Given the frequency of theft of data nowadays, customers have come to expect that retailers will take effective measures to safeguard their data, so many retailers are asking what are the main ways to effectively address cyber security?
Understanding the importance of safeguarding data
Data is also becoming much more valuable for retailers as new methods of analysing and using data to create competitive advantage emerge. For example, retailers can now use data to create forecasting models to predict sales, demand and stock requirements. As a result of the growing value of data, retailers are collecting and storing much more information about their customer’s interactions with their brands, for example, credit card information, data on how often customers make purchases, average purchase value estimates, frequency of store visits and so on. Unfortunately, this increased reliance on data to conduct day to day business operations makes the data gathered and stored even more attractive to cyber criminals.
One of the most common cyber security threats is a data breach, where customer data can be accessed or stolen by third parties. Data is very valuable to cyber criminals, who will usually be able to sell it on to other criminals or use it themselves in spam campaigns, financial scams and theft. Worryingly, however, not all retailers are taking the issues seriously enough. Some can’t afford to implement measures to safeguard data. Others just don’t understand how valuable data is on the black market these days.
Cyber security – what are the stakes?
The best way to highlight how devastating a cyber security breach can be is to consider real businesses that have experienced these and their aftermath. The main problems businesses affected by cyber attacks face include fines from regulators, public backlash resulting in loss of customers (and associated profit) and the compromising of relationships with investors.
Serving to provide an example of how all three of these problems take hold is the unfortunate case of Mixcloud, a UK-based audio streaming service which had just signed off on a $11.5 million funding deal from media investment firm WndrCo when it was struck with a data loss calamity. In early 2019, Tech Crunch reported a data breach affecting 20 million user accounts. Usernames, email addresses and links to photos were all stolen in the attack, and it has since been revealed that the data was placed on sale on the dark web for $4000 USD or 0.5 bitcoin. EU and UK GDPR compliance rules which apply because the company has its main base in the UK, mean that the company is eligible for a fine of up to 4% of its total annual turnover if it is found to have infringed any of the regulations that apply. This highlights the uncertainty that a cyber attack can visit on any business. Moreover, it is probably too soon to tell whether there will be any public backlash and how company profits may be impacted, over and above the value of the fine the brand may receive. As such, the real financial impact of this cyber attack remains to be seen.
In 2018, Marriott International disclosed that it had been the victim of a sophisticated cyber attack which impacted approximately half a billion users and the data it had stored in relation to them from as early as 2014. The data compromised included passport numbers, contact information and travel information. Most damagingly, credit card information was also accessed and stolen although Marriott International advised that this information had been encrypted. One in five users, that is approximately 100 million users had their credit card details compromised. In July 2019, Marriott International was fined £99 million by the UK Information Commissioner’s Office (ICO) as a result of the data breach.
In 2016, Yahoo announced that it was targeted by cyber attackers in an attack which compromised approximately 3 billion users. The attackers accessed data including the real names, email addresses, dates of birth and telephone numbers of millions of user accounts registered on the Yahoo website. What was incredibly unfortunate for Yahoo was that it was involved in negotiations to sell its brand when news of the data breach hit the headlines. The upshot of Yahoo’s disclosure of the attack was that approximately $350 million was wiped off the value of Yahoo’s share price, virtually overnight, which allowed its purchaser, Verizon to acquire it for $4.48 billion. Some estimates suggest that Yahoo was worth $100 billion, at the height of its success, so this cyber attack, perhaps because of the impact it had on the Yahoo-Verizon takeover negotiations has been recognised as one of the most damaging cyber attacks in the world.
Cyber security in retail
Retailers face several cyber security issues that are specific to the retail industry. Some estimates put the cost of these issues at $30 bn USD every year to US retailers. One ongoing cyber security issue is protection of point of sale data, which is targeted by memory-scrapping trojans which infect IT and software system and then harvest information illegally and transmit it to cyber thieves.
Gathering point of sale data has become critical to the success of large retailers, since the information can be used to predict demand, introduce stock and logistical efficiencies and leverage highly successful marketing campaigns. For example, stored point of sale data is used to predict what other products will interest buyers and displaying these immediately before customers begin the checkout process is a great way to drive sales and drive up the value of the average customer order. The data can also be used in mass marketing campaigns. However, to gain competitive advantage, retailers have to collect and analyse large amounts of point of sale data on an ongoing basis. This data must then be stored securely, which is what creates the cyber security problems because these data stores then become attractive to cyber thieves, who know the data can be sold to buyers in places like the “Dark Web”.
Theft of point of sale data has dropped in 2018/2019 according to research by cybersecurity firm IntSights, mainly due to Payment Card Industry or PCI compliance regulations and the introduction of more sophisticated forms of chip technology for credit and debit cards. However, retailer vulnerability to memory-scrapping trojans persists and widespread inadequate encryption also makes point of sale data a ripe target for data thieves.
Other specific cyber security issues affecting retailers include the use of stolen credit and debit cards to create or acquire prepaid cards which can be sold on the Dark Web. These are then used to buy goods and services fraudulently before the owner of the card even realises that they are being scammed. Research suggests that this threat has not yet reached its full potential, with some cyber security experts describing it as one of the fastest growing threats within the retail industry.
WHAT CAN RETAIL BUSINESSES DO TO ADDRESS CYBER SECURITY?
1. Create and implement a data strategy
Every retailer approaches how it collects and stores data differently. Different retailers will have different needs in relation to data and larger retailers will normally have the resources to collect and store more data about their customers. Furthermore, retailers with operations in different countries will be subject to different compliance regulations and legal requirements about how they must handle and secure data.
Because of these diverse data requirements, every retailer needs a bespoke data strategy which outlines how data will be stored, managed and protected, what data threats are common to the industry being operated in and what threats are commonly seen in relation to any IT software or hardware systems in use. An example is if cloud computing is in operation, a retailer will be able to consider what the main threats associated with this are and how these can be managed.
2. Migration of sensitive information
It is advisable to ringfence and migrate data to more secure platforms and systems, once it has been collected. This means that the data can quickly be encrypted and managed by specially trained data loss experts. Once this happens it makes the data less of a target for cyber criminals, who are often opportunists, looking for easy targets. If encrypted data is stolen there is no guarantee that it will ever be successfully decrypted, and this makes the data much less attractive to cyber criminals. Additionally, cyber criminals often identify “easy” targets on the Dark Web months in advance of any attack, so when data is routinely migrated and subject to encryption and data loss prevention strategy, the cyber criminals may be inclined to go elsewhere for richer pickings.
3. Vetting of third-party data controllers
A data strategy should include an element of vetting in relation to how data is managed by third party associates. A retailer, for example may have a solid data protection strategy in place within the UK, but risk data loss and security breaches as a result of third-party use and storage of their data. This is a commonplace scenario where operations are outsourced, because retailers have less control and oversight of the data. It may be being managed in another country by third parties who speak different languages, for example.
In vetting third-party data controllers, systems of international certification in standards like the National Institute for Standards in Technology and the International Organization for Standardization are incredibly useful. Retailers may decide to make certification in certain standards compulsory before any working relationship is entered into.
4. Vetting software and IT systems
Equally a good data strategy will consider any vulnerabilities of the systems in place to safeguard data. Retailers using popular software programs or platforms need to consider any historical data breaches and what steps have been taken by the manufacturers of the software or IT systems to address these.
5. Staff training
Cyber security training is a must to ensure that data is well-protected. Staff handling data on a day to day basis will need to receive basic training about handling data, the risks involved in managing and disclosing data and how to handle data in line with established security protocols. This is especially important because many data laws and data compliance regulators have strict liability approaches to liability for data loss and security breaches, which means that the actions of the lowest paid staff could end up costing a retailer hundreds of thousands of pounds whether this is a fine, or whether it is in lost revenues following a backlash from customers effected by a cyber security breach.
6. Retention protocols
When Toys’R’Us went into administration it had accumulated a massive amount of data in the form of past sales records and other customer data which was used in the launch of the new TruKids brand developed to replace Toys’R’Us. The repurposing of this data was never envisaged when the brand was in operation, but that didn’t stop the retailer’s approach to data retention paying dividends for the new brand in the way that it did.
Many retail businesses will retain data on the grounds that although it hasn’t been useful in the past, innovative ways of manipulating it may evolve in the future, which justifies the cost of storing it. This “hoarding” approach is becoming much more commonplace in the advent of sophisticated methods of data analysis and forecasting, however, historical data or “legacy systems” as they are sometimes called, often become less secure simply because methods of data collection and technology used in the harvesting of data have changed. Retail companies have even been known to lose track of how and where certain types of data is stored. All of this exposes a retailer to the risk that stored data will be lost or stolen and what is worse is that loses of legacy data are often only identified “after the event”, when it is too late to take steps to protect the data.
7. Tiered approaches to data access
A good way to safeguard data is to introduce a so-called tired approach to data access. This means that not all employees have the same access to the data that is stored or harvested by the retailer in question. When only certain employees, for example employees who have been more thoroughly vetted, or employees who have received more training are given access to particularly sensitive information, like credit card details or customer email addresses, this reduces the risk that a security breach will occur. The tiered approach to data access can be controlled via a system of password protection which will exclude everyone except those people trusted by the retailer to handle the information safely.
8. Email policies
Companies should have a comprehensive email policy which is circulated among staff and regularly updated. This is because one of the major entry points for malware into a company’s IT system is through email. Emails may then be opened or shared by employees on the retailers’ internal networks. Much of this risk can be reduced with simple interventions such as basic training in the recognition of malware and suspicious or spam emails. Cybersecurity experts recommend that email training should form a part of every new employee’s induction to a new business.
9. Senior information employees
A good way to find out how seriously a business takes data security is to find out if it has a Chief Information Officer. Hiring staff whose role it is to safeguard data and keep abreast of the changing regulations and how successfully these are implemented across an entire organisation can prevent cyber security breaches or mitigate the negative impact of a breach once it has occurred.
10. Security updates and patches
Software and IT systems need to be updated regularly with patches and plug-ins which address security issues. To ensure a comprehensive approach to cyber security, retailers should designate who is responsible to ensure these updates are applied and tested.
11. Industry-wide collaboration
Cyber security experts suggest that retailers should collaborate more often and in more systematic ways to defeat ongoing cyber security threats. Collaborations are often difficult though, due to the competitive nature of retail, particularly e-commerce. However, if some common ground can be achieved, ideas and tips about better security protocols can be exchanged and retailers will be more secure as a result.
Is a future of better cyber security for retailers possible?
Retailers are vulnerable targets for cyber thieves because of their reliance on data, particularly data gathered at the point of sale. Additionally, retailers remain vulnerable to more generic cyber security issues including hacking and scams and there are heavy prices to be paid by retailers who suffer cyber security breaches in the form of lost consumer trust and confidence and also fines from regulators.
That said, there is a lot that retailers can do to protect themselves, including increased vigilance, strict access control measures and training for all employees from the point of induction.
Cyber thieves and scammers are mainly opportunists so if a retail business is well-protected in terms of their cyber security protocols and systems, many thieves will simply move on to an easier target.