Their ecosystem Discovery Capture Exfiltration Security 4

5 Take control To optimize data security and risk management across an omnichannel environment, you need to address business- and technology-level requirements. Business level At the strategic level, robust security requires enterprise- risk management to use a single lens approach to visibility, and end-to-end cooperation from suppliers. Quantitative measures are used to evaluate risk, and advanced analytics can help balance risk perception against mitigation spending. Technology level At the tactical level, you can address the realities of borderless information flow by recognizing threats from insiders, third parties, and partners. Supply chains should be subject to risk assessments and compliance policies. Risk and threat actor profiles must be updated regularly, and scanning and vulnerability management should address security across the application lifecycle. Retailers and others should address privacy and domainspecific concerns related to still-emerging social media. Sensitive consumer data should be anonymized, stored, and used appropriately, and domains must be analyzed and protected. Finally, a robust security monitoring and response posture must include threat intelligence, sentiment analysis, and analytic fraud detection capabilities. Breach management must address readiness assessments, continuous monitoring, incident response, and digital forensic services to analyze and remediate vulnerabilities. These bad actors select individuals, enterprises, and government entities based on specific objectives of financial gain, capturing intellectual property (IP), or disrupting business or public activities not on random chance. Major attacks are now seldom smash-and-grab incidents. Instead, threat actors have become very patient, because they know time is often on their side. Many are willing to invest significant time and resources into researching enterprise ecosystems, infiltrating defenses, discovering valuable assets, then exploiting less-than-optimized IT security to capture those resources. After the initial breach, successful attackers often sell access points, profiles, passwords, and other sensitive enterprise information to the highest bidder. So other specialists in the black market exploit and monetize that intelligence and continue to victimize the retailer and its customers. As a result, the bad guys are more efficient at creating, sharing, and acting on security intelligence. To respond, the consumer and retail industry must understand and defend against this full threat lifecycle. Simply blocking access will not suffice; you must adopt proactive, adaptive security postures capable of disrupting adversaries at every step in their process. This requires educating users and using counter intelligence methods and details. It s essential that your organization identify and protect critical assets, including customer account information, enterprise IP, and other valuable data, and deploy advanced blocking technologies and policies. Because attackers can and will find ways to penetrate even the best defenses, your organization must establish and be ready to implement robust plans to detect quickly, respond swiftly, and mitigate the damage from a breach. By thinking like the bad guys, your organization can better protect its companies, employees, partners, and customers. Use a lifecycle approach A proactive, adaptive security posture is recommended. This posture should align security to business needs and risk tolerance, and improve risk management while controlling costs. Ideally, organizations should adopt a logical pathway toward an optimized risk posture; one that leverages the proven, phased approach of assessments, transformation, and ongoing management. It s necessary to assess current environments, and build a roadmap to envision where your organization wants to be. Using that roadmap, you can transform your security program to address gaps and better manage risk and opportunities. All this sets the foundation to manage your security environment proactively, keeping you agile and ready to respond quickly to business and security needs. While no enterprise can be 100 percent secure, product- and consumer-oriented organizations can deploy more proactive, holistic strategies for information security and risk management. To combat adversaries and remain agile, three strategies are recommended to disrupt, manage, and extend an organization s security capabilities. 5

6 Disrupt the adversary In a constantly evolving threat environment, consumer industry companies and retailers must adjust as bad actors become more specialized and efficient. So, instead of focusing on only erecting static barriers in hope of keeping adversaries out, your organization should work to proactively disrupt potential attacks along the entire lifecycle of a threat. This kind of aggressive defense requires investment in detection technologies capable of identifying critical information assets, and security threats and vulnerabilities. Preventive capabilities should address the full threat environment from the application to the bios layers and use advanced techniques such as self-healing technologies, crowd-sourced intelligence, and internal and external protective measures. Are you ready? Take the following steps to ensure data security and risk compliance of your complex, multichannel business environment: Evaluate your overall security environment and establish a risk management baseline for your organization. Identify your critical information assets and use quantitative risk measurements to evaluate threats against them. Analyze information security and risk management across your entire supply chain. Implement foundational IT security services for data availability and proactive monitoring. Be prepared to react not if your infrastructure is breached, but when. Maintain continuous security improvement using a risk management approach. A robust security posture can reduce exposure time, and increase an organization s ability to protect data from internal and external threats. Manage risk and compliance The key to risk management is being proactive ready to handle whatever comes your way. Organizations need deep security expertise so they can understand, manage, and reduce business and security risk. This approach to risk management should include security assessments, legal and regulatory requirements, compliance, and security-related transformation programs. While the natural urge is to increase spending on cyber security, most organizations struggle to find, train, and retain qualified IT security professionals. The fact is, there are often not enough highly skilled security experts to cover the myriad of security technologies and regulatory requirements. Security organizations today need to provide holistic, integrated security across the full IT landscape, from data centers and cloud-based resources, to hybrid environments, and across various devices. The organization should apply knowledge of local, regional, and global legal and regulatory, and threat developments, for a specific enterprise. Extend security capabilities industry companies and retailers should extend security capabilities to reduce risk, cost, and complexity across business units, channels, and supply chains. Your enterprise needs the capability to identify and protect against global threats. And, have the ability to correlate across diverse technology and provider domains. This is especially important to strengthen the security posture of complex, multichannel organizations. You should also move from ad hoc, periodic look-back activities to a continuous monitoring vantage point. 6

7 A strong security management program should include 24x7 monitoring capabilities, rapid detection technologies, and advanced forensic, litigation, and data recovery capabilities. In preparing for an event, mitigation planning, and incident and breach management capabilities with executive participation need to be developed and tested. Responding should be a reflex not a fire drill. Better security management enables your organization to respond appropriately in the event a breach does occur, moving quickly to minimize potential damage and deploy appropriate remediation to prevent further losses. You need to detect intrusions quickly, and block and mitigate the issues as fast as possible to reduce the impact and risk of significant costs, brand damage, and regulatory exposure. Consider a partner In today s high-exposure, risk-averse consumer and retail sector, security can no longer be an IT-level concern. The threats of financial, brand, and legal damages are simply too great. Most organizations now recognize information security as a boardlevel agenda item one that often requires additional support and capabilities of a proven ally. When considering potential enterprise security partners, you should look for providers that offer global scale and decades of experience in advanced security intelligence technologies. They should deliver specialized skills and industry focus, end-to-end security capabilities, and a range of flexible delivery models. Gain benefits from a secure value chain By adopting a lifecycle-based approach to security and risk management, you can realize measurable advantages: Protect brands and reputation by securing information from consumers, business partners, and employees. Foster greater collaboration across global supply chains. Adopt innovative consumer-facing technologies and services. Balance security spending with true business risk. Support uninterrupted business operations, greater resiliency, and smoother change. 7

8 Move forward now is the time Given the sophisticated and unrelenting nature of today s cyber-threat environment, forward- looking organizations now seek a more proactive, lifecycle-based approach to protecting their data, customers, and businesses. A holistic, integrated approach to security and risk management is recommended. This strategy can help you balance the need for security in a more open, direct-toconsumer, omnichannel model. It can also support mobility, data analytics, and other New Style of Business capabilities that you need to incorporate to satisfy today s more demanding consumers. Given the downside realities of cybercrime in costs, legal, and regulatory exposure, and long- lasting brand damage now is the time to secure your consumer and retail value chain. Learn more at security About DXC DXC Technology (NYSE: DXC) is the world s leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company s technology independence, global talent and extensive partner alliance combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit DXC Technology Company. All rights reserved. DXC_4AA5-3703ENW, March 2017