By Isaac Kohen, Teramind
Retailers face data security threats on many fronts. Not only is online shopping becoming a critical component of a competitive business model, collecting copious amounts of customer data with every view, click, purchase, and share, but even brick-and-mortar stores are accumulating significant amounts of customer data from loyalty programs, credit card swipes, and other initiatives.
Taken together, today’s retailers are collecting an incredible amount of customer data, which presents both unique opportunities and unavoidable vulnerabilities.
Cybercriminals frequently target retailers, seeing their valuable datasets and relative lack of attention to data security as an easy opportunity to wreak havoc and to make money. For example, in December, Woolworths, a popular supermarket chain, experienced a data breach when an employee fell for a phishing scam that ultimately allowed hackers to steal rewards money from customer accounts. Similarly, the online stores for numerous retailers have been impacted by data breaches. In 2019 alone, it’s estimated that 20,000 e-commerce sites could be compromised by the prominent and problematic Magecart payment skimming malware. Most notably, this fall, Macy’s customers had their payment information stolen, an indelible reminder that retailers of all sizes are continually at risk of a data loss event.
Simply put, in 2020 and beyond, cybersecurity is going to be a top-of-mind, bottom-line issue for retailers. To be successful, they will need to understand the risks of a data breach, and they must take adequate steps to help mitigate these vulnerabilities.
Know The Risks
Data breaches have never been more consequential. Each event brings a flurry of negative news headlines that tarnish a brand’s reputation, while regulators and consumers are increasingly unwilling to put up with companies that can’t protect customer data.
Retailers already operate under a robust regulatory structure. For instance, businesses that accept payment cards at checkout – which is to say almost all of them – need to adhere to the PCI standard. From the outset, these regulations challenge retailers to protect customer data, especially sensitive information like payment details. More broadly, national data security standards, like Europe’s General Data Protection Regulation (GDPR), make data security a serious issue for every company.
Of course, in 2020, retailers will also face oversight from California’s Consumer Privacy Act, which brings additional expectations and the potential for costly consequences. Beginning in June 2020, California’s attorney general can seek civil penalties of $2,500 for each data security violation and can pursue significantly higher sums from companies that are especially negligent.
Regulatory oversight notwithstanding, retailers have every reason to be vigilant about data protection. Perhaps most notably, data breaches have never been more expensive. IBM’s annual cost of a data breach study found that the average expense approaches $4 million, a staggeringly high number that’s only expected to increase in the years ahead.
At the same time, customers have grown exasperated by retailers that can’t or won’t protect their information. According to a recent survey by Ping Identity, 81 percent of consumers would stop interacting with a brand online after a data breach. In addition, there is a strong correlation between a retailer’s cybersecurity reputation and customers’ willingness to make a purchase.
After years of expensive, extensive data breaches, neither government regulators nor consumers have patience for retailers that can’t protect sensitive information. Fortunately, by focusing on a single, critical component, retailers can make meaningful progress in the year ahead.
Embrace The Solution
While cybersecurity can feel like a widespread problem with an impossible solution, in reality, retailers can significantly reduce their data security exposure by addressing their most pressing threat – the employees, contractors, and third-party collaborators who encounter data and provide an avenue into the IT environment.
Indeed, insider threats, both malicious and accidental, constitute an increasing risk that retailers need to address. Verizon’s 2019 Insider Threat Report concluded that more than a third of all data breaches are attributable to an insider threat. These threats take many forms, including:
- Careless workers who accidentally share sensitive customer information.
- Bad actors who leverage their access to company data to steal information for personal gain.
- Disgruntled employees who destroy or steal company data as a retaliatory action.
- Third-party collaborators who compromise data security or misuse company data.
However, even employees who aren’t misusing company data still pose a significant threat to data security. More than three billion phishing emails are sent each day, and some of these inevitably land in employee inboxes. When employees engage with these malicious messages, company data is quickly on the line.
Ultimately, retailers looking to improve their defensive posture can get a lot of mileage out of this known and controllable risk factor. Here are a few next steps:
- Implement employee monitoring software. Retailers can deploy this software to provide oversight and accountability for employees’ digital activities. When paired with clear data management standards, this software equips retailers to detect potentially harmful activity before it can compromise the personal data of thousands of customers. A timely response is critical to preventing the headline-making breaches that have become so prominent, and employee monitoring software puts retailers in control of their data environment.
- Automate whenever possible. CTOs and IT admins are overwhelmed by the deluge of threats continually coming their way. A 2019 survey found that more than 60 percent have considered quitting their jobs and leaving the industry altogether, which means that retailers have to lighten the load on these critical employees. By automating things like access restrictions, data movement, and endpoint loss prevention, IT admins can address the most urgent threats while letting software handle the rest.
- Provide comprehensive awareness training. When it comes to data security, employees are both a risk and an asset. When properly trained to value customer data or to identify and report phishing scams, employees can become a robust defense against a data breach. Often, retailers can pair their employee monitoring initiatives with these training priorities to provide a holistic approach to data security.
- Collaborate and communicate. Each of these initiatives is best enacted with full involvement and investment from all team members. Therefore, openly collaborate with employees about the most pressing vulnerabilities and communicate continually when new standards, expectations, or procedures are implemented. In the end, data security is the top priority, and it’s one that’s best pursued together.
For retailers to remain competitive, they will have to offer more than great products and compelling deals. They must account for data security, as the consequences for failure in this regard will continue to compound, making businesses less viable after a breach. At the same time, retailers that rightly embrace this concern will develop a competitive advantage over those that don’t get the message in time.
About The Author
Isaac Kohen is VP of R&D of Teramind, a leading, global provider of employee monitoring, insider threat detection, and data loss prevention solutions. Follow on Twitter: @teramindco.