The pace of change over the past few years has been truly astounding. It’s easy to forget, but most of us began our professional lives long before Al Gore invented the internet. Smartwatches were once only worn by Dick Tracy – and Maxwell Smart walked around on the world’s only mobile phone.
Fast-forward to today, and organizations of every size and in every industry have become wholly reliant on computers and data. From customer insights to logistics; from ecommerce to HR; from social media to financial transactions, every aspect of every organization has become data dependent.
As data has increasingly become the essential essence of organizations, the lifeblood of business and the currency of commerce, security has not kept pace with opportunity. The same data that is now essential to our operations is increasingly putting our organizations at risk.
Global cybercrime will cost the world economy $6 trillion annually by 2021 (yes, that’s Trillion, with a “T” – the equivalent of the GDP of Japan), and the problem is rapidly getting worse. What began as cyber-hijinks in the 1980s has devolved into an existential threat to organizations in every industry. Malware attacks have increased by 2,000 percent over the past decade. The ten biggest data breaches in history have occurred over the past five years – and ransomware cost organizations $11.5 billion in 2019 alone. It’s little wonder that Ginni Rometty, CEO of IBM, has said, “Cybercrime is the greatest threat to every company in the world.”
Cyberattacks have become the most preventable and consequential threat of our times. Malware, hacks, phishing, botnets, trojans, worms, keyloggers, viruses, spyware, adware, ransomware, SQL injections, DNS attacks and man-in-the-middle attacks: the problems multiply every day.
As if the ubiquity of cybercrime weren’t enough to keep the C-suite and Board regularly reaching for antacids, a recent report examining millions of hacks that occurred across over 4,000 organizations in 2018 showed the top target for cyber-attack to now be retail.
Surprised? Don’t be. Hackers attack retailers for the same reason Willie Sutton robbed banks: “Because that’s where the money is.” In an age when data is actually more valuable than money, hackers know where the most valuable data is – and where it is left largely unguarded. Personally Identifiable Information (PII) and credit card data have become the most common commodities sold on the dark web. And unlike digitally transacted currency, these ill-gotten gains can be transferred, sold and resold infinitely, and nearly for free.
If you hack a bank, you have a few pressing problems on your hands. Somehow, somewhere, someone has to retrieve the proceeds, which means transferring those ill-gotten gains into a brick-and-mortar bank for withdrawal. And while the Feds will be hot on your tail if you take a thousand dollars from Wells Fargo, the two perpetrators of the 2013 Target hack walked away with PII on 41 million customers – and were only caught by dumb luck when they tried to cross the U.S. border.
Cops and Robbers
Vexing as the challenge of cyber criminality may be, it is only the tip of the iceberg of a truly titanic challenge. In the topsy-turvy world of today’s technology, well-intended privacy legislation may occasion an even greater risk to your company from the cops than from the robbers. Those hackers that targeted Target? Adding insult to injury, Target was fined $18.5M subsequent to the breach, for the privilege of being robbed.
Along with the extraordinary upticks we’ve seen in cyber-crime over the past five years (malware, ransomware, hacks, data breaches, etc.), a spate of draconian new laws has recently been enacted — and several more are about to go into effect in January 2020 — that could prove to be a serious gut-punch to retailers.
The California Consumer Privacy Act (CCPA), which will apply to any company with data on more than 50,000 consumers or more than $25 million in gross revenue, carries fines of up to $7,500 per customer record for non-compliance. In addition to the recently passed New York SHIELD Act, the Empire State is expected to pass a version of the CCPA that will make California’s laws look like a day at the beach.
And let’s not forget HIPAA, GLBA, the Children’s Online Privacy Protection Act, the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, the NY Cybersecurity Requirements for Financial Services Companies, and the SEC Statement and Guidance on Public Company Cybersecurity Disclosures – which now mandates compliance with cybersecurity standards by all publicly traded companies.
All that, of course, is just on this side of the Atlantic. For those companies doing any business in the UK or Europe, there is GDPR, the notorious EU regulation that specifies standards for data protection and electronic privacy and which can occasion fines of up to €20 million or 4 percent of annual worldwide revenue of the preceding financial year, whichever is greater.
Topping them all… Senator Ron Wyden (D-OR) recently proposed legislation that would result in (would you believe) jail time for CEOs found to be negligent in their duties as data fiduciaries.
Robots to the Rescue
What would you do if the manager for one of your retail locations made it a habit of going home for the evening and leaving the doors wide open, the alarm codes taped to the wall, and the registers full of cash? The cyber equivalent is, I’m sorry to say, far worse than that – and it happens every day.
Despite all the changes we’ve seen over the past few decades, network security systems have remained largely unchanged since the 1980s. Potential threats, when (if?) identified, are submitted through a ticketing system and then checked against a blacklist of known offenders. The “more sophisticated” systems do pretty much the same thing, except that they rely on profiles that (in theory) can find bad actors who bear a resemblance to previous perpetrators – which means a threat that looks like nothing seen before is exactly the one they miss.
Any cybersecurity professional will tell you that this approach is like hiring a sleepy security guard with a clipboard to sit at your cyber-door. Given the inherent limitations of these obsolescent systems, it is no wonder that companies now take an average of 197 days to notice a data breach.
The Volume, Variety, Velocity, Virality and Viciousness of cybercrime have transcended human capabilities. The only way for retailers to meaningfully meet their cyber security and data security needs is for robots to come to the rescue. AI-enabled cybersecurity solutions that incorporate a composite set of capabilities – including Signal Detection, Natural Language Processing, Robotic Process Automation, Machine Learning, and Deep Learning – have become the only real way to keep the bad guys at bay and your executives out of court.
Stay tuned for future articles in which I’ll explain – in non-technical, plain English, without any code or math – how AI can do the voodoo it does to protect your people, property, places – and profits.