Retailer Group Sets Aside Rivalries to Share Cyber-Attack Information

By Robert Lemos  |  Print this article Print

Commercial retailers create the Retail Cyber Intelligence Sharing Center (R-CISC), to facilitate the sharing of information on attacks and help the industry defend itself.

Nine well-known retailers and the Retail Industry Leaders Association (RILA) announced on May 14 the formation of a sharing and analysis center aimed at disseminating information about cyber-threats targeting the retail sector.

The Retail Cyber Intelligence Sharing Center, or R-CISC, will act as a collection and dissemination point for information about cyber-threats and support its own information sharing and analysis center, or ISAC. Nine major retailer brands—American Eagle Outfitters, Gap, J. C. Penney, Lowe's Companies, Nike, Safeway, Target, VF Corp. and Walgreen—have pledged support for the organization.

“The retail industry is already going to great lengths to minimize risk and stay ahead of cyber-criminals," Ken Athanasiou, global information security director for American Eagle Outfitters, said in a statement accompanying the announcement. "The reality is cyber-criminals work non-stop and are becoming increasingly sophisticated in their methods of attack and by sharing information and leading practices and working together, the industry will be better positioned to combat these criminals."

The industry has come together to form the information sharing group in the wake of the attacks on some of the largest retailers last year. In December, online thieves infiltrated the point-of-sale network of retail giant Target and stole information on more than 40 million credit- and debit-card accounts, as well as an additional 70 million records containing personal information about customers. Yet, Target was not alone. Luxury retail chain Neiman Marcus, craft store chain Michaels and other retailers were also discovered to be the victims of similar attacks.

Sharing information among competitors is neither an easy, nor natural task, James Mobley, president and CEO of risk consulting firm Neohapsis, said in a statement sent to eWEEK. Rivals are generally fearful that any information shared could give away a competitive advantage. In addition, companies hesitate to reveal too much about their security measures, for fear of revealing vulnerabilities, he said. Finally, companies worry that any information shared with others could be leaked.

Yet, the benefits of sharing threat information outweigh the risks of leaks and the potential for revealing competitive information, Mobley said.

"Sharing, given the potential impact of cascading cyber-attacks, is much more important than staying a half step ahead of a competitor by limiting the flow of critical security information," he said. "Open sharing is extremely important and the negatives are insignificant when compared to the impact of not doing so."

Sharing, however, is only the first step, Robert Sadowski, director of technology solutions for security firm RSA, told eWEEK. The information has to be both timely and actionable, he said.

"The more quickly and frequently this information can be disseminated, the better," he said. "And just as important, if not more important, companies need to have the incident response teams in place to handle the information and act on it."

The organization will focus on researching threats, information sharing and educating retail firms about the threats they face, the group said.

Originally published on www.eweek.com.