NGA Dispatch: Cyber Security Imposes Vexing Challenges

Leon Panetta at NGA
Leon Panetta at NGA (VSN photo)

“THERE IS PROBABLY NO ISSUE more important today than cyber security,” said Peter Larkin, President and CEO of the National Grocers Association, in his remarks at the opening session of the annual NGA Show in Las Vegas, this week.

True to his word, the event’s educational program included three breakout sessions and one general session devoted to various facets of cyber security – from safeguarding POS and mobile payments; to protecting proprietary customer data; to defending the enterprise against malicious attacks; to whether insurance can offer useful protection.

Keynote speaker Leon Panetta, the former Secretary of Defense and Director of the CIA, said in response to an audience question that he could foresee the possibility of a “cyber Pearl Harbor” assault on American institutions and infrastructure. The siege is already well under way: The CIA was turning back some 100,000 cyber-attacks per day during his tenure from 2009-2011, he said. The pace has certainly accelerated since that time.

Soft Targets?
Panetta and several other speakers made reference to the recent breach at health insurer Anthem Inc., which resulted in exposure of some 80 million patient and employee records. Others invoked the recent Sony Pictures Entertainment  hack and the infamous credit card breaches at Target Stores and Home Depot.

For the much smaller NGA member companies, mostly independent operators with from one to fifty supermarkets, the threat is neither remote nor abstract. Grocers accumulate a great deal of customer and transaction data and they may be regarded as softer targets by hackers. When a retail store is identified as a “common point of origin” for credit card fraud by the FBI or the U.S. Secret service, the consequences can be swift and severe.

“In 2014 we had a breach,” said Ray Sprinkle, President and CEO of URM Stores, Inc., Spokane, WA based co-op wholesaler serving about 160 stores, who was a panelist in the general session. “I do not want a second one.”

Approximately 67 stores in Washington and Montana were affected in the URM incident, which came to light when several area credit unions spotted fraudulent charges in November 2014. “We announced it right away, and told our customers not to use their cards in our stores,” said Sprinkle. “We were crucified in the media, but ultimately our customers rewarded us.”

Prepared Response
Another panelist, Paul Doty, IT Director for Sendicks Food Markets, which operates a dozen stores in Wisconsin, said, “As independent grocers, data security is not our core competency, nor should it be.”

Retailers can take several important lessons from observing the responses of other companies that have suffered breaches. Preparing and maintaining a “cyber-disaster plan” is a necessity in a world where hacks are a virtual certainty.

“It begins with tracking everything,” said Doty in response to an audience question. “This helps you to document losses and also provides evidence of prior compliance with security practices.”

He added, “You also must decide how you will communicate news of a breach to your customers.”

Other elements of a plan may include pre-assigning response roles to key associates and identifying legal counsel and a public relations firm. All these steps are much more difficult to accomplish under the pressure of a cyber-crisis.

Several speakers affirmed that the likelihood of a data breach is more a matter of “when” than “if”.

One ongoing concern, said Sprinkle of URM, is the likelihood of an unknowing mistake by an employee that enables a cyber-intruder. “All it takes is a click on the wrong email or link.”

Such “phishing” exploits can be astonishingly effective, said Paul Kleinschnitz, SVP and General Manager, Cyber Security Solutions for FirstData, “It’s very easy for the criminals to make money. It’s unfair how easy.”

⇒ Next: Will “Chip and Pin” Cards Save The Day?

© Copyright 2015 James Tenser

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.