White Paper on Corporate IT Data Security at Publix Retail Outlets Authors Shweta Kapadnis (16122942) Charles Ofei () Sebastian () CONTENT Table of Contents Authors.......................................................................................................................................................... 1 CONTENT ................................................................................................................................................... 2 EXECUTIVE SUMMARY ........................................................................................................................ 3 INTRODUCTION....................................................................................................................................... 4 WHERE PUBLIX IS WITH DATA SECURITY .................................................................................... 5 THE EXISTING DATA SYSTEMS, SUCCESSES, OPPRTUNITIES AND RISKS AT PUBLIX .... 6 THE MAIN AREAS OF RISK CURRENTLY INCLUDE..................................................................... 7 STEPS TO REDUCE VULNERABILITY TO DATA SECURITY BREACH .................................... 8 STEPS PUBLIX CAN TAKE .................................................................................................................. 10 CONCLUSION ......................................................................................................................................... 11 REFERENCES .......................................................................................................................................... 12 EXECUTIVE SUMMARY In 2007, TJ Maxx fell victim to a data breach involving the theft of financial information of 94 million customers. The unprecedented scale of this breach brought the importance and vulnerability of Enterprise Information Systems to the public eye. And so began a trend of mainstream digital espionage which has so far affected major companies and organizations like Sony, Heartland, Target, Adobe, EBay, JP Morgan and even the government agencies. Properly managing and securing customer data has become paramount now more than ever. Companies are scrambling to patch digital loopholes and stay ahead of the information technology (IT) arms race. With the internet offering massive amounts of knowledge and tools in increasingly open-source formats, almost anyone anywhere in the world is able to circumvent many old IT security standards. A company like Publix is a prime potential candidate for a data breach or unauthorized access to its data network. With the current systems already in place, it is only a matter of time before malicious data thieves are able to gain access to confidential customer information. This white paper aims to explore the vulnerabilities in Publix’s information systems infrastructure, while providing insights into the trends and severity of these issues. Recommendations regarding the company’s digital security are outlined and explained in detail. These include operational policy changes such as better employee training, overhauled access controls, and better contingency plans in the event or risk of breaches. Other recommendations include infrastructural upgrades such as newer point-of-sale systems, higher network bandwidths, and other ways to improve system maintenance practices. A strong and well-implemented information network is critical in not only keeping business and customer data safe, but also an important requirement of modern business according to strict federal operational laws. INTRODUCTION In January 2007, TJX Companies, Inc., the parent company of T.J. Maxx and Marshalls, announced that it fell subject to one of the biggest consumer data security breaches of all time. After investigation, the company announced that over 94 million Visa and MasterCard accounts were compromised. The scale of the financial effects were so big that the breach is now classified as the third largest security breach of all time. The direct cost of the aftermath reached upwards of $256 billion which far exceed the original estimates by ten times. So what went wrong? First, adequate wireless network security was absent. More specifically, the company used the wireless security protocol called wired equivalent privacy (WEP). The issue with WEP is that the protocol can be so vulnerable to hacking that it does not comply with corporate industry standards. Consequently, company records were accessed by hackers without any detection during an 18month period. Secondly, the data was stored improperly. The company used a point-of-sale (POS) legacy system which did not comply with industry standards as well. The POS system used recorded the card-validation code (CVC) and the personal identification number (PIN) every time a customer made an in-store or online payment. This improper method of storing information resulted in much ease for hackers to collect all the information in one place (Berg, Freeman, & Schneider, Aug. 2008). WHERE PUBLIX IS WITH DATA SECURITY How is this relevant? Well, Publix does not operate much differently from TJ Maxx, therefore, an awareness of the situations that transpired at TJ Maxx and similar companies is beneficial to Publix. Publix Super Markets Inc., is an employee owned supermarket chain based in Lakeland, Florida operating about 1084 stores across six states in the southeastern region of the country. Florida has the most stores with 756 and all other each having less than 100 stores each. Publix is recognized as a top Fortune 100 best company to work for in the U.S, and is the largest private company in Florida. Revenue in 2013 reached over $27.7 billion, with a net income of about $1.5 billion in the same year. The company employs over 167,000 workers nationwide (“Facts and Figures,” 2014). As of this publication, Publix has not had any history or encounters with direct attacks to its I.T. infrastructure. The company has made great strides in acquiring state of the art data security measures, while partnering with some of the industry’s best data security analysts and experts. However, these measures do not completely make Publix invulnerable to data breaches. Information technology is an ever-evolving sector where existing standards are constantly rendered obsolete and newer ones created every day. In 2012, security firm McAfee Security Solutions identified eight million new unique malicious software code distributed worldwide. Consequently, data security software has had to adapt drastically to address each of these threats, while also containing previous existing ones. (“Security Considerations,” 2012). Change has simply been accepted as a constant in the world of I.T. Furthermore, as the industry continues to grow, and more standards and technologies become open-sourced, more people will have easy access and knowledge about digital data technology more than ever before. This poses new challenges in the quest to secure data systems for a company like Publix -- the most obvious being: how to stay ahead of I.T. trends in an environment where change happens often and happens quickly? THE EXISTING DATA SYSTEMS, SUCCESSES, OPPRTUNITIES AND RISKS AT PUBLIX Publix currently has an IT infrastructure which is considered relatively average by industry standards. The digital network at Publix retail outlets can be broadly categorized into Point-ofSale systems, customer data storage, access control, and the underlying private network that binds all these systems together. This is a self-sufficient information loop which also shares data with external networks like the Publix distribution supply network, the internet, as well as the authorization systems used at various third-party merchant and finance institutions. Publix has been very successful keeping in line with state-of-the-art security trends by partnering with top security companies and investing significantly to keep compliance with industry bestpractices. There are, however, areas where Publix can improve and fortify its systems. The company’s retail system is currently concentrated across the American Southeast and accessed by the public constantly. Protection against cyber-attacks, although ever challenging, can be successfully managed if planned well. Fortunately, Publix is still a growing company and currently not as geographically dispersed as some of its competitors. This makes the task of data security, slightly more manageable THE MAIN AREAS OF RISK CURRENTLY INCLUDE Security Patches: Although Publix has the requisite data hardware and software, keeping these systems up-to-date can prove challenging, especially where there are thousands of devices involved across all 1084 Publix store locations. In-store systems go un-updated or unpatched for long periods of time, unlike other Publix enterprise systems. This is because Publix store networks currently have limited connectivity, bandwidth and service models to receive these security updates automatically. Maintenance Hurdles: In order for any information system to run efficiently and securely, it requires regular maintenance by technical system experts who are capable of detecting, diagnosing, and repairing any potential problems. In several of Publix’s remote store locations, maintenance tends to be a real challenge. Typically, issues that require anything more than a simple reboot takes several days to fix as technicians need to travel long distances to these locations to address maintenance issues. Also, at some of these remote store locations, Publix still uses older legacy Point-of-Sale systems older than 7 years, which poses serious risk to the data network. Some vendors of these systems have discontinued support and no longer send important system updates to fix new security threats. Network loopholes: In the Information Technology industry, wireless networks remain a security weak link. There has been good progress made in making wireless networks more secure, but there’s still much that can be done. Intruders with enough sophisticated knowledge are able to break into even the most secure governmental and banking networks. Wireless networks are a security liability which require constant monitoring and management. Publix Stores’ current wireless infrastructure, the WPA (Wi-Fi Protected Access) protocol, which although currently acceptable by mainstream consumer standards, will need further upgrading for added security. The more secure WPA-Enterprise standard is specifically designed for enterprise networks and requires the use of complex integrated authentication servers. This upgrade protects against “brute-force” password hacking and other common malicious attacks. Physical compromise: Another identified risk to Publix’s data network is the level of physical access employees have to the Publix computer hardware and devices. Anyone with physical access to a retail system is able to attach USB drives and other peripherals capable of introducing malicious software into the system. Once these systems get infiltrated by unauthorized software, any data contained within can be downloaded and stolen by unauthorized parties or “hackers”. STEPS TO REDUCE VULNERABILITY TO DATA SECURITY BREACH Train employees on how to deal with sensitive data: Just like a motor vehicle needs periodic oil changes and tire rotations, the IT personnel or external IT experts must periodically assess risks regarding data security breaches. The importance of periodic assessment arises because a minor change in the network infrastructure could possibly expose the system to vulnerabilities. As mentioned before, innovative methods of attacks are invented daily, so what was considered secure yesterday may not be secure today. The most efficient and effective way to accomplish an assessment is through prioritization. Prioritization ensures that best use of the limited and valuable resources are allocated to areas assessed as vital. IT experts should have vast knowledge regarding the relative significance of the diverse sets of applications, systems, data, storage and other communication mechanisms. A system or network architecture, such as a network diagram illustrating the manner by which assets are configured and interrelated should be of immense help when identifying critical areas for resource allocation (see diagram below) (Schmittling, 2010) Another reason why periodic assessments are of uttermost importance is that they can help a business such as Publix comply with government regulations that dictate various security measures. Regulations found under FISMA and the Sarbanes-Oxley all dictate various compliance measures that if not met, penalties and various other direct and indirect costs may result. Provide proper employee training: To ensure employees protect your valued business data, Publix can establish a cyber-safety training program. Most importantly, the company must provide employees with ways for creating strong and distinct passwords. Employees have the tendency to create passwords that are easy to remember but they made must be made aware that actions like these open the doors to cyber attackers to gain easy access to private information. Moreover, to ensure proper restrictions exist for accessing various devices, users should be assigned role-based access and be granted access only to the applications or information they need. Segmenting user and administrator privileges by roles enhances security by minimizing the extent of harm that they can cause — either intentionally or by accident. Furthermore, employees must be educated on certain scams such as phishing which is a type of scam under which cyber-criminals pose as personnel of the company to gain access to sensitive information. Another way to minimize security breaches is to advise every personnel to encrypt every information exchanged. Encrypting information allows only the intended recipient to open a document with a given code. Secure data physically and virtually Physical location of data is another important aspect of protecting against unintended intruders. The first step must first deal with distinguishing between data that is considered sensitive versus data that needs no special security. Once that’s accomplished, all of the restricted data must be physically separated and placed in a secure facility. Oracle can provide systems that can only be accessed by authorized personnel. Upon the event that the system is tempered with, immediate notification will be sent to the information technology department. A system that prompts and validates a combination of a user identification and fingerprint (or facial) identification is recommended. As recently stated, the determination of what information is important must be made. All information and data that is not considered necessary must be disposed of. Our advice to all businesses if that the less information you have around, the less vulnerable you are to theft of data. Businesses should only collect those pieces of data that are really needed. Don't put your customers and business at risk by storing credit card numbers that are not needed. And never prompt customers use their Social Security number as an identifier. Virtual protection can be accomplished by helping you implement a highly secured virtual private network (VPN). VPNs are highly suggested when exchanging information among different offices or stores located in different areas of the country. As the name suggests, a VPN allows access to a private network only to devices that are granted access through prompted credentials. VPNs can highly secure your computer's internet connection to guarantee that all of the data you're sending and receiving is encrypted and secured from unwanted users. STEPS PUBLIX CAN TAKE CONCLUSION As it can be seen on the graph above, hacking and malware threats have grown and continue to grow at an immense speed. On average, a data security breach costs companies about $200 per customer security breach. This figure mostly constitutes legal defense and settling costs (“2011 Cost of Data,” 2011). For a retailer such as Publix, claims from a data breach can come from diverse parties such as customers, lenders, and suppliers. Aside from the direct costs, companies can adversely suffer other indirect financial and nonfinancial effects. One of the biggest and destructive side effects is the manner by which public relations can negatively be affected. Once consumers, investors, lenders, and other interested parties become aware of a certain data breach, they may subsequently limit their business with the particular company affected. For these reasons, companies like Publix must ensure that they comply with current regulatory standards and go beyond to protect themselves from any cyber threat. Added security most certainly involves additional costs as recently discussed but rational managers should be able to comprehend that the benefit received from added security almost always outweigh the initial associated costs in the long term. For this reason, it is highly advisable that a business such as Publix needs to invest in the implementation of various security functions. First, there need to periodic assessments of security risks. To accurately assess risk, IT personnel must identify the sectors of IT that are most valuable to the organization and direct the needed resources to such segments. Without the elevation regarding the relevance of the various types of data in the organization, it could nearly be impossible to prioritize and allocate technology resources where they are urgently needed the most. Second, there needs to be physical and virtual protection from all unwanted intruders. Data storage repositories, such as database management systems must be properly secured and the organization must ensure that all malware protection software need to be up-to-date and secure. Finally, employees must receive in-depth training regarding the proper handling of physical assets, such as hardware devices used in the data center and communication components or peripherals (e.g., PDAs, laptops, and desktops). In summary, businesses should scrutinize and be highly aware of what information they possess and implement enough security to protect themselves and avoid becoming victims of security data breach. REFERENCES 2011 Cost of Data Breach Study: United States. (2014, Nov. 17). Ponemon Institute. Retrieved from http://www.ponemon.org/local/upload/file/2011_US_CODB_FINAL_5.pdf Berg, G., Freeman, S., & Schneider K. (2014, Nov. 17). Analyzing the TJ Maxx Data Security Fiasco. The CPA Journal. Retrieved from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm Facts and Figures. (2014, Nov. 17). Publix.com. Retrieved from http://corporate.publix. com/about-publix/company-overview/facts-figures Schmittling, R. & Munns, A. (2014, Nov.17). Performing a Security Risk Assessment. ISACA. Retrieved from http://www.isaca.org/Journal/Past-Issues/2010/Volume-1/Pages/ Performing-a-SecurityRisk-Assessment1.aspx Security Considerations for Retail System OEMS. (2014, Nov. 17). McAfee.com. Retrieved from http://www.mcafee.com/us/resources/solution-briefs/sb-intel-retail-system-oems.pdf IMAGE References: Schmittling, R. & Munns, A (Illustrators) . (2010). Figure 1-Risk Map [Illustrative Chart]. Retrieved Nov. 17, 2008, from: http://www.isaca.org/Journal/Past-Issues/2010/Volume-1/Pages/Performing-a-SecurityRisk-Assessment1.aspx Security Solutions for the Retail Industry [Illustration]. (2012). Retrieved Nov. 17, 2014, from: http://www.mcafee.com/us/resources/solution-briefs/sb-intel-retail-system-oems.pdf The Digital Threat [Illustration]. (Sep. 30, 2014). Retrieved Nov. 17, 2014, from : http://theheartofbigbrother.wordpress.com/2014/09/30/part-3-the-digital-threat-cyberwarfare/