In recent weeks, both Kmart and Staples have been victims of credit card hacking. This isn't the first time a major retailer has been attacked in such a way: According to the New York Times, Kmart and Staples have joined the ranks of Target, Home Depot, Sally Beauty Supply, the United Parcel Service, Dairy Queen and countless other retail stores and restaurants that "have had their in-store payment systems compromised with malware over the last year."
There's no question that the frequency and scale of these attacks are unsettling, but what's more alarming is the fact that these major retailers are admittedly vulnerable to them. A Ponemon Institute study found that "53% of respondents say they believe SQL injection was one element of these high-profile breaches." What's more, only 48 percent of study respondents say they test or validate third-party software to protect from SQL injection.
It goes without saying that the prevalence of vulnerable retailer databases is frightening for consumers and CISOs alike. But what does all this reputation damage and vulnerability suggest? For consumers, well, before you pull your money out of the bank and start burying gold bullion in your backyard, take a moment. This doesn't mean you can't continue to make purchases on your credit or debit cards. For those whose information has not yet been compromised, it means taking a proactive approach to your own security — one that includes monitoring your financial information closely and using smart passwords. If you believe your credit card information has been affected by these hacks, it means starting with a few reactive steps, such as requesting a replacement card and freezing your credit.
For CISOs, though, it means that just being aware of your organization's vulnerable points isn't enough. Software with SQL injection flaws makes your databases vulnerable. If you're not constantly scanning for vulnerabilities, you might as well not be checking at all. It's time to take a proactive approach to security — for the sake of your customers and organization alike.
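To make the point concrete, here is an added illustration (not code from the original article or from any of the retailers it names) of the SQL injection flaw the post refers to, beside the parameterized form that removes it, plus the kind of crude source check a third-party validation step might run. The table, rows and sample source lines are constructed for the example, and `lookup_unsafe`, `lookup_safe` and `find_string_built_sql` are hypothetical names.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory table; not data from any real retailer.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Ann Lee", "1234"), (2, "Bob O'Neil", "9876")])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable pattern: the caller's input becomes part of the SQL text,
    # so any quote character in it changes the statement itself.
    sql = "SELECT id FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Parameterized query: the driver passes the value separately from the
    # SQL, so the input is only ever treated as data.
    sql = "SELECT id FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def query_alters_structure(conn, name):
    """True if the concatenated query no longer parses for this input,
    i.e. the input was able to rewrite the statement (the flaw itself)."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

# Crude static check of the kind a vendor-validation step might run:
# flag execute() calls whose SQL text is built inline with +, % or f-strings.
# It does not follow variables, so SQL assembled elsewhere is missed; it is a
# first-pass screen, not a substitute for a real scanner.
CONCAT_SQL = re.compile(r"""execute\(\s*(f["']|["'].*["']\s*[+%])""")

def find_string_built_sql(source):
    """Return 1-based line numbers of suspicious execute() calls."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if CONCAT_SQL.search(line)]

# Constructed sample source for the static check.
SAMPLE_SOURCE = (
    'cur.execute("SELECT * FROM t WHERE id = " + uid)\n'
    'cur.execute("SELECT * FROM t WHERE id = ?", (uid,))\n'
    'cur.execute(f"DELETE FROM t WHERE id = {uid}")\n'
)
```

Run against the sample data, the name containing an apostrophe breaks the concatenated query but is looked up correctly by the parameterized one, and the source check flags lines 1 and 3 of the constructed snippet.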
For as long as there have been gates, virtual or otherwise, there have been people working to bypass them. So, if you can't stop the hackers from hacking, what can you do to protect your organization? The task of constantly monitoring enormous databases and the software that accesses them while remaining informed about the latest security threats and running the standard suite of antivirus programs might sound daunting — but the results will far outweigh the effort. And, with a little extra rigor added at the beginning of any vendor relationship or piece of software developed (that is, by implementing a security-minded workplace), maintaining an updated, secure environment will get much easier. Combine it with an awareness of any current threats, and you'll find security almost pays for itself.
There's no longer an excuse to be vulnerable. CISOs should investigate solutions that continuously inventory applications, monitor database activity and examine all third-party interactions — steps that would prevent most of the rampant credit card hacking of late. Many such solutions require less money, resources and time in the long run than ever before, which makes joining the 33 percent of organizations that stay on top of their security a total no-brainer.
So before your organization finds itself in the harsh spotlight of a data breach — or, for consumers, before you start burying your bullion — get proactive. With a focus on security, you're sure to save yourself (and your crisis-management team) some serious headaches.