Believe it or not, that’s one of the key takeaways from a session we recently led at the Retail Hospitality Information Sharing and Analysis Center’s annual Cyber Intelligence Summit. Yes, phishing, ransomware and other issues were cited as major concerns, but as external threats. Internally, word was that "the business" was seen as a primary adversary—an actual threat to cybersecurity.
We weren’t totally surprised, but the candor we heard was impressive. This was the kind of thing you don’t read about in threat intelligence reports. And that’s not all. Other cybersecurity "adversaries" cited during our session were vendors, employees and developers.
So, is this security people complaining about lack of budget and support, or is there more to it? We have some thoughts about that, and would love to hear yours, but first … let’s back up and provide some context.
The session we led included more than 30 security executives and analysts from leading retail and hospitality organizations. It focused on major threats and risks to security and on securing those businesses’ value chains. Much of the discussion touched on the points in our Retail and Hospitality Threat Trend Report. Participants ranged from analysts in a SOC to directors and security executives.
The value of this approach was hearing “from the horse’s mouth” the threats members face every day. Having said this, we need to recognize that the feedback was impromptu. It came up in brainstorming fashion rather than from formal research. Still, it was fascinating to hear such frank and unusual discussion.
Threat actors, in no particular order
The threat actors the group listed were interesting in that they departed from most threat intelligence reports. Instead of focusing on well-known cybercrime groups or nation-state actors, the people running security programs told us they are most concerned about the following security “adversaries”:
- The "business"
- Cyber crime
Though the list above isn’t prioritized, it was clear that most of the participants felt they were fighting the business more than any external adversary. That’s counter-intuitive, and speaks volumes, so let’s say it again: Business stakeholders and executives are often viewed in adversarial terms rather than as collaborators or partners in the security mission. Why? Well, security personnel often feel that the needs or initiatives of the business are at odds with their security mission. For example, new initiatives in mobile, e-commerce and the IoT create more IT estate that needs to be secured. Employment of seasonal workers, VPN access for remote workers and third-party suppliers were all viewed as significant security threats as well.
Keep in mind that IT departments also came up as an adversary. The context is that getting IT (infrastructure management) to patch and remediate vulnerabilities continues to be a persistent challenge as business needs almost always trump security.
In fairness, we know money and resources are limited. So is talent, though there are efficient ways around that. Clearly, the business can’t give everybody everything they want. We get that. And we’re only serving as the messengers here, so don’t condemn us too quickly. Still, what we heard was concerning.
Take vendors, for example. Certainly, being concerned about how partners can affect cybersecurity isn’t new. Vendors need access to corporate systems, which can introduce significant risks. But the concern we heard, about how vendors are seen as potentially more dangerous than ransomware, well, that was eye-opening.
Employees and developers, as well
As we already know from our Retail and Hospitality Threat Trend Report, employees can introduce risk by being easy targets of phishing. No huge surprise there, though that doesn’t detract from the risk. It is an aspect of security that must be addressed. Similarly, as retail gets digitized and e-commerce platforms become a large portion of the business, software developers can pose a serious risk in terms of the vulnerabilities they can introduce—accidentally or purposefully—in apps, app frameworks and other software.
Now on to the everyday external threats
In informally polling the group on threats they see and respond to every day, there was closer alignment with threat intelligence assessments. The group listed the following tactical threats:
- Gift cards
- Account takeover
- Password attacks
- Credit card validation
- Credential harvesting
No real surprise here if you work in retail or hospitality, so we asked the group to talk about more strategic or longer-term threats to the business from a cybersecurity perspective. Below is their list:
- Working from home
- Tech innovations
- Connected devices
- Third party data practices
- Legacy tech
- Asset management
- Seasonal employees
The above list is also interesting because these are topics that are often not discussed and rarely addressed—for example, how to successfully manage technology change.
To get the entire picture, listen to your security people
What we learned is the view from "the trenches" is often different—but is no less important, according to the people who were kind enough to contribute to our discussion.
One more thing: Beyond improving your processes, we’d like to get another message out to “the business”—your security people are passionate and they want to protect your company. They want to do a good job.
At Accenture, we believe that when "the business" and Security communicate more effectively, they can then start taking concrete steps like plugging into the expertise of go-to security firms and managed security services.
For more information on threat intelligence, business value chains, or our managed service offerings, please contact us at MDR.email@example.com.