Cyber Security in Retail: How to Protect Your Business and Customer Data

Andrew Zola

To say that cybercrime is on the rise is really an understatement. Today, cyber attacks are frequent and increasingly sophisticated, targeting not only customer credit card details but also highly confidential internal communications and corporate documents.

Retailers in particular have had to follow their customers online as in-store revenue has declined. As a result, they have been rapidly adopting the cloud to manage their operations and customer interactions while trying to reduce the risk of a breach.

Restaurants and hospitality brands that continue to maintain a strong physical presence are also a highly attractive target for bad actors. This is primarily because a single location can process thousands of transactions a week.

To get a better idea of just how bad it is, let’s take a look at some examples of the major data breaches that occurred over the last couple of years:

  • Adidas (experienced a data breach where sensitive customer data was stolen from their U.S. website)
  • Arby's (was a victim of a malware attack that exposed 355,000 credit and debit cards)
  • Best Buy (also experienced a data breach where some customer payment information was stolen)
  • Forever 21 (was a victim of a malware attack that exposed customer credit card details and internal verification codes)
  • Panera Bread (had a vulnerability that exposed thousands of customers' personal records for eight months)
  • Saks Fifth Avenue and Lord & Taylor (experienced a data breach that exposed five million customer credit card details)

The above is just the tip of the iceberg, and only what these leading brands chose to disclose publicly.

So how were these companies targeted?

Bad actors used sophisticated techniques alongside old, tried-and-tested methods to target these retailers. These techniques included malware and social engineering attacks that breached the retailers themselves as well as their third-party suppliers and vendors.

In recent years, cybercriminals have also started targeting Point of Sale (PoS) systems and vulnerable smart devices (for example, both Target and Google were compromised via smart HVAC controllers).

The consequences of a data breach are significant, and many small businesses might not even survive one. This is because the fallout from a breach goes far beyond lost revenue and damage to the brand's image.

Retailers now need to consider the costs associated with the following:

  • Forensic investigations
  • Fraud reimbursement penalties (chargebacks)
  • Government fines
  • Legal fees and fines

So what steps should retailers take to better protect customer data? Let’s take a look.

Conduct a Security Audit

You won’t know exactly how vulnerable you are to a potential attack until you conduct a security audit. To perform a thorough security assessment, it’s best to get your internal security team and a third-party provider involved in the whole process.

This approach is recommended because your internal IT team can quickly identify known weaknesses, while an external team can pinpoint whatever they have missed.

A security audit should cover the following:

  • Architecture review
  • Code review
  • Database review

Security audits should be conducted on a regular basis to respond to evolving threats effectively. While you might boost security by updating your firewall and internal security protocols, it’s also important to regularly update your risk management plan after each security assessment.

Build a Corporate Culture That Prioritizes Security

Employees at every level must be aware that data security is everyone's responsibility. Staff should also know that one minor mistake could lead to a significant breach that affects everyone.

As social engineering techniques like phishing emails are still popular and highly effective, employees should be trained, again on a regular basis, to recognize them. Staff training also provides a good opportunity to replace weak passwords throughout the organization.

So whether it’s at the corporate head office or at retail stores spread across the country, the same rules apply to everyone.

Embrace Point-to-Point Encryption (P2PE)

To stay one step ahead of bad actors, it is important to use P2PE systems that encrypt credit card data from the moment it enters a payment terminal or portal. This approach ensures that the information is already encrypted before it is sent to the service provider.

As P2PE encrypts credit card data collected from both online and offline stores, you can be sure that no one will be able to read the data while it’s in transit (between the merchant and the processor).

If P2PE isn’t a viable option for your business, tokenization is another approach that can be used to protect sensitive customer data.
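The tokenization alternative described above, as an added illustration that is not part of the original article: the merchant's sales records hold only a random token (plus the last four digits for receipts), while the full card number lives in a separate vault the merchant application never reads back. The `TokenVault` class and the test card number are constructed for this example and stand in for the payment provider's hardened token service.

```python
import re
import secrets

# Constructed sample PAN (a standard test number, not a real card). It passes
# the Luhn check so the validation path below is exercised.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def is_valid_pan(pan: str) -> bool:
    """A PAN is 13-19 digits and must satisfy Luhn before it is accepted."""
    return bool(re.fullmatch(r"\d{13,19}", pan)) and luhn_valid(pan)


class TokenVault:
    """Hypothetical stand-in for the provider's token service. In a real
    deployment this runs outside the merchant environment and the mapping
    is encrypted at rest; here it is an in-memory dict for illustration."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN

    def tokenize(self, pan: str) -> str:
        if not is_valid_pan(pan):
            raise ValueError("invalid PAN")
        # Random, non-reversible token; only the last four digits are kept
        # in the clear so receipts and customer service still work.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment provider calls this, e.g. to settle a charge."""
        return self._vault[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: what gets written to the order database."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def contains_pan(record: dict, pan: str) -> bool:
    """Defender's check: does a stored record leak the full card number?"""
    return pan in str(record)
```

Running `record_sale` and then `contains_pan` on the result shows that the merchant's record never contains the full PAN even though the vault can still recover it for settlement.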

Put Someone in Charge of Security

Going forward, it will be essential to establish a dedicated security role within your organization. If you are an enterprise with over 1,000 employees, it may even make sense to hire a security team.

When you put someone in charge of data security, their entire role will be focused on enhancing security protocols and protecting customer data. This will also help ensure that someone within the company is up to date with the latest security threats and the best approach to respond to them.

Having someone lead your cybersecurity initiatives will also make it easier to engage in white-hat penetration testing.

While there isn’t a one-size-fits-all type of solution to securing customer data, taking a proactive approach to cybersecurity can go a long way to protect your brand value.

Does your retail business require a security audit? Reach out to Digi117 now!

Need staff security training? Talk to one of our experts!