Hudson’s Bay Data Breach Confirms the Need for Enterprise Risk Management in the Retail Industry
Steven Minsky | April 9, 2018
On Sunday April 1, Retail group Hudson’s Bay disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks Fifth Avenue and Lord & Taylor stores in North America.
As many as 5 million cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year.
Customers, investors, and regulators learned of this breach not through any press release issued by the company itself, but through news of the data available for sale online. This is a poignant proof point for the power of the see-through economy, an age of transparency where news travels far and wide at an incredibly fast pace. Hudson’s Bay couldn’t keep up, and the company’s shares fell more than 6% when the market opened Monday morning.
Data Breaches Are a Risk Management Issue
To make their systems more secure, retailers have been switching to a new form of payment called EMV—Europay Mastercard and Visa, which uses a computer chip in the card to authenticate transactions.
Although Hudson’s Bay said their stores had EMV systems installed by February 2017, hackers were still able to obtain mass amounts of data, which confirms that security is more of a risk management issue than a technology issue.
Gemini Advisory, a New York-based security firm, said the data appears to have been stolen using software that was implanted into the cash register systems at the stores, which siphoned card numbers until last month. Although it’s unclear exactly how the malware was installed in the stores’ checkout systems, Gemini said it was most likely through phishing emails sent to Hudson’s Bay employees.
Employees often go through training or attend yearly seminars that teach them about phishing and ways to recognize a suspicious email. However, this alone is not effective to protect your company. Studies show that only 20% of employees adhere to established policies they’ve been trained on. Companies need to implement enterprise risk management systems to identify the risks that could materialize if a policy isn’t followed and develop effective mitigation strategies to address those risks by monitoring the results.
More and more, the world is recognizing the connection between risk management and cybersecurity. The General Data Privacy Regulation (GDPR) is a new European standard and strict privacy mandate with worldwide enforcement including fines of up to 4% of annual global revenue or €20 Million, whichever is greater. As of May 2018, when this regulation comes into effect, I believe it will be a game changer for all data privacy issues and move corporations to rely more heavily on their enterprise risk management programs.
Tactical Tips to Improve Your Business and Personal Risk Management Program
Scandals like the Hudson’s Bay data breach are 100% preventable. Vulnerabilities are known by front-line employees within the organization for more than 6 months and often for years prior to the scandal, but not by the right level or adjacent business area which can solve the problem. An ERM program supported by ERM software enables employees to identify and escalate the risks they see as subject matter experts to bridge issues across business silos and up through layers of management.
How many risk assessments use a common standard in your organization? The total number of risk assessments of some kind already being done is typically 40% of the total number of worldwide employees. If your organization is tracking less than this number, it means there is a gap that needs to be addressed. If these risk assessments are not standardized or use a common platform, that is the cause of the gap.
The solution is typically not about creating more assessments, but rather about identifying what ad hoc assessments are already taking place, standardizing them, and improving their quality. If they can all be on a common denominator through standardization with a risk register and quantified using standardized evaluation criteria, they can be compared across business silos and linked together to identify the true cause of issues. The other key contribution of an ERM system is then being able to link existing controls to these risks which carry the risk score so that monitoring of controls can be prioritized.
Robotic process automation within ERM systems can then trigger follow-up or escalation tasks, provide transparency across workflows as tasks are moved along from one person to another, and provide reporting and monitoring to generate automated reminders for follow-up tasks
From the description of the breach, this is what was missing from Hudson’s Bay risk management program to prevent password reuse and phishing identity impersonation that allowed the malware to get inside their organization and remain undetected for so long.
Studies show that patching habits can be divided into quarters: 25 percent of people patch within the first week; 25 percent patch within the first month; 25 percent patch after the first month; and 25 percent never apply the patch. The longer the wait, the greater the risk.
Steps to protect against phishing with built-in robotic process automation
1. Risk assess patches, updates, and applications to prioritize monitoring of security policy and patch/update deployment. ERM will provide transparency on which system patches failed and their priority to get them followed up on.
2. Operationalize security policy with business logic that goes beyond password expiration and complexity to include password reuse, identify theft prevention, and access rights in compliance with policies.
3. Assess and monitor the effectiveness of web filters to block malicious websites.
Personally, get educated on what you can do in the midst of identity theft. Although the company released a statement that “those affected will not be liable for fraudulent charges,” this is only true if customers take the required steps to monitor and dispute charges within the time limits allowed. Customers are often typically not protected for identity theft and other consequential damages.
Review your credit card statements carefully each month. You only have protection if you dispute the fraudulent charge within 60 days. You must send a dispute letter within 60 days of the first statement that contained the mistake to the address for billing inquiries. Then the creditor must do an investigation and resolve it within two billing cycles or 90 days, whichever comes first.