Is "the business" a major threat to cybersecurity in retail and hospitality?
November 15, 2019
Believe it or not, that’s one of the key takeaways from a session we recently led at the Retail Hospitality Information Sharing and Analysis Center’s annual Cyber Intelligence Summit. Yes, phishing, ransomware and other issues were cited as major concerns, but as external threats. Internally, word was that "the business" was seen as a primary adversary—an actual threat to cybersecurity.
We weren’t totally surprised, but the candor we heard was impressive. This was the kind of thing you don’t read about in threat intelligence reports. And that’s not all. Other cybersecurity "adversaries" cited during our session were vendors, employees and developers.
So, is this security people complaining about lack of budget and support, or is there more to it? We have some thoughts about that, and would love to hear yours, but first … let’s back up and provide some context.
The session we led included more than 30 security executives and analysts from leading retail and hospitality organizations. It focused on major threats and risks to security and on securing those businesses’ value chains. Much of the discussion touched on the points in our Retail and Hospitality Threat Trend Report. Participants ranged from analysts in a SOC to directors and security executives.
The value of this approach was hearing “from the horse’s mouth” the threats members face every day. Having said this, we need to recognize that the feedback was impromptu. It came up in brainstorming fashion rather than from formal research. Still, it was fascinating to hear such frank and unusual discussion.
The threat actors the group listed were interesting in the sense that they departed from most threat intelligence reports. Instead of being focused on well-known cybercrime groups or nation-state actors, what we learned was the people running security programs are most concerned about the following security “adversaries:”
Though the list above isn’t prioritized, it was clear that most of the people who participated felt they were fighting the business more than any external adversary. That’s counter-intuitive, and speaks volumes, so let’s say it again: Business stakeholders and executives are often viewed in adversarial terms rather than as collaborators or partners in the security mission. Why? Well, security personnel often feel that the needs or initiatives of the business are at odds with their security mission. For example, new initiatives in mobile, e-commerce and the IoT create more IT estate that needs to be secured. Employment of seasonal workers, VPN access to remote workers and third-party suppliers are all were viewed as significant security threats as well.
Keep in mind that IT departments also came up as an adversary. The context is that getting IT (infrastructure management) to patch and remediate vulnerabilities continues to be a persistent challenge as business needs almost always trump security.
In fairness, we know money and resources are limited. So is talent, though there are efficient ways around that. Clearly, the business can’t give everybody everything they want. We get that. And we’re only serving as the messengers here, so don’t condemn us too quickly. Still, what we heard was concerning.
Take vendors, for example. Certainly, being concerned about how partners can affect cybersecurity isn’t new. Vendors need access to corporate systems, which can introduce significant risks. But the concern we heard, about how vendors are seen as potentially more dangerous than ransomware, well, that was eye-opening.
As we already know from our Retail and Hospitality Threat Trend Report, employees can introduce risk by being easy targets of phishing. No huge surprise there, though that doesn’t detract from the risk. It is an aspect of security that must be addressed. Similarly, as retail gets digitized and ecommerce platforms become a large portion of the business, software developers can pose a serious risk in terms of the vulnerabilities they can introduce—accidentally or purposefully—in apps, app frameworks and other software.
In informally polling the group on threats they see and respond to every day, there was closer alignment with threat intelligence assessments. The group listed the following tactical threats:
No real surprise here if you work in retail or hospitality, so we asked the group to talk about more strategic or longer-term threats to the business from a cybersecurity perspective. Below is their list:
The above list is also interesting because these are topics that are often not discussed and rarely addressed—for example, how to successfully manage technology change.
What we learned is the view from "the trenches" is often different—but is no less important, according to the people who were kind enough to contribute to our discussion.
One more thing: Beyond improving your processes, we’d like to get another message out to “the business”—your security people are passionate and they want to protect your company. They want to do a good job.
At Accenture, we believe that when "the business" and Security communicate more effectively, they can then start taking concrete steps like plugging into the expertise of go-to security firms and managed security services.
For more information on threat intelligence, business value chains, or our managed service offerings, please contact us at MDR.firstname.lastname@example.org.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks