More than 80% of the world’s consumers now shop online, providing retailers with more consumer data — and better information and insights — than ever before.
Although this is a boon for ecommerce, customer engagement and digital experiences, it’s also a security risk for retailers to take seriously as data breaches grow more common and costly every year.
Yet despite heightened risks, many retailers still put off proactive measures, skimp on security infrastructure and fail to invest in vital technology tools until after a breach occurs. By that time, the damage has taken its toll on a company’s reputation, consumer trust and the bottom line — leaving retailers with a bill larger than the cost of preventive security measures.
In today’s precarious environment, being prepared for a cyberattack is mission critical.
How Data Breaches Give Malicious Actors a Big Payday
All of the online information that retailers collect, analyze, and use to complete an order — names, location, shopping preferences and shipping addresses — also helps to inform everything from product recommendations and checkout reminders to notifications about deals and discounts, creating personalized customer experiences throughout the ecommerce journey.
For the retailer, necessary consumer data provides crucial insights for nearly every part of the organization. For example, merchandising teams can preemptively stock popular items, sales can drive new leads and revenue streams, and marketers can build better brand loyalty and digital engagement.
However, while consumer data is necessary for basic ecommerce functions, it’s also valuable to the malicious actors who’ve become fixtures in the digital environment. Cybercriminals who successfully breach retailers’ defenses may not only steal account information and other financial data but also exploit information about individuals and their online behavior to carry out increasingly sophisticated social engineering attacks.
Consider a bad actor who gains access to checkout information: If the hacker knows that a customer added a pair of jeans or a sweater to their cart but didn’t end up buying the items, they can devise a fake advertising campaign that features the exact color and size of the clothes, offering a deal too good to pass up and tricking the customer into paying for items that will never arrive at their door.
These types of social engineering attacks take advantage of human emotions like trust, familiarity and shoppers’ eagerness for a great deal — and they are incredibly effective. In fact, social attacks like phishing and pretexting are among the top attacks targeting the retail industry, and they’re growing more prevalent. Although it may sound scary, retailers aren’t defenseless against threats.
How Retailers Can Secure Their Consumer Data
To optimize the ecommerce benefits — and minimize risks for retailers — a balanced approach to obtaining, using and protecting consumer data without intruding on people’s privacy or disrupting their digital experience is essential.
While there’s no silver bullet solution to striking the right balance between data security and data-driven innovation, consider the following security strategies to help protect and secure consumer data.
- Adopt a proactive security mindset. Every security component requires an upfront cost — but it’s surprising how many C-suite leaders still view proactive measures as a sunk cost rather than an investment in their business. When organizations attempt to save money by neglecting cybersecurity, it’s almost always a short-sighted approach.
Instead of waiting for threats to materialize, adopt a proactive approach to cybersecurity that prioritizes ongoing improvement, continuous learning and tangible steps to strengthen data security across the enterprise. A good first step is ensuring your security configurations meet cybersecurity best practices set by the CIS Benchmarks. From there you can implement more advanced defenses, such as automated risk assessments and data insights into your security systems and infrastructure.
If there’s pushback in your organization or someone suggests cybersecurity improvements can wait, remember that the average impact of a data breach continues to increase and now costs retail companies $3.28 billion.
- Ensure defenses are activated from start to finish. As soon as customers land on your site (and even before), they generate data that’s useful to you and, unfortunately, malicious actors. That’s why it’s vital to ensure you have security tools in place that can verify users, identify threats and block attacks before a transaction takes place.
To start, ensure your web application firewall is correctly configured according to Open Web Application Security Project (OWASP) standards, which will help monitor and filter web traffic and prevent path traversal attacks that originate from outside your site. In addition, session tracking can help determine whether online behavior (such as searching for products or adding items to a cart) matches user profiles or appears suspicious. Layer security measures so that they are active from the time customers first search your site to the time they finally log off.
- Support seamless cybersecurity measures. More than 80% of consumers have abandoned their cart or sign-up attempt due to a burdensome login process. The trick for retailers is to embrace tools that protect consumer data and safety without adding friction to the experience. Click to Pay, for example, allows shoppers to pay without reaching for their card or typing in payment details.
Authentication is another place to start, with advanced behavioral analytics and passive biometrics tools that turn user verification into a seamless process. Behavioral biometrics analyze users’ online patterns and behavior — how quickly they type, the way they move the mouse, or where they log in from — to detect and identify suspicious behavior and trigger additional security measures, if necessary.
Meanwhile, trusted users sail through your site without the need for cumbersome authentication steps. With seamless security solutions, retailers can optimize and personalize customer experiences without gathering personal information and compromising sensitive data.
- Know what data you need to collect — and what data you don’t. Every bit of personal information your organization collects, stores and maintains is an additional vulnerability that malicious actors can exploit. You can limit potential risk by scaling back the amount of data you collect and incorporating privacy into every part of the technology stack.
Data privacy should be part of a broader commitment to data responsibility, and it’s become even more pertinent as more jurisdictions (including Europe, India, and U.S. states like California, Colorado and Virginia) move ahead with data privacy regulations.
As the regulatory landscape changes — with more stringent rules for the protection and storage of personal data — now is the perfect time to reconsider what data you collect, why you collect it and what you are doing to keep it safe.
Cyberattacks have become more advanced, but so have the security tools at your disposal. You don’t need every new security solution on the market, but you do need the right tools, infrastructure and strategies to protect your customers and their data. How are you getting started?
Justine Fox (they/she) joined NuData Security in 2014 as a DevOps Administrator. When Mastercard acquired NuData in 2017, Fox was one of the early champions of the integration process, often working closely with stakeholders to adopt the Mastercard Way and align development practices. Fox transitioned from a Director of Software Engineering role to a Principal Product Manager – Technical role at the end of 2021. Fox focuses on developing the digital devices and IoT product ecosystem while specializing in systems integration, DevOps engineering, site reliability engineering and data enablement.