Retailers worldwide are attacked more than any other industry — three times more than the financial industry[1] — yet seem unwilling to step up their infrastructure and security programs to meet not only current threats but the future threats in cybersecurity looming on the horizon. Perhaps the paltry 19% of consumers who say they’ll avoid the brand after a cyberattack isn’t enough of an incentive. Maybe it’s executive fatigue — 55% admitted that they haven’t invested any capital funds in cybersecurity protection over the past 12 months, according to a recent KPMG study.[2]
According to public sources, Target was compromised via a third-party supplier in 2013 (40 million credit card records were stolen); Sony Pictures Entertainment was allegedly hacked by a nation-state, resulting in the release of one unreleased film, the postponement of another and terabytes of sensitive data leaked. Then there are the examples of the Home Depot, Yahoo and Sears data breaches affecting millions of people. Breaches are now becoming a more common occurrence, but the companies themselves appear unaffected and their boards and CEOs do not seem to be visibly impacted financially. Do retailers not worry about their customers’ PII or their longer-term brand and reputational impact?
Credit Trumps Cash, But Contactless Trumps Credit When It Comes To Cybersecurity
Cash is going by the wayside, as 80% of consumers reach for credit cards and debit cards in equal numbers for both online and in-store purchases.[4] While EMV (chip) credit and debit cards create a unique code, or cryptogram, when inserted into a merchant's POS terminal, they can create a false sense of security — a consumer’s credit card information is still in view while the terminal reads the chip. It’s simply not enough.
How do we bolster protection? We may be seeing cards going the way of cash over the next few years, with contactless apps reaching the tipping point of adoption. Convenient, faster mobile wallets, which hide credit information and can be authorized with fingerprints, are gaining strength as the safest way to pay. Why? Mobile wallets create a random, one-time number for every transaction that’s not valid after that use. Android Pay, Samsung Pay and Apple Pay use this process, called tokenization. Apple has benefited, garnering the highest retailer acceptance rate at 36%, according to survey data from the retail consulting firm Boston Retail Partners.[5]
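The one-time token property described above, shown as an added example that is constructed here and is not any wallet provider's code: a toy vault issues a random 16-digit token bound to one merchant and amount, hands the merchant only that token, and refuses any second presentation of it, so a token captured from a terminal or log cannot be replayed.

```python
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed illustration of payment tokenization (not any wallet provider's code).
# The real card number (PAN) stays inside the vault; the merchant's terminal only
# ever sees a random 16-digit token that is bound to one merchant and amount and
# is consumed on first use, so a captured token is worthless to an attacker.
class TokenVault:
    def __init__(self) -> None:
        # token -> (pan, merchant_id, amount_cents) for tokens not yet redeemed
        self._live: Dict[str, Tuple[str, str, int]] = {}
        self._spent: Set[str] = set()

    def issue(self, pan: str, merchant_id: str, amount_cents: int) -> str:
        """Issue a single-use token for one transaction at one merchant."""
        while True:
            # 16 random digits from the OS CSPRNG; nothing is derived from the PAN
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._live and token not in self._spent:
                break
        self._live[token] = (pan, merchant_id, amount_cents)
        return token

    def redeem(self, token: str, merchant_id: str, amount_cents: int) -> Optional[str]:
        """Return the PAN for authorization, or None if the token is unknown,
        already used (replay), or presented by the wrong merchant or amount."""
        entry = self._live.get(token)
        if entry is None:          # never issued, or already spent
            return None
        pan, bound_merchant, bound_amount = entry
        if (merchant_id, amount_cents) != (bound_merchant, bound_amount):
            return None            # token bound to a different transaction
        del self._live[token]      # consume: a second presentation will fail
        self._spent.add(token)
        return pan


def masked(pan: str) -> str:
    """What a receipt may show: only the last four digits of the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]
```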
Attackers Exploit Weak Data Protection, Innovative Technology And Outdated Architectures
Threats come from all sides — hackers will continue to exploit common vulnerabilities in systems ill-designed to protect personal data, but will also evolve to push through new holes that open up in innovative technologies and, more pervasively, in outdated IT infrastructures that don’t provide end-to-end defense in depth.
Personal data are the jewels that attract thieves. Cyberthieves are upping their game from POS exploits to a richer, more valuable trove of personal data that loyalty and mobile payment programs bring into retailer systems — names, mailing addresses, phone numbers and email addresses. They are shifting their focus to the online segment where prey is richer and weaker. In fact, online fraud attacks surged 137% between Q2 2015 and Q1 2016, according to fraud detection and protection solutions provider Forter.[6]
New technology also can present new threats. For example, as retailers adopt machine learning systems that analyze vast troves of data to support personalization based on purchasing patterns across channels, there are more points of vulnerability. At the same time, new technologies can really help. For example, adopting a trustworthy, secure cloud-based POS provider (like Shopify, Vend or Toast) that can make investments in innovations that stay ahead of hackers raises the bar for everyone.
The largest threats, however, may be the outdated architectures most retailers are constantly building upon. Waves of technology solutions, from chip-enabled EMV cards to decision intelligence applied to both personalization and fraud monitoring, are layered atop aging infrastructures, where often even the basics of security protection aren’t being addressed. Outdated systems supporting distributed and hybrid retail environments, combined with new endpoints like IoT, POS, kiosks and WiFi, increase the attack surface and open retailers to exploits that are hard to detect. For example, third-party service providers may have access to serve a functional component, including POS, physical security systems or HVAC, and that access provides a back-door vector to ingenious attackers.
The Best Practices Imperative
Remember, we still have a lot to do at the very basic level. According to the 2016 Verizon Data Breach report,[7] the top 10 exploits still account for 85% of attacks. Avoiding disaster also depends on recognizing the warning signs and criminal patterns: 95% of breaches and 86% of security incidents fall into nine established exploit patterns.
Best practices in cybersecurity range from getting the right governance from the C-suite to building the right programs to executing with excellence in operations.
C-Suite Governance And Business Value Of Cyber Programs
It’s vital to go beyond the CISO and CIO to garner the right attention and funding for stronger programs from the C-suite. These members include: legal, CMO, CCO, CFO and the CEO. In doing so, it’s important to tell your cybersecurity story in terms that executives can understand, and show how your program will lower risk to business strategies.
Security By Design: Programs and Architecture
Holistic security programs move beyond PCI compliance. Retailers should build security programs and architectures that support end-to-end software encryption, beyond simple authentication. In addition, it’s important to stay on top of and leverage new technologies like artificial intelligence that can improve detection of malicious security attacks. MIT's Computer Science and Artificial Intelligence Lab and AI technology firm PatternEx are starting to leverage machine learning to predict cyberattacks significantly better than existing systems.[8]
Operational Execution: Do The Basics
Attackers are less likely to gain access to your systems when applications and databases are segmented and compartmentalized. In fact, Verizon found that most attacks exploit known vulnerabilities that businesses failed to patch, despite software providers making patches available months or even years prior to the breach taking place. Also, retailers should use a governance, risk and compliance (GRC) system to monitor issues and incidents and address mitigation actions to close out vulnerabilities. This strategy can be a very effective way to ensure that no issues are left unaddressed.
Success In Retail Security Takes Vigilance. It’s A War.
Cisco’s 2017 Annual Cybersecurity Report[9] states that only 54% of retailers managed public scrutiny due to a security breach — we are doing only half the job. Consumers are increasingly concerned about privacy and are looking to retailers to build the trust required to make this a truly collaborative partnership that benefits them as well as retailers.[10] Get future-ready and gain the advantage!
Yo Delmar is Vice President – GRC Solutions for MetricStream. She has more than 30 years of experience in Information Technology and Management, with a focus on Governance, Risk and Compliance (GRC) over the past 10 years. Prior roles included Director, GRC, EMC Consulting, where she launched GRC Advisory Services for the Security and Risk Management Practice of EMC’s consulting division. Through her own company, Delmar Consulting, she has held executive positions at several GRC and Security Risk Management companies. She has provided advisory services to Fortune 1000 companies on the implementation of IT and GRC programs for several decades.
[4] http://www.nextadvisor.com/blog/2015/06/29/how-pay-for-your-purchases/ : surveyed 500 people ages 18 and older and found that 42% of respondents prefer to pay with a debit card and 38% reach for their credit card.