14 Nov Cybersecurity and Retail: the challenges – and how to meet them
Now that retail has turned omnichannel, the emphasis is on delivering a smooth, seamless customer journey. But is that journey a safe one? From point of sale protection through to compliance-friendly data management, here’s a closer look at the cybersecurity issues that ought to be on the radar of every retail brand.
Keeping the customer satisfied: why cybersecurity matters…
You couldn’t have failed to notice that your customers are everywhere. From your website and in-store support portals through to your dedicated app (not to mention your assorted social pages), customers expect to be able to flip between multiple channels with ease.
The ability to ‘make it personal’ is also essential. Research from Salesforce suggests that 75% of consumers and 88% of business buyers look for a consistent experience across every channel. So if customers are forced to start from scratch with each conversation, it does the brand no favours from a service perspective.
A new way of doing things demands a fresh look at cybersecurity. For one, there’s your attack surface to consider. Multiple channels mean multiple entry points. There’s a line to be tread between offering customers the ability to communicate with you or to log in to their accounts with absolute ease on the one hand, as opposed to exposing their details to unauthorised outside access on the other.
Coupled with this is the sheer amount of potentially valuable data that modern retail tends to generate. Take the typical customer relationship management (CRM) system, for instance. Featuring a one-stop-shop of juicy info on your customers’ buying behaviour, communications, financial records and other sensitive data, it can represent rich pickings both for outside threat actors and for rogue insiders.
Perhaps most importantly, customers themselves increasingly take the whole cybersecurity ‘thing’ seriously. PSFK Lab in partnership with Mastercard found that 89% of consumers expect stores they do business with to stay up to date with the latest security technologies. 91% of consumers told RSA that they prefer to deal with service providers who make security visible to them.
The ability to keep data secure shouldn’t be a peripheral backend concern. Instead, it’s worth putting security at the heart of your brand promise – and making sure you have the tools and processes in place to deliver on that promise.
The threat landscape for retailers
Two recent high-profile breaches illustrate what retailers are dealing with. At the end of April, it emerged that the personal data of 26,000 Debenhams customers had been compromised as a result of a malware attack on Ecomnova, which runs the department store’s online florist service.
Outsourcing – whether it’s your dispatch process or online chatbot facility – is increasingly par for the course in retail. But from both a reputational and, potentially, a compliance perspective, if a third party failure causes data to be compromised, it can be your brand that ends up carrying the can.
Talking to Computer Weekly about the Debenhams breach, ZoneFox CEO, Jamie Graves spoke of the importance of due diligence, i.e. that “third-party vendors you partner should be properly vetted to ensure they have secure systems in place”. Alongside this sits the need for “360-degree visibility over all your data flow”, so that breaches, whether third party or not, are identified and addressed as quickly as possible.
Meanwhile, customer data is not the only part of your IT estate in the sights of criminals. Strategy docs, sales projections, IP – and as the recent incident involving Sports Direct illustrates, HR data: these are all potentially in the frame. In this instance, the ‘way in’ was an unpatched staff portal. Hackers infiltrated it to find a treasure trove of unencrypted staff data, including names, addresses (postal and email) and telephone numbers – in other words, precisely the type of information that can feed spear phishing and social engineering campaigns. Although the retail giant reported the incident to the Information Commissioner’s Office (ICO), they didn’t tell their staff; a decision that, if it had been made post-GDPR, would almost certainly be deemed unacceptable.
This year’s Global State of Information Security Survey from PwC found that the biggest players in the retail and consumer sector suffered an average of 4,000 security incidents in the previous year. 16% of organisations had suffered losses of more than USD 1 million as a result of these incidents. In August, Infosecurity reported that the number of UK retailers experiencing serious, reportable breaches had doubled over the past year.
The threat faced by retailers is on the up – yet despite this, PwC suggests that only 58% have an overall security strategy in place to meet it.
Meeting the threat
So how do you avoid falling into that 58%? We’d suggest the following approach…
Put compliance at the forefront of your strategy
From ensuring that consumers are able to exercise their new rights of data portability, through to redrafting your consents, the upcoming General Data Protection Regulation (GDPR) provides plenty of food for thought for retailers.
On the cybersecurity front, there’s a general duty to be proactive; to ensure ‘privacy by design’ is hardwired into your systems and processes – and to ensure buying decisions are made with the ‘state of the art’ in mind. GDPR demands a full audit of your existing procedures – and if you are yet to get to grips with it, our resources page could be a useful starting point.
Ensure all channels and endpoints are protected
The new compliance landscape raises the importance of fit-for- purpose data mapping. What data do you hold? Where does it reside? What measures are required to ensure it is secure? A multi-channel sales and marketing presence demands that you ensure each channel is afforded the right type of protection.
At the same time, don’t overlook legacy systems. For instance, although SonicWall reported a welcome decline in the incidence of Point-of-Service malware attacks, it remains as important as ever to have a process in place to ensure patches are rolled out to scattered endpoints. Formalised patch management procedures become even more important as your IT estate grows.
The value of education
Ransomware – i.e. the forced lockdown of systems accompanied by a demand for payment – is on the increase. Whereas 3.8 million ransomware attempts were detected in 2015, that figure had ballooned to 638 million last year. The likes of Petya and WannaCry made headline news this year – something that your customers could not have failed to notice.
Although different in design and delivery, ransomware and phishing attempts have something important in common: they require activation by an insider. Can your people tell when they are being ‘socially-engineered’? Do they know what should and shouldn’t be accessed and clicked on? Educating your people and building a culture of security awareness should be a top priority.
Aim for full, meaningful visibility
A single credit card record can be worth anything between USD 5 and 50 – and a haul of multiple customer account records can represent a jackpot for any would-be hacker. Likewise, don’t discount the possibility of an insider going rogue. Take, for instance, the example of the disgruntled Morrison’s employee who got his own back on the company by ‘lifting’ the entire payroll database and leaking it to the press. The episode cost the supermarket an estimated £2 million to fix.
Applying the principle of least privilege can help you here; ensuring that sensitive data is siloed so that staff have access only to those parts of your estate necessary to do their job. But it’s worth noting that the Morrison’s employee was an IT auditor; a keeper of the keys with full access. In other words, privileged users can be potentially problematic, too.
What’s true of your outsourced sales enquiries team also applies to your senior accounts staff. Their behaviour is predictable. The way in which they use the brand’s CRM, the files they access at what time of the day and where from: all of this tends to follow a pattern. Have a system in place that recognises this and that alerts you the moment there is a deviation from the norm and you have the ability to spot potential problems before they blow up. It’s precisely the type of functionality that can help both with spotting errant insider behaviour and outsiders with unauthorised access.
To discover how Behaviour Analytics can help in strengthening your retail brand’s security credentials, speak to Zonefox today.