How Retailers Can Build ‘Forgivability’ to Survive a Cyberattack

Ecommerce fraud exploded during the COVID-19 pandemic as online shopping gave cybercriminals more targets. The average volume of successful monthly fraud attacks rose sharply in 2020 for mid- and large-sized U.S. retailers, up 43% to 48% compared with 2019.

Criminals are also becoming more savvy. NuData, an online security firm owned by Mastercard, reported that 76% of attacks on retailers in the second half of 2020 were classified as sophisticated, meaning they were harder to detect and increased the likelihood of a large breach. Those more cunning attacks were up 35% from the prior year.

With an estimated 2.14 billion people worldwide buying goods and services online in 2021, the retail sector will remain an increasingly prominent target for cybercriminals looking to steal money, goods and large amounts of personally identifiable information. While any breach can be difficult for a brand to handle, it can be particularly devastating for smaller businesses operating with lower margins. Although retailers can and should take all possible preventative measures, there is always an inherent risk to customers’ accounts.

That is why establishing trust and building “forgivability” with consumers can protect a retailer’s brand long term — and its bottom line — should something go wrong. Forgivability means establishing a trusting relationship with customers so that they know your company has important measures in place both to prevent a cyberattack and to resolve matters quickly if a breach does occur.

Consumers generally know that doing business in an electronic world comes with a certain amount of risk. The question for shoppers is whether the company they have chosen to trust with their business is doing everything possible to protect their personal information. The answer to that question could be the deciding factor in whether a brand survives a breach. A great example is the difference in how victims reacted to the massive Target data breach in 2013 versus the infamous Equifax breach just a few years later.

When Target discovered that cybercriminals had managed to infiltrate its corporate network, within weeks executives called in a third-party forensic team to investigate the cause of the breach, removed malware from its store registers, and then notified customers that their credit and debit card information may have been compromised.

In contrast, in 2017, attackers stole the personal information of at least 145.5 million Americans because of a security hole in Equifax’s servers that executives knew about and chose not to fix. Furthermore, it took more than four months for Equifax to even discover the breach and cut off cybercriminals’ access to customer data since the company was not vigilantly watching for cyberattacks.

It is not difficult to see the difference in how these two companies handled things. While Target’s breach did cause a temporary public relations problem for the brand, it originated with a third party, which is far more difficult to detect. Customers ultimately seemed to understand that cyberattacks such as that one are difficult to entirely prevent and continued shopping at Target. Equifax, on the other hand, will be dealing with brand damage for years to come. By displaying negligence both before and after hackers breached its servers, the company was not well positioned to be easily forgiven by its customers.

Here are three important steps retailers can take to protect their brands against the next cyberattack and build forgivability with customers.

1. Tighten up your security infrastructure: As evidenced by the Target and Equifax incidents, customers are much more likely to forgive a breach if they know your company had every possible measure in place to prevent it. Strong enterprise security requires multiple layers to confirm that your customers’ information is safe across all channels, including mobile devices. Invest in more than just meeting the basic standards. If an attack does occur, be transparent with your customers about how it happened and the measures you’re putting in place to mitigate any future risk.

2. Reiterate the importance of cybersecurity measures to employees: Make sure your entire team understands the importance of cybersecurity to both your company’s reputation and its financial well-being. Many corporations choose to hire a Chief Information Security Officer (CISO); however, the CISO is not the only person on the team who should be making cybersecurity a priority. Every employee should understand the importance of protecting customers’ data and the steps needed to enable strong enterprise security. Your security culture cannot rely solely on your IT department; it is a team effort. Get your employees engaged and implement a solid cybersecurity training program so they develop a high security IQ and are invested in defending your company against attacks.

Employees are one of the most important parts of a company’s security equation. They act as a firewall against a number of common types of cyberattacks, including phishing and social engineering. A good security program isn’t just a pile of stacked security technology; it is a trained team that is constantly vigilant and ready for the next threat.

3. Communicate cybersecurity measures to customers: Communicate with your customers regularly and educate them on cybersecurity risks and the steps they can take to protect themselves. Emphasize the importance of using unique passwords; the reuse of passwords across multiple accounts is exactly why stolen accounts are sold on the underground. Additionally, phishing continues to walk hand in hand with the use of stolen credentials in breaches, as it has in the past, according to the 2021 Verizon Data Breach Investigations Report, and is expected to increase due to a larger remote workforce.

Educating your customers on the importance of picking strong, unique passwords cuts down on risk and also helps build forgivability if a breach does occur. Send regular reminders to your customers letting them know that you care about their privacy, and also giving them tips and tools to protect themselves. Education breeds knowledge and understanding, and therefore forgivability.
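The point about password reuse is that leaked username/password pairs from other sites get replayed against a retailer’s login page (credential stuffing), and the reused ones succeed. A retailer can watch for that pattern in its own login logs: one source trying many distinct accounts with a high failure rate, versus a legitimate shopper retrying one account a few times. The following is an added illustration, not code from the article or from BigCommerce; the log layout (`timestamp source_ip user outcome`), the thresholds and the sample lines are all constructed assumptions.

```python
"""Flag credential-stuffing patterns in web-shop login logs.

Added example. Assumes a whitespace-separated log layout of
"timestamp source_ip user outcome" with outcome OK or FAIL; the
thresholds and the sample lines below are constructed, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample log: 203.0.113.7 sprays six different accounts and
# lands one (a reused password); 198.51.100.5 is a shopper mistyping
# their own password twice; 192.0.2.44 is a clean single login.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-06-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2021-06-01T10:00:03Z 203.0.113.7 carol@example.com FAIL
2021-06-01T10:00:04Z 203.0.113.7 dave@example.com OK
2021-06-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2021-06-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2021-06-01T10:05:00Z 198.51.100.5 carol@example.com FAIL
2021-06-01T10:05:20Z 198.51.100.5 carol@example.com FAIL
2021-06-01T10:05:45Z 198.51.100.5 carol@example.com OK
2021-06-01T10:07:00Z 192.0.2.44 gina@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to spot account spraying."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    successes: List[str] = field(default_factory=list)


def parse_login_lines(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse log text into (timestamp, ip, user, outcome) tuples.

    Malformed lines are skipped rather than crashing the detector, so a
    single bad record cannot blind the whole analysis.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, outcome = parts
        events.append((ts, ip, user.lower(), outcome.upper()))
    return events


def aggregate_by_source(events) -> Dict[str, SourceStats]:
    """Group login events by source IP and count attempts, failures,
    distinct accounts tried and accounts successfully entered."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for _, ip, user, outcome in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome == "FAIL":
            s.failures += 1
        elif outcome == "OK":
            s.successes.append(user)
    return stats


def find_credential_stuffing(text: str, min_accounts: int = 5,
                             min_fail_ratio: float = 0.5) -> Dict[str, dict]:
    """Return sources that tried at least `min_accounts` distinct accounts
    with a failure ratio of at least `min_fail_ratio` (assumed thresholds).

    Accounts that were entered successfully from a flagged source are
    listed for review: those are the likely password-reuse victims who
    should be forced to reset and notified.
    """
    stats = aggregate_by_source(parse_login_lines(text))
    report: Dict[str, dict] = {}
    for ip, s in stats.items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_accounts and fail_ratio >= min_fail_ratio:
            report[ip] = {
                "attempts": s.attempts,
                "distinct_accounts": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                "accounts_to_review": sorted(set(s.successes)),
            }
    return report


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

In the sample, only 203.0.113.7 is flagged (six accounts, five failures), and `dave@example.com` is listed for a forced reset and a customer notice; the shopper retrying one account is not. Real deployments would key on more than the source IP (attackers rotate addresses), but the distinct-accounts-per-source signal is the one that separates stuffing from ordinary forgotten passwords.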

Forgivability is going to look different for every company and brand. It is shorthand for a mix of communication, transparency and tough love to establish trust. Forgivability will be earned once customers understand that security is always a company’s top priority and that the company is constantly working to improve security measures and protect their personal information. Although cyberattacks will continue to happen, it is often the response to an incident that people will remember long term.

Dan Holden is VP of Cybersecurity at Open SaaS ecommerce platform BigCommerce.
