Even before Sept. 11 revealed how vulnerable U.S. businesses can be to catastrophic losses, there were plenty of reminders of the importance of securing mission-critical data and systems.
During a recent IT Leadership Forum, sponsored by Washington-based Food Marketing Institute, Don Reeve, chief information officer for Wegmans Food Markets, Rochester, N.Y., revealed that representatives of Canaudit, Simi Valley, Calif., spent a weekend with the grocer's chief financial officer and internal audit group to test the security of its fire walls.
While the auditors were not able to hack Wegmans' point-of-sale system, they did penetrate the pharmacy databases, which store 10 years' worth of customer pharmacy transactions and demographic data, as well as information regarding the company's employees and Web site.
"All prescriptions and other high-security areas were at risk," Reeve explained during the conference, pointing out that retailers "need to take additional measures to protect critical information."
Hackers, of course, are just one of the threats to grocers' data and systems, along with floods, hurricanes and other natural occurrences, human error, and, especially since Sept. 11, terrorism and sabotage. Indeed, since the attacks of Sept. 11 and following concerns raised earlier by the so-called Y2K bug, retailers nationwide -- even those who felt they were already well protected -- have been refocusing on disaster recovery systems and developing contingency efforts to protect mission-critical data.
Retailers may not have increased information technology budgets to implement new disaster recovery systems and procedures, but industry experts agree there will be an increased awareness from now on.
"Retailers are still assessing the fallout from Sept. 11 and evaluating if 2002's information technology budgets need to be adjusted to add new security measures," said Greg Buzek, president, IHL Consulting Group, Franklin, Tenn. In October 2001, retailers in other retail verticals had not adjusted their budgets to add more disaster recovery programs and systems, though they continued to strengthen and improve already-successful programs.
Wegmans' experience is just one example of the need to stay on top of data security. Another example comes from Tom Murphy, president of Peak Tech Consulting, Colorado Springs, Colo., and former Kroger CIO. At FMI's Internal Auditor's Conference in May 2000, he said a third-party auditor showed how to hack into the network of a large grocery chain.
The auditing firm was able to "enter the company's payroll, general ledger and pharmacy systems," Murphy said, recollecting that "there was not a dry shirt in the audience."
While network security generally requires secure fire walls and the like, data protection falls under the responsibility of disaster recovery systems. Retailers are concentrating on preserving information from POS data, inventory management, general ledger, accounting and payroll, and, in some cases, customer records.
To protect their data, retailers need to develop a strategy and methodology, said industry observers. The first step is to identify data considered "mission critical," and determine how long the business can run without it.
Some retailers will meet with every "owner of data," or the head executive within each department -- including marketing, merchandising and finance -- to identify the information that is most critical to keeping the business running. Others implement a matrix analysis of applications to determine the impact of losing data for up to 48 hours. Mission-critical data is then stored on tape, CD-ROM or optical CDs and filed away in storage boxes that can hold gigabytes and in some cases, terabytes of data. Family Dollar Stores, Charlotte, N.C., a discount retailer that sells food among its offerings, uses a storage unit from IBM, Armonk, N.Y., called the Enterprise Storage System, to consolidate all of its store data. The system, which holds up to 11 terabytes of data, enables the retailer to do data backups during operating hours, rather than waiting until the store is closed.
H.E. Butt Grocery Co., San Antonio, has long had contingency plans in place for floods, hurricanes and tropical storms, making for an easy transition to year-2000 planning to protect data. The retailer performed "exercises" at least six months prior to Dec. 31, 1999, for all mission-critical areas, including front-end systems, transportation and warehouse processes. This included providing cashiers with a price list and a sales-tax table, for example, in case POS systems shut down.
"Personnel only need to execute the pre-established plan instead of making decisions that are ad hoc or reactionary," Gavin Nichols, director of systems and programming for H-E-B, said at the time.
To gain a better sense of security, some retailers are opting to partner with business recovery solution providers like SunGard, Wayne, Pa., that typically pick up data backed up daily and store it off-site.
