A Proactive Approach to Mitigating Retail Cyber Threats

In the past decade, the retail industry has undergone major shifts worldwide due to the rise of the internet. The burgeoning e-commerce industry has significantly impacted “classic retail” as digital platforms like Amazon, eBay, AliExpress and Taobao, along with the rapid pace of online solutions from big-box retailers, accelerate digital transformation. In fact, the latest reports estimate that 10% of total retail business worldwide is generated by e-commerce.

Although this increased reliance on the internet has begun a new chapter for the retail industry, it has also opened the door for cybercriminals to gain access to large volumes of digital data. Financial information, especially credit card numbers, is considered a highly lucrative reward of a successful cyberattack because card data can be quickly monetized (i.e., turned into cash or a cash equivalent), and it is therefore continuously traded on the Darknet. The price for this kind of information can vary depending on the volume available for purchase, but the trade has continued to create demand for credit cards and other data.

Unfortunately, the global retail industry has not made sufficient investments in cybersecurity policies, plans, procedures, and methods of defense, especially with respect to supply chain partners. In fact, according to BDO’s 2019 Retail Rationalized Survey, just 53% of U.S. retailers reported recently making significant investments in cybersecurity, and nearly 10% admitted to making no investment at all. As a result, the average cost of a cyber data breach in the retail industry continues to climb every year. According to a 2018 report from the Securities and Exchange Commission (SEC), the average cost of a cyber data breach has reached $7.5 million. As the financial risk of a data breach climbs, so does the average cost of cyber liability insurance coverage.

Further, more and more companies are facing major lawsuits from their own shareholders, consumer protection groups, and federal and/or state government agencies for their negligence in providing an adequate information security program for their organization, often resulting in significant financial losses and negative impacts to their brand’s reputation.


New Standards Aim to Safeguard Data, But Adoption Lags

As a result of increasing cyber threats, governments are becoming stricter about enforcing data security regulations, implementing standards and procedures that retailers must adhere to, as well as issuing steep fines for noncompliance.

In 2004, the major credit card companies (Visa, Mastercard, American Express, Discover, and JCB) determined it was necessary to have a standard set of guidelines associated with protecting credit card information. This led to the formation of the Payment Card Industry (PCI) Data Security Standard (DSS) 1.0, which was developed with the intent to increase security controls around credit card information and reduce credit card fraud incidents. The PCI Security Standards Council was formed in 2006 to help further this mission.

But even with this focus, nearly 15 years later many retailers still are not compliant with the PCI DSS. The retail industry is dynamic, complex, and adjusting to consumer needs. In order to stay competitive, many retailers are evaluating and incorporating different technologies, including artificial intelligence (AI), machine learning (ML), the Internet of Things (IoT), and blockchain. There is also a shift among brick-and-mortar, social commerce, e-commerce and outsourced (third-party vendor) solutions, such as Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). However, the utilization of new technologies means that retailers need to pay renewed attention to the associated cyber risks.

The lack of cybersecurity prioritization in the retail industry has become an executive management and board-level issue—many companies continue to deploy poor cybersecurity strategies or no strategy at all, which critically exposes the retail business environment to malicious intent that can cripple retailers and cause significant financial losses.


Successful Digital Transformation Means Implementing Threat-Based Cybersecurity

In 2018, retail continued contending with a steady drumbeat of bankruptcies, burdensome debt, disruptive new entrants and shifts in buying power across generations, all of which increased the pressure to innovate. In addition to these more traditional business challenges, the vast amount of personally identifiable information (PII) that retailers possess, including valuable financial information like credit card numbers, also makes them a lucrative target for cyber-attackers.

While coming up with a focused business strategy amid disruption and increased cyber risk is tough for any business, it’s even more so for mid-market retailers saddled with greater resource constraints. In fact, just 37% of mid-market retailers say they are actively thriving today, while more than half (54%) say they’re merely surviving, and 9% admit to struggling, according to our 2019 Retail Rationalized Survey.

To thrive, it’s clear that e-commerce and other digitally enabled offerings will become a greater part of mid-market retailers’ businesses. However, as digital transformation becomes a core part of retailers’ strategy, they’ll have to prioritize threat-based cybersecurity in tandem.

Threat-based cybersecurity is a forward-looking, predictive approach. Instead of focusing solely on protecting critical data assets or following the basic script of a generic cyber program, threat-based cybersecurity concentrates on investments in the most likely risk and attack vectors based on an organization’s unique threat profile. For example, this framework looks different for a pure play e-commerce entity than for a hybrid e-commerce or specialty retailer because the most likely attack vectors are different for each. Threat-based cybersecurity approaches go hand in hand with innovation, as security serves as the backbone to digital transformation—and can even be an innovation catalyst.

Retailers may find themselves racing toward tech innovation as they strive to join the ranks of retail Thrivers. However, without careful attention to cybersecurity concerns, digital transformation efforts may prove fruitless, or worse—harmful. By taking a threat-based approach to cybersecurity concerns, retailers can ensure that investments in innovation are backed by the appropriate safeguards, shielding the organization from both steep fines and reputational blemishes.

For more on how retailers can mitigate cybersecurity risks, read BDO’s latest Cyber Threats Insight.
