How Retailers Protect Sensitive Data from Thieves

There are two kinds of retailers, those who’ve had a data breach and those who don’t know it yet.

Retailers are an easy target for hackers; the headlines over the past few years have made this abundantly clear.

Major data breaches suffered by large chains, such as Target and Home Depot, show that nobody is immune, and the associated costs can be significant for even these retail giants.

Retailers Facing Data Breaches

Infosecurity Magazine reports that more than 260 million retail records have been reported as leaked, lost, or stolen in the US since 2005.

These include the 56 million records compromised in the Home Depot breach, 70 million in the Target breach, 12 million in the Sony breach and 100 million in the TJX breach.

With such major retailers suffering breaches, it’s clear that data thieves aren’t targeting only those who can’t afford good security.

In fact, they seem to be singling out large retail players for the huge volumes of data that can be accessed, regardless of their security budgets.

Threats to Retail Data

One of the reasons retailers are especially vulnerable to cyber-attacks is that the retail industry tends to be less “cyber-centric” than other industries, says Pete Pouridis, principal of the Pouridis Group LLC, and Vice President of Fraud Management Services at Merchant Customer Exchange LLC (MCX).

“They have IT departments and they have developers, but traditionally the developing has focused on developing for sales and everything else has been outsourced.”

The Sheer Volume of Data is Enticing Thieves

Pouridis also sees the sheer volume of data gathered by retailers to be a significant draw for thieves.

“They don’t have a single widget of information; they’re not like a financial institution so they’re not geared to protecting a specific set or subset of assets. So they have all this information and … a lot of that data has to traverse through their network, from a salesperson to an IT person. So there’s this challenge of how do you protect that data without getting in the way of the selling effort,” he says.

Data storage is another area where retailers are vulnerable.

Retailers must store and secure payment records so that, if there is a dispute with a customer, they have a record of the transaction.

But storing sensitive data incurs huge risks that must be mitigated with strong security, encryption and tokenization.

Protect Your Crown Jewels

To protect your information properly, you need to first determine what you consider to be your crown jewel data, says Pouridis.

Then have a way to remove that information from your network to keep it safe. “Whether it’s tokenization or if you have a place to store it, make sure it’s centralized and then build your moat around that.”
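As an added illustration of the tokenization approach Pouridis describes (this is example code written for this page, not from the article, Case IQ or any product), the Python below keeps card numbers in one central vault and hands every other system a random token. The field names, the `disputes` role, the test card number and the vault key are assumptions made up for the example; tokens are random rather than derived from the card number, so a stolen token table is worthless without the vault itself.

```python
"""Added example (not from the article): a minimal tokenization vault.

Assumptions (not in the original): the card number (PAN) is the crown-jewel
field, tokens are random (not derived from the PAN), and only a vault service
holding a dedicated key can detokenize. All data here is constructed.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject obviously malformed PANs before storing anything."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Central store: the only place PANs live. Everything else keeps tokens."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key   # hypothetical per-vault secret
        self._by_token = {}             # token -> PAN (the crown jewels)
        self._by_fingerprint = {}       # HMAC(PAN) -> token, so re-tokenizing is idempotent

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: the index cannot be brute-forced offline over the 16-digit space
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        # Random token; the last four digits are kept so staff can confirm a card with a customer
        while True:
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the dispute/chargeback role (an assumed name) may recover the PAN;
        # point-of-sale and analytics systems never can.
        if caller_role != "disputes":
            raise PermissionError("detokenize not allowed for role " + caller_role)
        return self._by_token[token]


def record_sale(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the point-of-sale path stores: a token and the last four digits, never the PAN."""
    return {"token": vault.tokenize(pan), "amount": amount, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    sale = record_sale(vault, "4111111111111111", 12.50)   # constructed test PAN
    print(sale)
    print(vault.detokenize(sale["token"], "disputes"))
```

The sale record that travels through the store network, the analytics pipeline and the backups contains only the token; the "moat" is then built around the single host or service running the vault, which is a far smaller perimeter than every till and database in the business.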

Certain infrastructure standards, dictated by the Payment Card Industry Data Security Standard (PCI DSS), also apply to any retailer that stores, processes or transmits cardholder data, but just doing the minimum to meet those standards may not be enough.

“In the majority of breaches, the retailers were PCI compliant, so compliance doesn’t necessarily mean security,” says Pouridis.

Putting Measures in Place

Experts agree that the chances of experiencing a retail data breach are very high, some going as far as to say that those retailers who think they haven’t been breached simply don’t know it yet.

So it’s critical to have the right things in place when it happens.

“Look at your environment and look at your behavior, data and your network as it lives and breathes, then look at that behavior and create a standard for that behavior,” advises Pouridis.

“Then when you have something in your network that looks anomalous, have the ability to go in and look at that behavior. You should be able to see the outbound traffic of your network, unusual log-in activity, unusual traffic. There are solutions and platforms out there that can help.”
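The baseline-then-alert approach in the two quotes above, as an added example written for this page (not from the article, Case IQ or any product Pouridis refers to): a quiet week of per-host outbound traffic and login events is turned into a baseline, and today's records are compared against it. The hostnames, users, byte counts, source prefixes and thresholds are all constructed; a real deployment would read them from flow logs and an identity provider.

```python
"""Added example (not from the article): baseline-then-alert over constructed logs.

Assumes two constructed feeds (not from any real product): daily outbound byte
counts per host, and login events as (user, hour_of_day, source_prefix).
"""
import statistics
from collections import defaultdict

# Constructed: one quiet week of outbound bytes per host, then "today".
BASELINE_TRAFFIC = {
    "pos-01":   [48_000_000, 51_000_000, 50_000_000, 49_500_000, 52_000_000, 47_000_000, 50_500_000],
    "pos-02":   [30_000_000, 31_000_000, 29_000_000, 30_500_000, 30_000_000, 31_500_000, 29_500_000],
    "db-crown": [1_000_000, 1_200_000, 900_000, 1_100_000, 1_000_000, 950_000, 1_050_000],
}
TODAY_TRAFFIC = {"pos-01": 53_000_000, "pos-02": 30_000_000, "db-crown": 40_000_000}

# Constructed login records: (user, hour_of_day, source_prefix)
BASELINE_LOGINS = [
    ("alice", 9, "10.1."), ("alice", 10, "10.1."), ("alice", 14, "10.1."),
    ("bob", 8, "10.1."), ("bob", 17, "10.1."), ("bob", 12, "10.2."),
]
TODAY_LOGINS = [("alice", 11, "10.1."), ("bob", 3, "203.0.113."), ("carol", 9, "10.1.")]


def traffic_baseline(history):
    """Mean and population standard deviation of daily outbound bytes per host."""
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in history.items()}


def flag_traffic(baseline, today, z_threshold=3.0, min_ratio=3.0):
    """Flag a host whose outbound volume is far above its own history.
    Two rules so that a near-constant host (tiny stddev) and a noisy host both work:
    a z-score over the threshold, or more than min_ratio times the mean."""
    alerts = []
    for host, today_bytes in today.items():
        if host not in baseline:
            alerts.append((host, "no baseline for host"))
            continue
        mean, sd = baseline[host]
        z = (today_bytes - mean) / sd if sd > 0 else float("inf")
        if today_bytes > mean and (z > z_threshold or today_bytes > min_ratio * mean):
            alerts.append((host, f"outbound {today_bytes} vs mean {mean:.0f} (z={z:.1f})"))
    return alerts


def login_baseline(history):
    """Per user: the hours and source prefixes seen during the quiet period."""
    hours, sources = defaultdict(set), defaultdict(set)
    for user, hour, src in history:
        hours[user].add(hour)
        sources[user].add(src)
    return hours, sources


def _hour_distance(a, b):
    """Distance on the 24-hour clock, so 23:00 and 01:00 are two hours apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def flag_logins(baseline, today, hour_slack=2):
    """Flag a login from a source never seen for that user, at an hour more than
    hour_slack away from every hour the user normally logs in, or by an unknown account."""
    hours, sources = baseline
    alerts = []
    for user, hour, src in today:
        if user not in hours:
            alerts.append((user, "first login ever seen for this account"))
            continue
        reasons = []
        if src not in sources[user]:
            reasons.append(f"new source {src}")
        if all(_hour_distance(hour, h) > hour_slack for h in hours[user]):
            reasons.append(f"unusual hour {hour:02d}:00")
        if reasons:
            alerts.append((user, "; ".join(reasons)))
    return alerts


def run_detection():
    """Build both baselines and return every alert for today's records."""
    return {
        "traffic": flag_traffic(traffic_baseline(BASELINE_TRAFFIC), TODAY_TRAFFIC),
        "logins": flag_logins(login_baseline(BASELINE_LOGINS), TODAY_LOGINS),
    }


if __name__ == "__main__":
    for kind, alerts in run_detection().items():
        for subject, reason in alerts:
            print(f"[{kind}] {subject}: {reason}")
```

In the constructed data the till `pos-01` is a little busier than usual and stays quiet, while the host holding the crown-jewel database sends forty times its normal volume and is flagged; `bob` is flagged for logging in at 03:00 from an address range never seen before, and `carol` because the account has no history at all. The thresholds are the part that needs tuning against a real environment; the structure (build the baseline from the network "as it lives and breathes", then alert on deviation) is the point.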

Insider Threats

Your employees can be among your biggest risks, and they can facilitate data theft either deliberately or by accident, for example by falling for a phishing scheme.

Background checks and diligent hiring practices can help keep the bad apples out of your organization, but what happens when a good employee goes bad?

Pouridis likens it to controlling entry in a nightclub.

“People show up drunk and disorderly, obviously you don’t let them in. That’s easy. But what if they aren’t drunk and disorderly and you let them in and then while they’re inside they become drunk and disorderly? You have to have a way to deal with inside threats.”

Protecting sensitive data in the retail environment takes a multi-faceted approach, including risk assessment, standardization, IT security, physical security, hiring due diligence and constant monitoring of networks and assets.

By centralizing and isolating crown jewel data, retailers are in a better position to keep valuable information out of the hands of thieves.