While the bare minimum is often an acceptable standard in many practices, the same cannot be said for digital security. The volume of data that inhabits cyberspace keeps growing, and the number and severity of corresponding threats are increasing exponentially.
“It seems a new vulnerability is disclosed every other day in this brave new IP-centric world, with reports of refrigerators acting as spambots, insulin pumps susceptible to wireless hacks, and easily-compromised smart meters,” wrote InformationWeek contributor Michele Chubirka. “At the same time, there’s the BYOD Bogeyman banging on enterprise IT’s door, with users muddying networks with their personal devices.”
This has been an especially harsh reality to deal with in the retail sector. From the massive breach that occurred late last year through Target’s POS systems to the more recent instance of data loss at P.F. Chang’s, organizations that deal heavily with customer payment information have an incredible responsibility laid out before them. Failing to go above and beyond when it comes to cybersecurity could leave many companies hurting in the long run.
Compliance alone is not enough
While many retailers might feel safe in the knowledge that their security efforts meet industry requirements, that confidence is somewhat false. Target, for example, was found to be PCI compliant roughly a year before the breach that compromised the card information of up to 70 million customers, and even then the examination noted that there were areas of concern in Target’s system.
“Compliance does not equal security,” said Payment Card Industry Security Standards Council general manager Bob Russo to the Information Security Media Group. “Even with the best standards in place, these criminals are persistent in their attacks … and businesses basically have to be defensive in their protections.”
Companies have long been able to set themselves apart by going above and beyond. In today’s security-obsessed culture, this may mean finding success by not stopping with the bare minimum of security compliance and instead pushing for the most advanced protections possible. Finding a single product to accomplish this, however, is not going to be possible. To obtain a truly effective means of defense, layered security – the act of applying several different flavors of protection to any given system – is the only all-encompassing way to guard against data loss.