According to a recent report published by the British Retail Consortium (BRC), retail crime in the UK has soared to £613m, and "the majority of fraud is committed online." Given this information, one would assume that retailers were investing more money in protecting themselves from cyber-crime than in preventing theft from their physical stores. However, this doesn't appear to be the case. Radio frequency ID tags, used for stock control in many high-street shops, can be used to monitor and alert staff members about specific product sales and, of course, theft.
According to a post on Quora, an RFID system can cost tens of thousands of dollars to implement, while a sophisticated suite of auditing solutions would cost considerably less and would be much easier to implement. Despite this, many retailers are still not able to determine who has access to what data, and when. In fact, many are not even able to identify where their critical data is located.
Let's face it, we live in a world where everything is monitored. There are an estimated four million CCTV cameras in the UK. Should the police wish to know what a specific person was doing at a given place and time, the chances are, they can. They can use CCTV to identify vehicles and monitor their speed. They can use mobile phone triangulation, and even Oyster cards, to identify an individual's location. Store loyalty cards and credit card transactions can be used to monitor people’s spending habits. The electoral roll has a record of every place a registered voter has ever lived. TiVo and Skyplus monitor your viewing habits, and will offer suggestions about programmes you may wish to record. Organisations will monitor your call "for training purposes." HTTP cookies are used by websites to personalize a user's visit based on their preferences. Google has eyes in the skies and it's likely that Government agencies are using technology that is even more sophisticated. For all we know, our phones are being tapped by aliens seeking to learn about our ways before turning the planet into an inter-galactic zoo. That's probably not the case, but my point is, despite such pervasive auditing of our personal lives, our personal data remains as elusive as ever.
Much of the auditing that takes place in modern society is politically or financially motivated. However, there are many reasons why organisations are failing to monitor and protect our personal information. According to a report by Symantec, people are the main cause of data leaks. Perhaps organisations consider cyber-security to be too technical and costly to implement, while dismissing the notion that incompetent or potentially malicious staff members are the key threat to their system. In which case, it is the managers themselves that require the training.
For those unfamiliar with the General Data Protection Regulation (GDPR), it is an EU directive, coming into effect on May 25, 2018, that sets out to change the way organisations handle personal information. On top of this, the UK Government has announced it will invest £1.9 billion in cyber security over the next five years. Such schemes and directives will not only prompt organisations to step up their game, but will also provide technical assistance along the way. Compliance may incur additional costs, but there are a variety of inexpensive IT auditing solutions on the market that can monitor system changes, permissions and file-based events, as well as provide real-time reporting.
If we were to place as much emphasis on monitoring events that take place on our IT systems as we do monitoring spending habits and shoplifting, many of the data breaches we hear about today could be largely mitigated.
About the author: Ajit Singh is a Marketing Manager for IT auditing, security and compliance vendor, Lepide.