By Brian Lapidus, Chief Operating Officer, Kroll Fraud Solutions
To prepare for the 2009 holiday shopping season, retailers need to check their list twice to ensure the proper security measures are in place. Their customers and bottom line will thank them!
With the dire predictions of flat sales and increasingly selective shoppers, retailers must feel as though they are fighting an uphill battle this holiday season. They are slashing prices and offering incentives in an effort to attract and retain a wary customer base with a limited holiday budget. And yet, even in the midst of this battle, retailers would do well to devote extra time to data security.
The holidays are always a time of heightened risk, and businesses that experience online fraud or a loss of customer data are almost never able to avoid the reputational costs. But in light of the economic downturn, breached companies may suffer more than in years past. Consumers’ willingness to walk away from a business they deem risky seems to be growing. Lost business is the most costly effect of a breach, averaging $139 per record compromised, according to a 2008 Ponemon study. Lost business now accounts for 69% of data breach costs, up from 65% in 2007 and 54% in 2006.
This holiday season, retailers should give their customers the gift of data security. Utilizing extra safeguards and following a strict security policy ensures customer trust and, ultimately, builds strong customer loyalty. The following are a few simple measures that retailers should include on their data security checklist this holiday season:
Properly screen holiday staff
As with all employees, temporary workers have access to a wide variety of customer data, yet organizations often do not screen these employees as thoroughly as they do their full-time staff. Organizations should avoid opening themselves up to a big security risk for what might amount to minimal savings at the outset by conducting thorough background checks of all employees.
Educate employees about the signs of fraud
From point of sale to internal computer servers, retailers should provide security training to employees and remain up-to-date on the latest scams and techniques. Customers may be hesitant to seek a company’s services if it has recently had a phishing scam linked to its brand, or it is reported that skimming devices were found on registers at one of its stores. It’s a known fact that fraudsters target retail outlets more during the holiday season, so it is important for retailers to remain vigilant and encourage their employees to do the same.
Prepare IT departments for the increase in online holiday traffic
In today’s economy, many retailers receive a significant portion of holiday revenue from online sales. Thieves are well aware of this fact and take advantage of the high traffic volumes that occur during this time of year to fly under the radar. Hackers can steal payment card data, compromise customer accounts and reroute shipments of merchandise, making the encryption of sensitive data an essential defense. Companies should avoid making changes to network systems during this time of year and should closely monitor network traffic, including internal data flow. At the same time, this is no time to skimp on security system updates or to overlook the processes already in place to protect data collected electronically.
Use caution when obtaining customer data
In today’s era of aggressive marketing, it pays to know your customer. As a result, most retailers make a habit out of collecting customer information, including home and email addresses, phone numbers, credit card information and more! Identity thieves know this fact very well — in fact, it is perhaps the primary reason why retailers are such popular breach targets. Retail companies would be best served by taking a step back to evaluate the types of information they collect with a specific look at how and why it is obtained, used and stored. Companies should store data sparingly and when they do decide to dispose of sensitive personal information, they should do so safely. Remember, identity thieves can’t steal what you don’t have.
Comply with the FTC’s Red Flags Rule
Not all retailers fall under the Red Flags Rule requirements, but don’t make any assumptions. The FTC has made it clear that some retailers will in fact fall under the definition of a “creditor” that handles “covered accounts” — generally speaking, any scenario where customers are allowed to take merchandise before payment is made. The FTC has once again delayed enforcement of the rules until June 1, 2010; however, this shouldn’t deter retailers from making plans. Now is the time to begin building a compliance program — or, at the very least, adding it to the list of New Year’s resolutions.
Perhaps the most important advice is to simply remain vigilant. After all, retailers aren’t the only ones who view the holidays as the “busy season.” Hackers and thieves recognize that this is the perfect time of year to steal data. Retailers focused on meeting consumer demand can’t afford to overlook appropriate precautions, or the high volume of transactions that makes them a ripe target for data thieves.
As chief operating officer for Kroll’s Fraud Solutions practice, Brian Lapidus has unique frontline experience helping a wide variety of corporations and organizations safeguard against and respond to data breaches. He is particularly knowledgeable about the many security gaps – physical, procedural and electronic – common to many U.S. companies and organizations, as well as the criminal landscape where stolen identities are bought, sold and used. At Kroll, Lapidus oversees a highly skilled team that includes veteran licensed investigators who specialize in supporting breach victims and restoring individuals’ identities to pre-theft status.