When the news came that Asda and Sainsbury’s are planning to merge, questions continued to be raised on how retailers are dealing with merging IT systems that are potentially fraught with extensive risks. From the consolidation of network policies in an acquisition, to the mistrust of employees and third parties, how exactly should security teams address the issues at hand?
Mergers represent new uphill battles into unfamiliar territory while employees get to grips with completely new systems and often disparate company cultures. For example, when it comes to systems integration, these differences can be a ticking time bomb – if a smaller independent creative retailer merges with a larger process-orientated retailer, there are likely to be clashes. While employees will try their hardest to get to grips with a new system, it’s no surprise that 58% of retail companies are concerned about the unintentional mishandling of sensitive data by an employee, and while they might be trying their hardest, there are some clear bad practices that are being undertaken in the retail industry.
In a desperate bid to make it work, or to find a quick workaround, 58% of employees will tell each other their passwords, as found in BeyondTrust’s most recent Privileged Access Threat Report. Even more alarming is the unrest that may occur with the onset of a merger; it’s not rare for mergers to encompass job losses in their bid to make profit, and as businesses undergo these changes, 61% of the retail sector is concerned about sabotage by a former employer who has access to sensitive data.
Employees are an inevitable core component of any business and it’s impossible to just deny them access to an organization’s network to mitigate risks. BeyondTrust’s report found that 67% of retailers believe an insider data breach is the biggest threat they’re facing in terms of network security, and they’re not wrong to think this either. In fact, a worrying 60% of retail firms have possibly or definitely suffered an insider related breach in the last year alone and half of breaches can be directly or indirectly attributed to an employee accessing the system, signifying just how much harm a trusted employee can cause.
Despite this and, even though security professionals in the retail sector have admitted their concern about unintentional and intentional handling of data by employees, action has ceased to follow this recognition. With such an influx of people sharing sensitive data, a more viable and robust solution is needed to counteract the security risks that threaten companies, whilst also ensuring productivity across the business is not hindered.
Retail companies have no other choice but to get prepared. An organization’s insiders, such as IT administrators and service desk technicians, would benefit from privileged access to support users and systems during a tumultuous time, and only provide access to data where it’s needed. However, such access is often granted in uncontrollable and untraceable ways making the organization more vulnerable to attacks. Privileged accounts and passwords are prime targets to cyber-criminals because they allow hackers to utilize legitimate credentials with elevated permissions to access other areas of the network. If credentials are stolen or compromised cyber-criminals can move laterally across networks, expanding the damage beyond the initial breach. Retailers need privileged access management (PAM) solutions that allow for greater visibility of possible malicious activity to help safeguard their most critical systems, accounts and credentials.
With this in mind, it is necessary to consider the user experience does not hinder productivity and simple day-to-day tasks just for the sake of security to free up resources in the IT team. Technology is one part of the solution, but people and processes support this too and employees need to be trained to understand and enforce the necessary procedures to help protect the business from cyber-threats.
Balancing the needs of the business against the needs of those accessing network systems is just one of the many challenges companies face. Even being secure internally is not enough as last year’s Fortnum & Mason breach showed. After being tied to a third-party breach which resulted in the data theft of 23,000 customers, it was a stark reminder that retailers can never be too safe. Employee and vendor access needs to be controlled comprehensively by monitoring behavior, creating audit trails and implementing a solution of greater visibility. Only once access is secured can organizations fully embrace the advantages of the consolidation of network policies and hiring of new talent in
the age of mergers and acquisition.