Retail E-Commerce: Is Your Risk Growing?

There are several hidden risks for organizations engaged in e-commerce. More and more, retail management teams are taking additional time to evaluate these risks as they operate online storefronts and process transactions across an ever-expanding set of online and mobile channels. Retail executives recognize the rising cost of cyber breaches, which is forcing the industry to review its data protection and recovery plans. Significant financial losses from a breach can be driven by a loss event that strikes the organization directly, one of its suppliers, or a major customer.

Consider the following three points as they relate to cyber security and liability:
  1. A recent report from IMRG indicates that Internet and mobile shopping was up 15 percent in 2012. This trend is expected to continue into the 2013 holiday season, with early estimates projecting that 20 percent of holiday sales will occur online. With this kind of growth, an organization may feel pressure to stand up new sales channels quickly on existing IT and marketing budgets. Security gaps are almost inevitable under those conditions, particularly for companies that have not fully investigated their data security challenges.
  2. Retailers are increasingly using outside vendors to handle financial transactions with customers. Outsourcing activities may include processing card payments, tracking all data points for sales activity and managing inventory levels.
  3. Government and regulatory bodies are growing increasingly concerned about how cyber risk may adversely affect consumers in their jurisdictions. In the UK and Europe, efforts are underway to mandate breach notification throughout the European Union. In the U.S., the SEC has strongly encouraged public companies to disclose material cyber risks and incidents in their financial filings.
With all the added attention and focus on cyber security, what is the largest mistake a retailer can make? It is overconfidence in data security: the belief that compliance with the Payment Card Industry Data Security Standard (PCI DSS), combined with a one-time internal review of data security controls, means the organization is secure. A compliance assessment is a snapshot; the PCI DSS itself is revised over time, and the systems, vendors and attackers around it change faster still. Effective cyber security therefore requires the organization to continually review how and where data flows, both internally and externally, and to re-test the controls around those flows rather than relying on a past assessment.

If you want to test your organization's data security readiness, consider these three scenarios and the questions that accompany them:
  1. Your organization's online storefront is the victim of a Denial of Service (DoS) attack, in which a system is flooded with external requests until legitimate customers cannot get through. What is the sales impact per day or per hour? How long will it take for your organization or its vendors to restore service?
  2. Your organization's data vendor is attacked and unavailable for a period of time. Do you know what financial remedies your contract with that vendor provides? Likewise, what if a major customer is hit by a similar event?
  3. Your organization loses all or a portion of its customer records. Has anyone in your organization analyzed the cost per customer record lost, including notification, remediation and liability?
Here are some steps your organization should take to improve its data security and address these and similar scenarios:
  • Develop a culture in which all employees become protectors of your company's sensitive data.
  • Maintain an inventory of the devices and users authorized to capture, transfer and store data, so that unauthorized devices and users can be recognized at each of those stages.
  • Implement measures to monitor repeated attempts to gain unauthorized access to your data systems. This includes detecting unusual patterns in how data flows across your systems or interacts with devices, for example a burst of failed logins from a single source, or a successful login that follows such a burst.
  • Prepare for a cyber loss event in your organization and build a contingency plan.
  • Learn how you can be protected and indemnified through contractual risk transfer and insurance.
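The monitoring step above is the one item in this list that a practitioner can implement directly. The following is an added example, not code from the original article: it reads authentication log lines in a hypothetical format (timestamp, outcome, user, source address), keeps a sliding window of failures per source, raises an alert when the count crosses a threshold, and raises a second alert if that same source later logs in successfully, which is the pattern of a brute-force or credential-stuffing attempt that worked. The log lines, format, window and threshold are all constructed for illustration.

```python
"""Sliding-window detection of repeated failed access attempts per source.

Added example, not from the original article. The log format below is an
assumption: one line per login attempt, space-separated fields
  <ISO timestamp> <FAIL|OK> user=<name> src=<ip>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): one source hammers several
# accounts within seconds and finally succeeds; another fails slowly over hours.
SAMPLE_LOG = """\
2013-11-04T10:00:01 FAIL user=alice src=203.0.113.7
2013-11-04T10:00:03 FAIL user=alice src=203.0.113.7
2013-11-04T10:00:04 FAIL user=bob src=203.0.113.7
2013-11-04T10:00:06 FAIL user=carol src=203.0.113.7
2013-11-04T10:00:08 FAIL user=dave src=203.0.113.7
2013-11-04T10:00:09 OK user=dave src=203.0.113.7
2013-11-04T10:00:15 FAIL user=erin src=198.51.100.2
2013-11-04T10:30:15 FAIL user=erin src=198.51.100.2
2013-11-04T11:00:15 FAIL user=erin src=198.51.100.2
2013-11-04T11:30:15 OK user=erin src=198.51.100.2
"""

WINDOW = timedelta(minutes=5)   # assumed tuning values
THRESHOLD = 5                   # failures from one source inside WINDOW


def parse_line(line):
    """Split one log line into (timestamp, outcome, user, src)."""
    ts, outcome, user, src = line.split()
    return (datetime.fromisoformat(ts),
            outcome,
            user.split("=", 1)[1],
            src.split("=", 1)[1])


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alert dicts, in the order they were raised.

    'brute_force'             : a source reached `threshold` failures inside `window`
    'success_after_failures'  : a source already flagged then logged in successfully
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources that already triggered brute_force
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, outcome, user, src = parse_line(raw)
        recent = failures[src]
        # Evict failures that have aged out of the window before counting.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if outcome == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "brute_force", "src": src,
                               "at": ts, "count": len(recent)})
        elif src in flagged:
            # A success from a source that was brute-forcing is the event
            # that most needs a human to look at it.
            alerts.append({"kind": "success_after_failures", "src": src,
                           "at": ts, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With the defaults, the fast source 203.0.113.7 trips the threshold on its fifth failure and then produces a second alert when `dave` logs in from it; the slow source never has five failures inside any five-minute window, so it stays silent. Widening the window and lowering the threshold (for example two hours and three failures) catches the slow source as well, at the cost of more noise. Keying on source address alone misses attacks spread across many addresses; in practice the same window logic is also run per target account.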
What steps is your organization taking to secure its data?