BigPill Drug Stores began in 1960 and grew to 35 stores by 1990. The company had more than 100 stores in 2000. It is now a publicly traded company, with $63 billion a year in sales, a customer base of 20 million and 3,600 stores in 28 states. BigPill's annual profits are $3.3 billion, and its stock is currently trading at $6.75 a share.
The company became a major player in retail pharmacies. Its story was even required reading for Harvard MBAs. Then it happened: a massive cyber attack on the company's servers exposed customers' credit card information and insurance data.
BigPill headquarters thought they had done everything right; they thought they were secure. But they weren't. They outsourced IT security instead of creating a secure data room, monitored 24/7. They had a Chief Security Officer, but this person lacked knowledge of all the points of entry to BigPill's systems, let alone the particularly vulnerable ones. Why? Because they hired someone who had worked in the IT department rather than hiring someone with cyber security experience. Sure, they had multi-step authentication for all point-of-sale systems. But the person in charge of protecting and monitoring company data simply did not understand the threats.
BigPill didn't even know the breach had occurred until a year later, and then waited another four months before announcing it to the public. Why? They didn't fully know the extent of the breach until it was too late to stop the hemorrhaging.
If you've never heard of BigPill, you're not alone. It's a fictitious organization. But the scary truth is, cyber attacks like this are real and they're about to get worse - much, much worse.
So if you're the CEO of a $4 billion-a-year company, the question you should be asking yourself is: can you afford to lose $2 billion in sales and jeopardize the company's future? Because when a breach happens, and it will happen, several things will occur:
1. Your company will lose present and future customers, as they will no longer trust your organization to secure their financial data.
2. Your company will suffer reputational losses as a result.
3. The cost of cleanup will far exceed the cost to mitigate the attack in the first place ($140 million in Target's case).
4. Weaker sales will lead to store closures, and the entire C-suite and management will be affected, along with salaries, bonuses, stock options and stock prices.
Bottom line: whether you're the head of a large private bank or a small retail store, your data is equally vulnerable to attacks by rogue hackers, hostile governments, terrorist groups or disgruntled employees.
But if you're still convinced your company is impenetrable, consider that banks may soon hold retailers financially responsible for placing them and their customers in financial jeopardy.
Dr. Stephen P. Bucci is the Director of the Allison Center for Foreign and National Security Policy Studies. He is also a Senior Fellow at the Heritage Foundation for all issues involving Homeland Security and Defense. Bucci, speaking to attendees at the 2014 NACDS Total Store Expo in Boston, warned that if you're not doing something to lock your data down, your company is a target. "If the leaders in companies do not seek to understand the cyber threats and challenges, and then work to address them, their businesses will suffer. Cyber security is a leadership issue now!"
This past January, the FBI issued a report warning U.S. retailers to expect more cyber attacks and detailed just how vulnerable the $5 trillion industry is to cyber data theft. Data theft is considered the number one threat to U.S. retailers.
"Payment data stored on all retail IT systems is hacker friendly. The objective is to close as many loopholes in the systems as possible. Michaels, Neiman Marcus, Home Depot, P.F. Chang's and Target are vivid examples of hacker exploitation. No entity is bulletproof against the onslaught of cybercriminals," says Tom Malatesta, CEO of mobile security data company Ziklag Systems.
But closing the loopholes can be a challenge, as most merchants' POS platforms are still running on out-of-date Windows XP software. Software updates and malware prevention are not enough to stop sophisticated hackers.
Mark Tanner is co-chair of the FBI's InfraGard Cyber Security Special Interest Group (Cyber SIG) and former Director of the FBI's Foreign Terrorist Tracking Task Force. Tanner told the NACDS Total Store Expo that companies must assess and continually test their systems. "Cyber threats are constantly evolving and increasingly complex. When most companies find their security has been breached, they find it occurred more than a year ago. Defense-in-depth strategies need to be employed to minimize damage and mitigate risk."
Point-of-sale systems aren't the only vulnerability, says Paul Calatayud, SureScripts Chief Information Security Officer. Data transfer and cloud storage are also hacker access points. "A holistic security strategy is built on the understanding of where your critical data lives: both at rest and in transit."