In a recent conversation with the chief information security officer for a major retailer, I heard something that changed my perspective on the true impact cyber incidents can have on companies. He said, “At the end of the day, we sell basic consumer goods and people can go anywhere to get those things. It all comes down to who the customer trusts.”
He’s right. In the age of Amazons, eBays and Etsys of the world, consumers are shopping all day, every day. Price isn’t as much of a factor, nor is in-store selection or a particularly friendly sales associate. Instead, one of the biggest factors in choosing which retailer to buy from is reputation. And today, there's no bigger threat to a retailer's reputation than a cyber breach that compromises customer data.
Yet the Ponemon Institute’s 2015 Cost of a Data Breach study found that data breaches in the retail industry have compromised nearly 240 million personal records since 2011. Even scarier is the fact that the retail industry accounted for nearly 80 percent of records stolen in data breaches in 2014. While the cost per compromised record remained constant for many industries, the retail sector saw an increase from $105 per record in 2014 to $165 in 2015.
Target, which reported the theft of 40 million credit card accounts following a December 2013 breach, immediately became the poster child for retailers failing to protect personal information. Although Target’s share prices only slightly dipped following its breach, the breach cost the company around $236 million, its profit fell 46 percent in its fourth fiscal quarter of 2013 and was down by almost a third for all of 2013. Target is just one of a growing list of both large and small retailers whose breaches have impacted millions of consumers, and have suffered the inevitable aftereffects of a loss of consumer confidence. That group includes Home Depot, eBay, Neiman Marcus Group, the TJX Companies and retail vendors like PNI Digital Media.
The increasing digitalization of consumers’ shopping experience makes retailers even more vulnerable to attack. The Internet of Things has enabled devices to anticipate consumer needs and order things on their behalf. As the industry shifts from brick-and-mortar stores into providing more of the online options that consumers expect, retailers are also facing new challenges to balance innovation and consumer convenience with the risk posed by an increase in digital records and consumer expectations that they’ll be secure.
Cybersecurity is a risk that affects retail organizations of all sizes. While Home Depot might be a more obvious or immediately lucrative target for a hacker because of the amount of data it holds, mom-and-pop retailers and other small businesses are still attractive targets, and in some cases are exposed to larger and more sophisticated attacks precisely because their cybersecurity defenses are less mature.
In addition, while enterprise retailers have the advantage of annual revenues that make even astronomical breach-related costs seem like a rounding error, an equivalent breach at a small, midsize or local retailer can be devastating. Many retailers have reacted to data breaches after they occur — often by alerting customers and offering free credit monitoring — but those steps do little to rebuild trust with affected consumers. It’s clear the retail industry is long overdue for proactive steps that address cybersecurity as a critical business risk, one that could materialize any day and cause incalculable damage.
Any organization’s culture of security starts at the top. Board members and executives need to make cybersecurity a top priority before they can expect their employees to do so. A recent New York Stock Exchange (NYSE) survey of more than 200 corporate directors found that 80 percent say cybersecurity is either an agenda or discussion item at their board meetings. While that’s an encouraging statistic, it remains difficult to see that prioritization in business practices.
Too many retailers are still treating cybersecurity as a technology issue relegated to the chief information security officer or the IT lead. Too few businesses are treating it for what it is: an enterprisewide risk that impacts all aspects of an organization and requires both strategic and tactical expertise and focus. Involving the board is a step in the right direction. In fact, Ponemon’s report found that board involvement reduces the cost of data breach records by $5.50 per record, not an insignificant amount.
The increasing value of customer records and the ease with which they can be stolen means retailers need to step up their cybersecurity policies and procedures. It won’t happen overnight, but retailers must start implementing the right culture, policies and procedures to stay ahead of cyber threats. A retailer’s reputation — and bottom line — depends on its ability to maintain consumers’ trust, which includes protecting personal information from breaches and attacks. More importantly, board members and executives of retail companies, whether small or large, must be accountable for the potential impacts increased network connectivity and software-driven efficiencies can have on their operations. Creating awareness and fostering literacy among boards and executives around cybersecurity will help the retail industry better defend itself and its customers against future breaches.
Simone Petrella focuses on product development and delivery of training and education curriculums at CyberVista, a cybersecurity education and workforce development company.