Home » Data Protection » PCI and Compliance

Industry View

Business Closures and Information Loss: An Unforeseen Impact of the Economic Meltdown

As retailers shut down and liquidate their point of sale systems, guess what else they're selling?

By Todd Waskelis and Bindu Sundaresan, VeriSign

Page 2

There has always been prevalence of certain information security exposure points which may now increase in trying economic times. Below are some of the steps that can help mitigate some of the risks posed by the common information security exposures.

For Businesses:
A very good first step to combat any security threat is a risk assessment, which ensures that all the security risks are identified when the company is on the path to closing down entirely or shutting down stores or specific operations. Risk assessment is the ideal way to start but for a failing business, this leads to additional cost when funds are scarce and is difficult to gain management support amongst all the other distractions surrounding times of tough changes.

Another important step in helping safeguard information is effective asset management. Stores that are going out of business are selling practically everything in their store—their entire asset inventory—including the kitchen sink. All the servers, desktops, financial reporting systems would most likely be on the market as well; a nightmare for data protection and privacy. Will these employees who currently work for the business that is soon closing down take the measures to ensure data security? Does the business have a plan to direct the employees on how to ensure data security? Are these businesses dealing with regulations addressing privacy, data security, and confidentiality even when they are shutting down?

When a business is closing down, there are unexpected layoffs across different levels, raising the specter of one of the most challenging risks to data, insider threats. Potentially disgruntled employees can cause significant damage to the company by stealing data, such as financial information and corporate information. Insider threat historically has risen to its highest level during times of deep economic crisis. A perfect storm of conditions for insider abuse may be unfolding.

Another potential exposure point is social engineering. Historically speaking, we have seen people resort to unethical ways during dismal economic times. Even if the employee remains loyal to the company that is going out of business, they could be naïve enough to become part of a social engineering attack that somebody from the outside is executing. It could be as simple as opening up a phishing email that offers incentives or jobs—very appealing to someone losing a job. So here we could have a loyal but concerned employee that puts the company at risk.

One common challenge with information security for retailers is the multiple critical components that makeup a retail operation. The IT infrastructure of a retail chain may involve several smaller components such as domain names, internal and external web sites, and wireless networks. These are some of the last things that will have to be shutdown after a business has ceased operations. These parts of the infrastructure need to be addressed in a security conscious manner to ensure that confidential data is not left unsecured. Not addressing these "missing pieces" make it highly likely that they will come back to haunt your business in the future.