Lessons We Should Have Learned From the Zappos Data Breach
By Matt McKinley
It’s been months since Zappos.com experienced a massive data breach, and the retail industry received a lesson in the speed of information. Within minutes of the breach notification to 24 million customers, the industry was scrutinizing Zappos’ response to the incident. Within days, a class-action lawsuit was filed.
The "lesson learned" for retailers couldn't have been articulated more clearly: You may be next. Have a plan.
Data breaches will happen, and major retailers have a target on their backs. However, a level of desensitization is occurring in IT as it relates to information and network security. As data breaches become more prevalent, retailers are wondering why their security investments aren’t getting the job done. On the flip side, recent studies show that the average cost of a data breach is actually down as customers have become more tolerant of these incidents.
Breaches despite strong security investments. Customers staying loyal even when data is breached. Sounds like a scary recipe for network security apathy, doesn’t it?
Retailers would be wise to do more than prepare for the next attack. Many would be well served to revisit the basics of network security. It’s alarming how many data breaches occur not because of the sophistication of the attack, but because one or more rudimentary security measures weren’t properly implemented. These include:
· Two-factor authentication: A single password protecting user information is insufficient. Implementing two-factor authentication means greater protection for customers and, fortunately, doesn’t have to be a complicated endeavor. Two-factor authentication can take many forms, but the two factors should be of different types: something the customer knows (a password) combined with something the customer has (a one-time code from a token or phone app) or something the customer is. Two credentials of the same type, such as a password plus security questions, is more accurately called two-step verification. It still raises the bar over a single password, but because both secrets are things the customer knows, a phishing page or a dump of the user database can capture them together. Any additional check beats a lone password; an independent second factor is what defeats the common attacks.
· Non-disruptive, proper network segmentation: Of all the strategies that can be employed to contain a breach, few are simpler than restricting the path to the riches. The parts of the network that hold the most sensitive information should not be reachable from the systems an attacker is most likely to compromise first, such as public web servers or employee workstations. At each critical junction in the network there should be physical and logical controls (deny-by-default firewall rules between zones, separate credentials for each zone, and logging of traffic that crosses a boundary) that make reaching sensitive information difficult and noisy. This simple step puts a bastion between an attacker’s initial foothold and a breach.
· Contextual awareness: Making access decisions is difficult with the limited information that has traditionally been available to security devices, often little more than source address, destination address and port. Thankfully, next generation security capabilities are arming retailers with contextually aware information such as time, data, user, application and location. This insight enables retailers to make smarter decisions on how to grant access to their most critical resources: the same credentials can be allowed to reach an administrative application from the corporate network during business hours and refused from the Internet at 3 a.m. Having these capabilities as part of your security arsenal is highly recommended.
Large-scale breaches will continue to occur and, as the Zappos breach showed, being prepared to deal with one will remain a priority. As such, retailers must be diligent in improving all aspects of network security, from the very basic tenets to advanced protection to a post-breach plan.
Matt McKinley is the US Director of Product Management for Stonesoft, a provider of integrated network security solutions to secure the inform