Holiday temps gain access to systems, merchandise and sensitive information. Here is how retailers can mitigate the risks posed by these temporary workers.

Michael Addo-Yobo, managing principal, Cyber Risk Advisory, Coalfire

When retailers ramp up for the holidays, they add not only appealing new merchandise but also large numbers of contingent workers to serve bustling holiday shoppers. But how well do these retailers really understand the security risks that come with such rapid and significant staff augmentation?

For many retailers, these temporary staff additions aren’t trivial: For example, Amazon announced plans to nearly double its fulfillment center workforce with 120,000 contingent staff; Macy’s added 80,000; Target, 100,000; JC Penney, 40,000. Added contingent staff will be granted access to systems, merchandise, full-time staff, and potentially sensitive information, which can increase overall security and compliance risk. Let’s review some of the scenarios that lead to these risks and the actions retailers can take to mitigate them.

The Potential for Insider Threat

Insider threats are difficult to detect, come in different shapes and forms, and can be intentional or unintentional. Employees and contingent staff alike may consciously or subconsciously act on opportunities to use data without careful thought and planning, and sometimes act deliberately for personal gain. Disgruntled employees may steal information, leak it online, or even damage corporate data assets as payback for perceived injustice.


Corporate espionage is also a growing problem; even honest employees or contingent staff could be enticed by an offer to leak or steal information that they would be hard pressed to refuse. Employees or contingent staff may want to start their own competing businesses and decide to get ahead by gathering and using enterprise data. These are all examples of insider threat opportunities that retail enterprises may have to contend with. Hiring large numbers of contingent staff can exacerbate the insider threat problem for retail enterprises, and thus the real challenge for retailers is mitigating these insider threat-related risks to acceptable levels.

Contingent Worker Security Risks

According to Fortune magazine, employee theft is the number one insider threat activity in the U.S. retail industry: missing goods from shoplifting and other causes cost U.S. retailers about $42 billion a year, according to the publication. Employees and contingent workers add to this risk because they can leverage the checkout process for financial gain. For example, they can manipulate a transaction to benefit themselves or someone else by entering illegitimate refunds, discounts, or voided transactions into a cash register. They can also cancel transactions, modify prices, or record a coupon that was never used, pocketing the extra cash. Credit card theft is also quite common, especially when card numbers are written down on a piece of paper for later use, and some employees or contingent staff have reportedly memorized customer credit card numbers.
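The checkout abuses described above (illegitimate refunds, voids and discounts) leave a footprint in POS transaction logs. As an added example that is not from the article, the script below scores each cashier's share of revenue-reversing transactions against their peers and flags statistical outliers for supervisor review; the transaction records, cashier IDs and threshold are constructed for illustration.

```python
"""Flag cashiers whose voids, refunds and manual discounts stand out from peers.

Constructed POS records (not real data) are scored per cashier; a cashier
whose reversal rate sits more than z_threshold standard deviations above the
store mean is reported for a supervisor to review.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (cashier_id, transaction_type, amount).
SAMPLE_TXNS = [
    ("c01", "sale", 25.00), ("c01", "sale", 40.00), ("c01", "refund", 15.00),
    ("c01", "sale", 10.00), ("c01", "sale", 33.00), ("c01", "sale", 12.00),
    ("c02", "sale", 18.00), ("c02", "void", 18.00), ("c02", "refund", 60.00),
    ("c02", "void", 22.00), ("c02", "refund", 45.00), ("c02", "sale", 9.00),
    ("c03", "sale", 30.00), ("c03", "sale", 50.00), ("c03", "sale", 20.00),
    ("c03", "discount", 5.00), ("c03", "sale", 14.00), ("c03", "sale", 27.00),
]
# Transaction types that reverse or reduce revenue and deserve a second look.
REVERSAL_TYPES = {"refund", "void", "discount"}

def reversal_rates(txns):
    """Return {cashier_id: share of that cashier's transactions that are reversals}."""
    totals, reversals = defaultdict(int), defaultdict(int)
    for cashier, kind, _amount in txns:
        totals[cashier] += 1
        if kind in REVERSAL_TYPES:
            reversals[cashier] += 1
    return {c: reversals[c] / totals[c] for c in totals}

def flag_outliers(txns, z_threshold=1.0):
    """Cashiers whose reversal rate exceeds the peer mean by > z_threshold std devs."""
    rates = reversal_rates(txns)
    if len(rates) < 2:          # a single cashier has no peer group to compare with
        return []
    mu, sigma = mean(rates.values()), pstdev(rates.values())
    if sigma == 0:              # everyone behaves identically: nothing to flag
        return []
    return sorted(c for c, r in rates.items() if (r - mu) / sigma > z_threshold)

if __name__ == "__main__":
    print(flag_outliers(SAMPLE_TXNS))   # ['c02']
```

In practice the peer group would be cashiers on the same store and shift over a longer window, and a flag is a prompt for a manager to review the receipts, not a verdict.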

Retail enterprises are challenged to minimize opportunities for exploitation of insider threats within their retail outlets. The best chance to reduce risk is evolving the maturity, operating effectiveness, and governance of security controls, making it much more difficult for bad actors to exploit these insider threats.


Setting Tolerable Levels of Risk

The level of tolerable risk in a retail organization equates to how much financial and non-financial impact the enterprise is willing to absorb. No security program can mitigate every risk, so setting a tolerance level for risk is an important step in a security program. Many retail enterprises lack a properly executed business impact analysis that quantifies or qualifies impacts clearly enough for intolerable loss to be defined. Some retail enterprises compensate for this limitation by passing some of the risk on to consumers, who then pay more for goods—retailers use this tactic to offset losses. While customers “suffer” unduly in this situation, this risk-transfer tactic does not fully offset the impacts that could result from exploited insider threats.

For example, a major security breach that exposes customer credit card and transaction data leads to brand and reputational damage, as well as customer and regulatory impacts that may not be offset by merchandise price increases. According to a Ponemon/IBM survey, the annual average cost per company of successful cybersecurity attacks in the retail industry was $8.6 million—and this number is expected to rise over the next three years. Furthermore, major security breaches can also affect ongoing business operations and thus revenue.

A formal business impact analysis exercise that assesses the financial and non-financial impacts of insider and other types of threats is a legitimate approach to defining the intersection between tolerable and intolerable impacts, so that risk thresholds for retail organizations can be set. A formal business impact analysis also helps to determine effective strategies and actions required to mitigate these risks.


How Companies Can Manage the Threat Posed by Contingent Staff

Beyond conducting background screens, human resource security is an often-overlooked component of enterprise security management. In many retail enterprises, once an employee or contingent staff member is hired there is plenty of trust and very little verification of appropriate security activities and behavior.

Human resource security management and control activities should apply before, during, and after the engagement of an employee or contingent staff member in order to mitigate insider threats. Pre-hire background checks are common but often not stringent enough. Once an employee or contingent staff member is hired, it is important to allocate security access rights and privileges according to job role and the sensitivity of the information tied to that role. Upon a change of role, it is also important to promptly review and modify access rights and privileges to align with the employee or contingent staff member’s new role. Upon termination, all access rights and privileges must be fully and immediately revoked.
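The hire, role-change and termination controls above can be checked mechanically by reconciling the HR roster against what the access-control system actually grants. As an added example that is not from the article or from Coalfire, the script below runs that reconciliation over constructed data; the role names, privilege names, worker IDs and dates are all hypothetical.

```python
"""Reconcile contingent-staff HR records against active system access grants.

Constructed HR roster and entitlement records (not real data) are checked for
the three conditions the article asks retailers to control: privileges beyond
the job role's baseline (including leftovers after a role change), grants still
active after the engagement end date, and grants with no HR record at all.
"""
from datetime import date

# Hypothetical role baselines: the privileges each job role should carry.
ROLE_BASELINE = {
    "seasonal_cashier": {"pos_operate"},
    "seasonal_stock": {"inventory_read", "receiving_scan"},
    "shift_lead": {"pos_operate", "pos_void", "inventory_read"},
}

# Constructed HR roster: worker_id -> (current role, engagement end date).
HR_ROSTER = {
    "t1001": ("seasonal_cashier", date(2024, 12, 31)),
    "t1002": ("seasonal_stock", date(2024, 12, 31)),
    "t1003": ("seasonal_cashier", date(2024, 11, 30)),  # engagement has ended
}

# Constructed entitlement export from the access system: (worker_id, privilege).
ACCESS_GRANTS = [
    ("t1001", "pos_operate"),
    ("t1001", "pos_void"),        # beyond the cashier baseline (e.g. old shift_lead grant)
    ("t1002", "inventory_read"), ("t1002", "receiving_scan"),
    ("t1003", "pos_operate"),     # should have been revoked on the end date
    ("t1999", "pos_operate"),     # no HR record for this account
]

REVIEW_DATE = date(2024, 12, 5)   # constructed date on which the review runs

def review_access(roster, grants, today):
    """Return sorted (worker_id, privilege, finding) tuples for grants needing action."""
    findings = []
    for worker, priv in grants:
        if worker not in roster:
            findings.append((worker, priv, "no_hr_record"))
        elif today > roster[worker][1]:
            findings.append((worker, priv, "engagement_ended"))
        elif priv not in ROLE_BASELINE.get(roster[worker][0], set()):
            findings.append((worker, priv, "exceeds_role_baseline"))
    return sorted(findings)

def run_review():
    """Run the reconciliation over the constructed sample data."""
    return review_access(HR_ROSTER, ACCESS_GRANTS, REVIEW_DATE)

if __name__ == "__main__":
    for worker, priv, finding in run_review():
        print(f"{worker} {priv}: {finding}")
```

Running this on a schedule turns the article's "trust but little verification" gap into a recurring check, and the `engagement_ended` finding is the one to act on first since it is a complete revocation failure.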

Employee and contingent staff security education is also essential, teaching them to avoid falling victim to social engineering and making other security errors. Together, these measures give retail organizations the best chance to detect insider threats and take prompt corrective action, gain visibility into employee and contingent worker activities and behaviors from a security perspective, and reduce insider threat risks.


Coalfire provides cybersecurity risk management and compliance services.