From a risk and compliance perspective, defense, finance, tech, and healthcare are generally thought of as the “riskiest” industries — but the retail sector is more vulnerable than it might appear. Organized retail crime (ORC), fraud rings, evolving regulations and other challenges all have the potential to cause significant disruption in the retail sector, and most retailers have invested considerable time and resources to mitigate them. Unfortunately, today’s retailers need to recognize that the industry has become a prime target not just for regular criminals but for cybercriminals, too.
Retailers don’t always take cybersecurity risk as seriously as they take other forms of risk. Business leaders don’t always want to approve the budget needed for another cybersecurity solution they don’t really understand, and they may not want to implement new security procedures that create unnecessary friction or don’t help sell widgets.
That’s a mistake — one that risks leaving the retail industry perilously exposed. But no store would tolerate that level of exposure with its credit card readers — or worse, with its food safety protocols. The reality is that cyber risk is just as serious as financial risk, food safety risk and other dangers — and it’s time we started acting like it.
How Retailers Address Standard Risks
Consider the most common risks retailers face. Naturally, shoplifting is the first thing that comes to mind — retail theft is common enough that most stores build an expected level of loss into their bottom line in the form of shrink. It isn’t realistic for stores to catch every shoplifter, but they can (and do) take steps to significantly reduce the ability of ORC groups to operate at scale. Retailers invest heavily in loss prevention personnel, surveillance devices, electronic sensors and other security measures designed to make stealing as difficult as possible — and they mostly succeed. The National Retail Federation notes that while retail crime is still an issue, progress is being made — and retailers have been working aggressively to address the problem.
Card skimmers are another common way for criminals to target retailers, and they are regularly found at gas pumps, self-checkout stations, ATMs and other point-of-sale terminals. The FBI estimates that skimming costs consumers and financial institutions more than $1 billion every year — and while that money may not come directly out of the retailers’ pocket, the blowback can be significant.
Retailers that fail to regularly check their POS terminals for evidence of card skimmers and remediate the issue immediately may find their card processing fees raised and angry regulators knocking on their door — not to mention the reputational damage they will suffer. Retailers have standard procedures in place to check for evidence of card skimmers, and an employee who fails to notice (for example) a broken seal on a compromised gas pump can face severe consequences.
Mitigating those risks is important — but food safety might be the most important of all. There are very stiff penalties associated with poor food safety compliance, and retailers that sell consumables are extremely diligent about checking expiration dates, monitoring for recalls and adhering to industry best practices.
When Boar’s Head recalled a wide range of deli meats amid a listeria outbreak last year, retailers didn’t just remove the meat from stores — they closed entire locations for cleaning, ensuring that no surface that might have come into contact with the offending products remained contaminated (how’s that for product shrink?). When it comes to risks involving product theft, financial losses or food safety, retailers are almost always on the ball — so why is cyber risk treated differently?
The Impact of Cyber Risk – and How to Address It
Part of the problem is that retailers don’t face the same B2B pressures that other businesses do — they sell directly to customers, who are much less likely to ask for a clean SOC 2 report or ISO 27001 certification. But that doesn’t necessarily make those compliance frameworks less important — both provide helpful guidance for securing data in the cloud, where retailers are almost certainly storing valuable customer information.
Similarly, retailers and other B2C businesses may feel less urgency around breach notification, but recent updates to SEC guidelines on cyber risk management mean breaches now need to be disclosed in a timely manner. Retailers that lack the tools to engage in reporting and documentation increasingly risk running afoul of regulators.
Retailers — like nearly all modern businesses — gather a significant amount of data. That data is valuable: it helps businesses learn more about their customers and improve the quality of their offerings. But it also represents a high-value target for cybercriminals looking for personal information, payment data or credentials they can leverage to compromise other, more valuable accounts (unless you use a password manager, there’s a pretty good chance you didn’t bother thinking of a unique password for the rewards program at your local grocery store).
Even on its own, customer data can reveal quite a bit. There’s a reason targeted advertisements are as effective as they are, and it makes that data extremely interesting to cybercriminals interested in identity theft and other malicious activities.
The risks at play are not theoretical — they are quantifiable. Card skimmers may cause $1 billion a year in losses, but cybercrime causes more than a dozen times that number. Retail is the fourth-most targeted industry, trailing only finance, professional services and technology, and the average cost of a data breach in the retail industry is now $3.48 million — a jump of more than half a million dollars from the previous year.
Today’s attackers see retailers as an attractive target, one that may be easier to crack than healthcare providers or financial institutions with more protections in place. If retailers aren’t investing in security solutions and don’t see the value in adhering to compliance frameworks, make no mistake — attackers will smell blood in the water.
So what should retailers do about it? If recognizing the value of risk management is the first step, the second step is implementing solutions that allow retailers to understand how certain risks impact their digital environments. That means having a centralized way to view security risks, compliance risks and other factors that can impact the organization’s overall risk profile. By improving visibility into how those risks can potentially affect the organization, it becomes easier to quantify the impact of different decisions — and that can help security, IT and risk management teams speak the language of business.
By approaching business leaders with hard numbers about the financial impact, regulatory implications and other factors when seeking to implement a new security solution, adhere to a new compliance framework or establish a new risk management process, security teams can help demonstrate their value to the business’ bottom line.
It’s Time to Treat Cyber Risk Like Food Safety Risk
No retailer would ignore the threat of credit card skimmers or food safety risks — but many fail to treat security and compliance risks with the same level of importance. Unfortunately, poor risk management practices can be just as damaging as ORC, fraud rings or food safety violations — if not more so.
Cybercriminals increasingly recognize that retailers don’t protect their digital environments with the same level of care as financial institutions, healthcare organizations and other traditional targets — despite having mountains of data that are every bit as valuable. With the financial impact of security incidents becoming more severe with each passing year, the time for retailers to act is now.
Strong risk management isn’t optional for retailers anymore — in today’s threat environment, it’s important to know where your vulnerabilities lie in order to make truly risk-informed business decisions. By managing risk and compliance in a holistic manner, retailers can safeguard their digital environments and avoid becoming easy prey for attackers seeking a quick score.
Nick Kathmann is LogicGate’s Chief Information Security Officer (CISO). With more than 20 years of IT experience, he has spent the past 18+ years helping enterprises of all sizes strengthen their cybersecurity postures. He has built and led several teams delivering cybersecurity solutions for complex, business-critical environments ranging from SMB to Fortune 100 companies, based on-premises in traditional data centers and in the cloud. He is also experienced across a variety of specific sectors, including healthcare and financial services. Prior to his current role, Kathmann served as director of cybersecurity at Dell Technologies, overseeing the internal cybersecurity program, among other responsibilities.