self-documentation processes are less dependable, retailers are urged to use active cyber threat monitoring and mitigation from third parties (Symantec Corporation, 2015).

Leverage the NIST Framework.

The NIST Cybersecurity Framework incorporates cybersecurity methods that have been established by the National Institute of Standards and Technology (NIST) and the International Standardization Organization (ISO) (Symantec Corporation, 2015). The Framework consists of a risk-based list of rules and provides organizations with an assessment tool intended to help them define their current cybersecurity capabilities, set goals, and create a plan for refining and sustaining cybersecurity policies and procedures (Symantec Corporation, 2015). The Framework treats cybersecurity as “risk management.” The Framework may also provide potential standards for future legal rulings regarding cybersecurity. Retail businesses that embrace the Framework may find themselves in a better position to conform to future cybersecurity and privacy protocols (Symantec Corporation, 2015).

Commit to ongoing investment.

Retail businesses generally lag behind in information security policies and procedures, mainly because their focus is on driving productivity and sales. Making the sales plan for the day, week, and year is the primary goal. As a result, the need to cut costs and make a profit against slim margins prompts retailers to implement only very basic PCI standards (Symantec Corporation, 2015). According to the PricewaterhouseCoopers 2015 Global State of Information Security survey, information security represents only 3.7 percent of the IT budget (Symantec Corporation, 2015). It is imperative that retail businesses get ahead of cyber threats and make a lasting commitment to ongoing investment in their information security.

Insurance against a Cyberattack.
Having a cyber insurance policy that covers different cyber-related incidents is vital to any cyber risk management approach. What is cyber insurance? It is insurance that provides businesses with liability coverage for breaches involving private customer information such as social security numbers, credit/debit card numbers, account numbers, and driver’s license numbers (Nationwide Mutual Insurance Company, 2017). General liability insurance is usually limited to physical injuries and property damage, and does not include protection for cyber-related incidents. The following information regarding cyber insurance is provided by Nationwide Insurance.

Cyber insurance covers the following:
• Legal fees and expenses
• Informing customers of a data breach
• Restoring the identities of customers affected by a breach
• Regaining breached information
• Fixing compromised computer systems

The coverage for cyber-related incidents will vary slightly from one insurance company to another. Nationwide provides three types of cyber insurance:
1. Data compromise protection, which covers credit monitoring.
2. Identity recovery protection, which covers identity fraud and credit repair.
3. CyberOne protection, which covers damage caused by a virus or computer attack, and data restoration costs.

Retail businesses may find themselves in litigation and experience a significant loss of profits as a result of a cyberattack. By putting an adequate insurance policy in place, the retailer can protect itself from litigation and minimize overall loss. The type of insurance policy and the insurance premium depend on the goods and services sold, the current state of the retailer’s information security, its vulnerabilities, annual revenue, and applicable privacy regulations (Symantec Corporation, 2015). Retailers are encouraged to shop around for a cyber incident policy before making a final decision.
There are also insurance companies that strictly specialize in cyber insurance such as Root9B, RSA, IBM Security, Dell SecureWorks, and Palo Alto Networks.

Building Industry Partnerships

Retailers can learn a lot from one another’s experiences. Retail businesses can better protect themselves against attacks by building relationships with fellow retailers, sharing details of attacks, and teaming up with industry stakeholders (Symantec Corporation, 2015). The Retail Cyber Intelligence Sharing Center (R-CISC) and the Information Sharing and Analysis Center (ISAC) are two main organizations that support the sharing of information between retailers. The National Retail Federation (NRF) established a Retail Cyber Intelligence threat alert system in conjunction with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the U.S. Department of Homeland Security in order to assist information sharing between retailers (Symantec Corporation, 2015). The information shared can inform new cybersecurity policies and procedures that will prevent future attacks.

Comparison of the Findings to Other Studies

When compared to other studies, this paper has a much broader coverage of cybersecurity threats in the retail industry. The purpose of these findings is to provide a general understanding of the cyber threats that can easily cause damage and harm to retail businesses. The information provided in this paper is not specific to one retailer. It was collected from many different reports and articles regarding multiple retail businesses that were victims of cyberattacks.

Limitations of the Study

Limitations of the study include the lack of information reported by compromised retail businesses. Retail businesses selectively choose what to share with the media and the public regarding their cybersecurity policies, procedures, and encounters.
As can be expected, highly sensitive and private customer information is kept from the public, and therefore this study lacks detail pertaining to the retailers acknowledged. The statistics presented in this study were collected from a small sample of retail businesses that experienced a highly publicized cyberattack. The study was not authorized by any of these retail businesses and was not privy to specific facts involving names, costs, and productivity.

RECOMMENDATIONS

Establish IT Governance

IT governance is a management process that outlines decision rights, ensures risk tolerance is considered in decision making, and offers a method of measuring expectations through a compliance process (Microsoft, 2008). Before any decisions can be made, the governance structure and process must be determined. This will name the designated retail business and IT representatives who will be solely responsible for making decisions and held accountable for any issues that may arise. The selection of initiatives and devices will ultimately be the result of governance activities. IT governance will also offer an environment in which employees can appreciate and understand the benefits of a governance program (Microsoft, 2008).

Establishing IT governance includes the following steps:
• Setting vision. This step establishes the governance structure for IT and assigns decision-making power and accountability. The business will create clear and concise goals, adopt requirements from appropriate standards and regulatory bodies, determine risk tolerance, outline performance indicators, and create a method of measuring progress (Microsoft, 2008). The business will also create a setting for governance activities and determine policies, communication plans, risk management plans, and accountability for governance decisions. In this step, the business will produce an IT governance contract and name an owner (Microsoft, 2008).
• Partnering IT with the business.
This step will also decide whether overall governance and IT governance are the right fit for the business. If they are not a good fit, IT governance will suffer the consequences. Retailers will map out business-oriented goals, management mandates, respective owners, legal interpretation requirements, and compliance requirements; identify governance committee members and meetings; and clearly define roles and responsibilities (Microsoft, 2008).
• Classify regulations and standards. The business must inspect and properly implement these regulations and standards. The business must specify regulatory requirements, require IT analysis of IT service management frameworks, identify IT competencies and constraints, and, as mentioned earlier, implement a governance framework that imposes the least organizational burden for the maximum benefit to productivity, proficiency, compliance, and alignment with business needs (Microsoft, 2008).
• Create a policy. Establishing a policy helps guide employees toward the desired behaviors. The business must determine the processes that need explicit performance measures defined by policy, document and communicate the policy, identify non-compliance or other situations where it has responded less than adequately, and put the policy into practice (Microsoft, 2008). The business should also consult the legal department regarding the proposed policy to ensure that no laws are broken. The policy must be clear, concise, and easily understood by all employees. The policy should use common terms and concepts, but incorporate basic cybersecurity keywords.

Invest in Training

Instruct employees not to share personal information in email communications, unsolicited phone calls, or text messages. Instruct employees to refrain from entering personal information in pop-up windows when using the internet. Employers need to update all security software and other software programs on a regular basis (Symantec Corporation, n.d.).
Educate employees on safe computer and internet practices. Computer knowledge and security awareness vary from person to person; therefore, it is important to provide the same amount of training to all employees. Not only do employees need to be trained, but they also need to be recognized for learning the skills and practicing them in the workplace. Employees need to be reminded of their value, and need to feel appreciated by the companies they work for. Angry and disgruntled employees are much more likely to pose a security concern than employees who are happy with their job and employer. Making training interactive and fun will encourage employees to participate in group discussions, and even prompt them to share their own ideas.

Cyber Security Best Practices

Train employees to contact the IT department immediately if they receive any suspicious phone calls. Hackers will pose as IT in an attempt to trick employees into installing malware, or convince them to share confidential information as fuel for cyberattacks. Remind employees to be careful not to leak intellectual property. Even if the leak is accidental, it can cause severe repercussions. Instruct employees to be mindful when sharing pictures that reveal sensitive information on any visual boards or computer screens, since these boards or screens may be visible to outsiders. Have employees report any warnings from Internet security software to IT as soon as possible, because IT may not be aware of all threats that occur. Require employees to inform the IT department when they are traveling, especially if they are going to be using public wireless Internet, and ensure employees are knowledgeable in using the company’s Virtual Private Network (VPN) (Symantec Corporation, n.d.). Educate employees not to click on links or open attachments in emails from unknown senders. Phishing emails trick employees who open these links or attachments without verifying their legitimacy.
As a result, employees create an opening that leaves the company vulnerable to malware. Train employees to contact the IT department if they are unsure about an email’s legitimacy. Also, instruct employees to refrain from even opening emails from unfamiliar senders. This way they are not tempted to open any links or attachments.

Online Activities

Stealing intellectual property and sharing company secrets is generally against company policy and procedures. However, employees should still be explicitly instructed not to steal or share any company information. The business may even track the use of its documents, so employees’ activities with those documents should not be assumed to be private. Consult the current Acceptable Electronic Use (AEU) policy, and refer to its instructions on the safe use of devices. If the business does not have a current AEU policy, it should partner with IT to create and implement one immediately. The more time spent without an AEU, the longer employees are left without guidelines to follow when using devices. Consult the IT department before backing up devices to cloud services, and request a list of authorized cloud solutions (Symantec Corporation, n.d.). Ensure that cloud services are also covered by the AEU. Require the IT department to research existing, successful AEUs at other retail businesses, and instruct them to create a visual illustrating the pros and cons of the differing AEUs. Once all options have been discussed, draft an updated AEU and communicate it company-wide.

Best Practices for Contacting IT Support

When in doubt, call IT. Many times an unassuming computer update can snowball into a malware infection. Require employees to seek permission to use personal devices; the IT department must determine whether the device is allowed to access and upload sensitive corporate information. Require employees to use only authorized applications when accessing corporate documents. Educate employees on the process of allowing IT to connect to their workstation.
By doing this, time will be saved when IT assistance is needed to resolve an issue. Educate employees on basic computer hardware terms (Symantec Corporation, n.d.), so that IT can identify the root of a problem faster.

Neutralize Third-Party Risk

The business must create a master list of all third-party affiliates. Next, it should partner with the IT department to measure the risk posed by each third party. Prior cybersecurity breaches involving any of the third parties should be taken into account. In addition to the third parties’ prior history, a list of potential vulnerabilities in regard to protection of data and the billing method for services should be considered. By mapping out past and future interactions with third-party affiliates, the business can be better prepared to respond to a third-party breach of security. This will save time and money. The business will ultimately determine whether the risk of working with these third parties is worth it.

How to Use the NIST Framework

It is recommended that the business utilize resources found on NIST’s Framework website in order to assist IT decision makers. The Framework is not intended to replace any current cybersecurity processes. The business can use its existing process in conjunction with the Framework to find holes in its existing cybersecurity approach and create a plan for improvement. The next sections present different methods by which businesses can use the Framework to create or improve their cybersecurity.

Establish or Improve a Cybersecurity Program Based on the Cybersecurity Framework

Step 1: Prioritize and Scope. In this step, the business must determine mission objectives and high-level priorities (National Institute of Standards and Technology, 2014).

Step 2: Orient. After the general structure of the cybersecurity program has been created, the business will determine the relevant systems and assets, regulatory requirements, and overall risk approach.
Then the business will identify cybersecurity threats to, and weaknesses of, those systems and assets (National Institute of Standards and Technology, 2014).

Step 3: Create a Current Profile. In this step, the business will create a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are presently being achieved.

Step 4: Conduct a Risk Assessment. The assessment needs to be based on the business’ general risk management process or former risk assessment practices (National Institute of Standards and Technology, 2014). The business will evaluate the operating environment to determine the likelihood of a cybersecurity incident and the impact that the incident would potentially have on the business.

Step 5: Create a Target Profile. The business will build a Target Profile that concentrates on the evaluation of the Framework Categories and Subcategories describing the business’ desired cybersecurity outcomes. The business can also add its own Categories and Subcategories to account for additional or unique risks. The business may also take into account the requests and guidance of external stakeholders when building a Target Profile (National Institute of Standards and Technology, 2014).

Step 6: Determine, Analyze, and Prioritize Gaps. In this step, the business will compare the Current Profile and the Target Profile in order to identify any gaps. Then the business will generate a prioritized action plan to address the gaps, along with a cost/benefit analysis of achieving the outcomes in the Target Profile. Next, the business will decide what resources are required to close the gaps (National Institute of Standards and Technology, 2014).

Step 7: Implement Action Plan. In this last step, the business will decide what actions to take to address the gaps identified in the preceding step. Next, the business will monitor its existing cybersecurity procedures against the Target Profile.
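As an added illustration of Steps 3 through 6 (this is example code, not from the paper or from NIST), the script below scores a Current Profile and a Target Profile per Subcategory, derives the gaps, ranks them by the likelihood-times-impact figure from the Step 4 risk assessment, and works out which gaps a fixed budget can close. Subcategory identifiers follow the CSF 1.1 naming; RT.POS-1 is a made-up business-added Subcategory, and the 0 to 4 score scale, the risk ratings and the costs are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample data (not from the paper or NIST). Subcategory identifiers
# follow the NIST CSF 1.1 naming; RT.POS-1 is a made-up business-added
# Subcategory (the paper notes a business may add its own). Score scale is an
# assumption: 0 = outcome not addressed ... 4 = fully achieved.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "PR.DS-1": 0,
                   "DE.CM-1": 1, "RS.RP-1": 3, "RC.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 4, "PR.DS-1": 3,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3, "RT.POS-1": 2}
# Step 4 risk assessment output: (likelihood, impact) on a 1..5 scale (constructed).
RISK = {"ID.AM-1": (3, 3), "PR.AC-1": (4, 5), "PR.DS-1": (3, 5), "DE.CM-1": (4, 4),
        "RS.RP-1": (2, 4), "RC.RP-1": (2, 3), "RT.POS-1": (3, 4)}
# Constructed cost (in thousands) to raise a Subcategory's score by one level.
COST_PER_LEVEL = {"ID.AM-1": 10, "PR.AC-1": 25, "PR.DS-1": 40, "DE.CM-1": 30,
                  "RS.RP-1": 15, "RC.RP-1": 20, "RT.POS-1": 20}


@dataclass
class Gap:
    subcategory: str
    current: int
    target: int
    risk: int = 0   # likelihood x impact from the risk assessment
    cost: int = 0   # estimated cost to close the whole gap

    @property
    def levels(self) -> int:
        return self.target - self.current


def find_gaps(current: dict, target: dict) -> list:
    """Step 6, part 1: every Subcategory whose Target score exceeds the Current one.
    A Subcategory absent from the Current Profile counts as score 0."""
    return [Gap(sub, current.get(sub, 0), want)
            for sub, want in target.items() if want > current.get(sub, 0)]


def prioritize(gaps: list, risk: dict, cost_per_level: dict) -> list:
    """Step 6, part 2: attach risk and cost, then order by risk (highest first),
    breaking ties in favour of the cheaper gap."""
    for g in gaps:
        likelihood, impact = risk[g.subcategory]
        g.risk = likelihood * impact
        g.cost = cost_per_level[g.subcategory] * g.levels
    return sorted(gaps, key=lambda g: (-g.risk, g.cost))


def allocate(plan: list, budget: int):
    """Step 6, part 3: walk the prioritized plan and fund what the budget allows;
    anything skipped is deferred to the next iteration of the process."""
    funded, deferred, remaining = [], [], budget
    for g in plan:
        if g.cost <= remaining:
            funded.append(g)
            remaining -= g.cost
        else:
            deferred.append(g)
    return funded, deferred


if __name__ == "__main__":
    plan = prioritize(find_gaps(CURRENT_PROFILE, TARGET_PROFILE), RISK, COST_PER_LEVEL)
    funded, deferred = allocate(plan, budget=150)
    for g in funded:
        print(f"fund  {g.subcategory}: {g.current}->{g.target} risk={g.risk} cost={g.cost}")
    for g in deferred:
        print(f"defer {g.subcategory}: {g.current}->{g.target} risk={g.risk} cost={g.cost}")
```

Deferred gaps become the starting point for the next pass through the steps, which is how the Framework's repeat-as-needed guidance is reflected here.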
The business can repeat the steps as many times as necessary to continue evaluating and developing its cybersecurity program (National Institute of Standards and Technology, 2014).

Commit to Ongoing Investment

The retailer needs to establish a budget strictly for the IT department. The budget needs to incorporate security software, security updates, adequate IT staffing, and state-of-the-art devices and workstations. The IT budget should be one of the largest budgets within the retail business. The budget should also account for any damaged devices or resources needed in the event of a cyberattack, since an attack can cost millions of dollars in repairs. The retail business should invest in training courses, such as interactive computer training that illustrates the cybersecurity issues employees may encounter. Have experts from currently used tech vendors host in-person training in the conference room every few months. Require the IT department to host weekly 10-minute meetings to share current cybersecurity topics or issues. Have the IT department send regular emails including a “fun fact” or a one-question quiz to test the recipients’ cybersecurity knowledge, and report the results of these quizzes at the weekly meetings. Serve refreshments and hand out prizes at the meetings to encourage participation. Find ways to motivate employees to participate.

Insurance against a Cyberattack

It is important for retailers to determine the right cyber insurance policy for their business. The type and amount of coverage should be based on the size of the business and the goods and services the retailer provides. It is recommended that the C-Suite partner with the IT department to shop for the proper cyber insurance coverage. Request consultations with each of the cyber insurance companies, and ask for information on each of the policies they offer. Consider how long the insurance company has been in operation and the size of its client base.
If possible, ask for a list of the retailers on their client list. Require the IT department to research the pros and cons of each insurance company and its cyber policy. Narrow down the options by presenting all findings to the Board of Directors and the rest of the C-Suite members, and take a final vote.

Benefit Through Industry Partnerships

In order to fully understand the current cybersecurity issues in the retail industry, the business must be aware of the experiences of fellow retailers. The best way to learn is through other people’s mistakes. Most retailers will refrain from sharing intimate details about their cybersecurity incidents; however, by building a relationship and gaining their trust, an open line of communication can be established. The Retail Cyber Intelligence Sharing Center (R-CISC) and the Information Sharing and Analysis Center (ISAC) are two leading organizations that support the sharing of information between retailers. The business should participate and become an active member of these organizations, and require the IT department to monitor and reference these two organizations for current retail cybersecurity news.

The Retail Cyber Intelligence Sharing Center (R-CISC) provides education, training, an information and analysis center, research, and strategic support. According to the R-CISC, retailers are stronger together (Retail Cyber Intelligence Sharing Center, 2016). The R-CISC shares the following information:
• Incident (who, what, where)
• Threat Actor
• Course of Action
• Campaign (motive)
• TTP (Tactics, techniques, or procedures)
• Observables
• Target Exploit
• Indicators (Retail Cyber Intelligence Sharing Center, 2016)

Information Sharing and Analysis Centers (ISACs) assist retailers with cyber and physical security threats. ISACs gather, examine, and distribute cybersecurity threat information to their members and give members tools to mitigate risks and improve resiliency (National Council of ISACs, 2017).
Retailers should require their IT department to report any news or updates from the ISACs on a weekly basis. The IT department should also be required to propose action plans to deal with any new cyber threats that are found by the R-CISC and the ISACs. These plans should be reviewed and approved by the C-Suite and Board of Directors.