[BreachExchange] It’s Time for Retailers to Take Cybersecurity Seriously … or Pay the Price

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 2 19:54:05 EDT 2016


http://www.dealerscope.com/article/its-time-for-retailers-to-take-cybersecurity-seriously-or-pay-the-price/

In a recent conversation with the chief information security officer for a
major retailer, I heard something that changed my perspective on the true
impact cyber incidents can have on companies. He said, “At the end of the
day, we sell basic consumer goods and people can go anywhere to get those
things. It all comes down to who the customer trusts.”

He’s right. In the age of Amazons, eBays and Etsys of the world, consumers
are shopping all day, every day. Price isn’t as much of a factor, nor is
in-store selection or a particularly friendly sales associate. Instead, one
of the biggest factors in choosing which retailer to buy from is
reputation. And today, there’s no bigger threat to a retailer’s reputation
than a cyber breach that compromises customer data.

Yet, the Ponemon Institute’s 2015 Cost of a Data Breach study found that
data breaches in the retail industry are responsible for compromising
nearly 240 million personal records since 2011. Even scarier is the fact
that the retail industry was responsible for nearly 80 percent of records
stolen in data breaches in 2014. While the cost of personal records
remained constant for many industries, the retail sector saw an increase
from $105 per record in 2014 to $165 in 2015.

Target, which reported the theft of 40 million credit card accounts
following a December 2013 breach, immediately became the poster child for
retailers failing to protect personal information. Although Target’s share
prices only slightly dipped following its breach, the breach cost the
company around $236 million, its profit fell 46 percent in its fourth
fiscal quarter of 2013 and was down by almost a third for all of 2013.
Target is just one of a growing list of both large and small retailers
whose breaches have impacted millions of consumers, and have suffered the
inevitable aftereffects of a loss of consumer confidence. That group
includes Home Depot, eBay, Neiman Marcus Group, the TJX Companies and
retail vendors like PNI Digital Media.

The increasing digitalization of consumers’ shopping experience makes
retailers even more vulnerable to attack. The Internet of Things has
enabled devices to anticipate consumer needs and order things on their
behalf. As the industry shifts from brick-and-mortar stores into providing
more of the online options that consumers expect, retailers are also facing
new challenges to balance innovation and consumer convenience with the risk
posed by an increase in digital records and consumer expectations that
they’ll be secure.

Cybersecurity is a risk that affects retail organizations of all sizes.
While Home Depot might be a more obvious or immediately lucrative target
for a hacker because of the amount of data it holds, mom-and-pop retailers
and other small businesses are still attractive targets for hackers, and in
some cases are prone to larger and more sophisticated attacks because their
cybersecurity defense is less sophisticated.

In addition, while enterprise retailers have the advantage of annual
revenues that make even astronomical breach-related costs seem like a
rounding error, an equivalent breach on a small, midsize or local retailer
can be devastating. Many retailers have reacted to data breaches when they
occur — often by alerting customers and implementing free credit monitoring
— but the steps taken do little to rebuild trust with affected consumers.
It’s clear the retail industry is still long overdue for implementing
proactive steps to address cybersecurity as a critical business risk that
could affect it any day and cause incalculable damage.

Any organization’s culture of security starts at the top. Board members and
executives need to make cybersecurity a top priority before they can expect
their employees to do so. A recent New York Stock Exchange (NYSE) survey of
more than 200 corporate directors found that 80 percent say cybersecurity
is either an agenda or discussion item at their board meetings. While
that’s an encouraging statistic, it remains difficult to see that
prioritization in business practices.

Too many retailers are still treating cybersecurity as a technology issue
relegated to the chief information security officer or the IT lead. Too few
businesses are treating it for what it is: an enterprisewide risk that
impacts all aspects of an organization and requires both strategic and
tactical expertise and focus. Involving the board is a step in the right
direction. In fact, Ponemon’s report found that board involvement reduces
the cost of data breach records by $5.50 per record, not an insignificant
amount.

The increasing value of customer records and the ease with which they can
be stolen means retailers need to step up their cybersecurity policies and
procedures. It won’t happen overnight, but retailers must start
implementing the right culture, policies and procedures to stay ahead of
cyber threats. A retailer’s reputation — and bottom line — depends on its
ability to maintain consumers’ trust, which includes protecting personal
information from breaches and attacks. More importantly, board members and
executives of retail companies, whether small or large, must be accountable
for the potential impacts increased network connectivity and
software-driven efficiencies can have on their operations. Creating
awareness and fostering literacy among boards and executives around
cybersecurity will help the retail industry better defend itself and its
customers against future breaches.