A new report showed that point-of-sale malware isn't the only risk for retail companies this year, because many...
temporary workers use shared credentials, and organizations can't track what employees do on company networks.
The Pre-Holiday Retail Risk Report, produced by Bay Dynamics and Osterman Research Inc., found that despite these bad practices, the majority of retailers rated themselves highly capable in terms of identifying critical assets that must be protected, detecting theft or data leakage and controlling employee access to critical assets.
The survey was conducted in November 2015 by Osterman Research. IT decision makers for 125 large retailers were polled, and, in total, the retailers that were surveyed employ 2.74 million people, which Osterman said represents "roughly 18% of the total number of retail workers in the United States."
Those surveyed were very confident that their organizations were proactive in regards to security. Most rated their companies as proactive or very proactive in terms of detecting theft or data leakage (86%), identifying important data (86%), controlling employee access to critical assets (81%) and providing security training (71%).
However, Ryan Stolte, co-founder and CTO of San Francisco-based Bay Dynamics, said this confidence was misplaced, because organizations were measuring themselves against outdated security standards.
"The respondents, by and large, thought they were doing a great job of securing customer data and securing their organizations," Stolte said. "Eighty-one percent or more gave themselves a rating of at least six out of seven with how good they were doing. But, at the same time, it looks like they're measuring themselves against yesterday's standards ... against pre-Target breach standards."
This meant that many employees were using shared credentials to access networks. The survey found that 61% of temporary workers, and even 21% of permanent employees, did not have unique login credentials.
Michael Osterman, president of Osterman Research, noted that without unique credentials, it is impossible to know exactly what each employee is doing on the network.
"The use of login credentials by multiple employees makes it virtually impossible to determine who has logged into a system and when they did so, since the login could have been from any employee who has access to the common set of credentials," Osterman said. "Consequently, if an employee were to commit fraud, such as logging in to 'return' an item that a friend had simply shoplifted, there would be no way for a store to determine who was responsible for the fraud."
Even so, 50% of survey respondents claimed they "know everything" temporary workers are doing on corporate networks, and 62% know everything that permanent employees are doing. Additionally, 63% said they could identify which systems each temporary worker accessed, and 92% could identify what each permanent employee accessed.
These issues with access management become more troubling, according to Stolte, when considering what types of data permanent employees can access. The survey showed 54% of permanent employees had access to customer databases that did not include transaction data, while 31% had access to corporate email and 30% had access to databases containing customer-transaction data.
"The pervasive theme is that they create shared accounts, and they don't really know what these people are logging in to or what they are accessing," Stolte said. "There's a lot that can go bad. They seem to be feeling good about how secure they are, but they're measuring themselves against the standard which encourages ease of selling stuff."
Osterman said the use of shared accounts had another risk beyond the inability to accurately record who logged in and what they did.
"The second problem associated with shared login credentials is that ex-employees maintain access to corporate systems long after they have left the company," Osterman said. "While this might not be much of a problem for a point-of-sale system at which an ex-employee must be physically present to log in, it can be a problem for back-end databases that contain customer data, corporate email and other systems that contain sensitive information."
Osterman said the simplest way to mitigate any of these risks is to provide unique login credentials for each employee.
"This allows IT to do a number of things: Determine who logs in, when they do so and what they do online; it allows IT to enforce password-change policies, such as forcing employees to create a new password every three months; and it allows login credentials to be cancelled immediately for employees who leave the company," Osterman said. "Also, unique login credentials allow differing levels of access control for different employees."
Once unique credentials are offered to all employees, Osterman said organizations need to improve visibility by implementing technologies that can monitor activity and separate potentially risky behavior.
"For example, a retail floor manager who accesses a single customer's purchase record at 11 a.m. on a Tuesday morning is probably dealing with a bona fide customer service issue. An employee who downloads files containing large amounts of sensitive customer information at 3 a.m. on a Sunday morning is probably doing something they shouldn't," Osterman said. "A monitoring system should be implemented to catch this type of behavior and take appropriate actions, such as alerting someone on the IT security team [and] locking out the employee until their access can be properly vetted."