Cybersecurity Implications for Retailers

December 2016

Before we had free and easily accessible coding and networking education, the population of hackers was relatively limited. Systems, too, were less sophisticated, as the route into a network was typically through a firewall, modem or other tool IT professionals set up in order to enable remote access. With the rise of the Internet, paths into a company network grew exponentially and Nmap emerged – a tool that scans a network to “map” it. Just imagine the first part of every good “Mission Impossible” scene: A secret government intelligence service is analyzing a map, strategizing how they are going to break into a high-security facility. Maps are important to both defense and offense.

In 2013, Nmap had advanced to the point where it took only 44 minutes to scan the entire Internet. As Nmap evolved, so too did technology advancements that increased sophistication among both networks and hacking capabilities in equal measure. Today, tools for hacking are as easy to find as the average iPhone app, and the number of cyber criminals has increased exponentially.

Retailers can’t prevent a data breach any more than individuals can prevent an auto accident just by being a good driver. Therefore, it’s crucial for retailers to have a defensible position should a data breach occur. There is a difference between telling a regulator, “I thought IT had it covered,” and “we had a thoughtfully developed, communicated and audited plan.”

When it comes to the influence a data breach has on consumer behavior, the polls are divided, and the impact varies by industry. For example, it’s more likely that a consumer will choose a different retail store after a publicized breach than she or he will change to a different doctor. But, because so many factors influence stock price, it’s difficult to calculate the impact, if any, that a breach announcement has on stock price.

It is interesting, however, that one year after the 2013 Target breach, their store traffic was 3-4% lower, a trend not seen across the industry. YouGov tracked brand strength of Target and Home Depot pre- and post-breach, and found that while both companies experienced similar initial reactions, Home Depot quickly recovered, while Target’s repeated revisions to their initial position seemed to cause continued damage.

Executive turnover following a major hack also poses a significant risk to retailers since it directly affects operations. Identifying, recruiting, and onboarding new executives takes time and can interrupt productivity. Dealing with subsequent turnover from employees who disagree with the change is also disruptive.

In addition to internal, regulatory and public scrutiny, retailers now face pressure from the payment card industry to bolster their cybersecurity controls. One issue lies in retailers conflating EMV compliance with cyber risk management. In reality, EMV compliance is only one piece of the puzzle. Meanwhile, some credit card companies are refusing to work with certain retailers that have experienced a cyber breach, and others are fining retailers that don’t meet a certain cyber standard.

Cybersecurity remains a constantly moving target. The potential headlines, expensive lawsuits, fines and penalties all support the case for prioritizing cybersecurity initiatives, as thinking about cybersecurity as a reactive measure is a dangerous game. In the event of a cyber breach, the best-positioned to react will be those who are proactive now in identifying the cyber threats on the horizon.