Dichotomy


As we approach retail’s favorite season, I have the unique perspective of being concerned about information security both as the Chief Information Security Officer (CISO) of a commerce software company and as a customer of a plethora of retailers — some of which are clients and others of which are not. In effect, I wear two hats throughout the year: one as a shopper (think Kris Kringle) and another as a CISO (think cop).

Because I wear both hats all year, and especially during the holidays, it’s safe to assume that I have well-defined notions about the information security implications of my holiday experiences.

I’ll begin with “we the shopper”: the hunt for deals and the frenzy to find that “something” special, the clamor of crowds and the seasonal spirit moving us as we drive all over town. Some of us avoid the crowds and start out on the Internet, while others head straight to the mall, unleashing the power of smartphones and social media to discover those deals and seizing their acquisitions with a warrior’s vengeance.

I’ve asked myself a question about mobile security, and I hope you ask it too: is mobile shopping safe? I’ve suggested for some time now that mobile security is far better than PC security, for some very basic reasons. First, mobile operating systems like Android and Apple’s iOS were built very recently, from the ground up, with security in mind. There is no legacy software here, unlike on the PCs we use more frequently.

Another factor is the plethora of devices running many different OS versions, which makes mobile a more fragmented and therefore more difficult target for hackers to focus on. Supporting my position is a recent industry survey conducted by the security software company McAfee, which revealed that a PC user faces nearly 7,000 percent more security threats than a mobile device user. You can make those odds even better by installing respectable security software on your mobile devices and keeping the device’s operating system and apps up to date.

Another “we the shopper” question more uniquely tied to the holidays is whether there are more security threats facing us during this season than at other times of the year. I’d unequivocally answer yes!

Think for a moment and ask yourself: do I tend to shop on impulse? The holiday hubbub encourages us to join the frenzy, doesn’t it? The unfortunate problem is that we sometimes lower our guard and shop with retailers that show no concern for our safety and security – that’s right, zero. These retailers could be described as the low-hanging fruit for hackers in the retail space. These are companies that are not working with security experts to keep their customers safe, that don’t take the Payment Card Industry Data Security Standard (PCI DSS) seriously, and that avoid the recommendations of Qualified Security Assessors (QSAs). When in doubt, just ask the store manager or email the corporation’s headquarters. I have, and it is truly a scary, eye-opening revelation.

This leads me to the important steps a retailer can take to ensure overall security, especially during peak periods. First, being proactive about security instead of reactive is paramount. Any retailer that is not conducting ongoing risk assessments and ongoing security assessments throughout the year isn’t taking security seriously. If they focus on security only during the holidays, they are playing roulette with their customers, their brand and their solvency. With thousands of breaches occurring every year, what are the odds it will happen to them?

An aspect of the retailer’s experience that is very much the hot topic these days is whether a store that resides in the cloud or with a hosting provider is more or less secure. Fundamentally there is no difference in the technology used. The point of differentiation is really contractual, or, in my experience, the lack of a contract!

Virtually all cloud companies out there have generic hosting contracts that prevent customers from conducting proper security assessments, making it impossible for a company to achieve PCI compliance: PCI DSS requires regular vulnerability scans and penetration tests of the environment that handles cardholder data, and a contract that forbids them leaves a gap you cannot close. Ask your cloud provider about this and brace yourself for a shock. There are huge risks to cloud computing unless you work with a service provider that offers a fully PCI-certified hosting solution. Trust me on this one — not all cloud providers are created equal.

I’ve shared with you some of the questions, and a few of the answers, that I consider when wearing my two holiday hats. If you have questions about your security during the year or as we approach the holidays, just send them to me. I’m happy to share both perspectives with you.