By Retail News Insider
Tens of millions of Americans have been victims of major hacks in recent years. As more consumers pay with plastic and begin to pay with their phones, they’re handing over more data than ever—from card numbers to email addresses to birth dates and more.
With each swipe of the card, consumers place implicit trust in the retailer to keep their accompanying personal and financial information secure. Ultimately, trust is the foundation of the retailer-consumer relationship. So what happens when a security breach shatters the trust between the retailer and the consumer? In the first of a three part series on the cost of crime in the retail industry, Retail News Insider investigates how retailers can fall victim to hacking, what happens once a breach occurs and how retailers can recover.
Who Is At Risk
According to FBI Special Agent Chris Christopherson, retailers shouldn’t be asking if a security breach could happen, but when it will take place. “Retailers need to understand they’re going to be targeted even more than they think is possible,” he says.
While the media has focused mostly on security breaches at large national retailers, Christopherson warns that no retailer is immune to these cyber attacks. Since several large hacks dominated headlines in 2014, “we’ve actually seen a shift in terms of criminals targeting smaller to medium size retailers,” says Christopherson. “Criminals may think these retailers don’t have the same kind of security as the larger chains. Overall, there’s been more information lost and personally identifiable information (PII) has been compromised. But because the companies are smaller, these incidents don’t get a lot of media attention. In terms of sheer numbers, I think retail security hacks have gotten worse.”
Greg Ferrara, Senior Vice President of Government Relations and Public Affairs at the National Grocers Association agrees. “Whether you’re a big retailer or small neighborhood grocery store, you’re facing attacks every day,” he says.
To be fair, he also notes retailers are not unique in facing this risk. “Retail hacks get a lot of media attention, but more attacks have been happening in the financial industry,” he asserts. A recent investigation by Verizon found that only 1 out of every 13 hacks resulting in data loss occurs at retailers, while nearly double occur at financial organizations—and even more at government agencies.
These numbers don’t absolve retailers from preventing attacks, but rather reinforce the idea that everyone with potentially valuable data is at risk for a hack. “Cyber attacks are a for-profit business,” says Tim Erlin, Director of IT Risk and Security Strategist for IT security firm Tripwire. “Hackers are mainly looking for personally identifiable information that they can make money off.” With consumers’ personal and/or financial information, cyber criminals can empty bank accounts, commit identity theft and more.
Understanding How Attacks Occur
How do cyber criminals get into retailers’ systems in the first place? Experts say the methods are as varied as the retailers themselves.
“Cyber criminals range from amateurs to pros, and security threats range from random chance attempts to focused, prepared attacks,” says Dr. Lance Eliot, Vice President of IT for Interactions.
Eliot says several of the most publicized attacks in recent years have stemmed from malware being installed on retailers’ computer networks. “In these types of attacks, cyber criminals access the retailer’s computer network and remotely plant nefarious software, referred to as malware, onto point-of-sale (POS) devices at the retailer’s stores,” he explains. There, the software can capture payment information each time a consumer uses a credit or debit card to pay. That data is then transmitted to the criminals, who can go on to profit from it.
As for how cyber criminals are able to gain access to retailer systems, there are again multiple possibilities. “It could be anything from someone sitting in your parking lot trying to hack in through your WiFi network, to someone sending Trojan emails, to someone coming in and physically tampering with your systems,” says Ferrara.
In some cases, attacks can also begin in less direct ways. For example, cyber criminals may target a third party first (such as a vendor who works with the retailer) with the eventual goal of gaining access to the retailers’ systems.
Preventing and Preparing for Security Threats
“While there’s no surefire way to prevent all cyber attacks, there are things retailers can do to help protect themselves and their customers’ data,” says Eliot. “This should be a top priority and must involve associates at every level, from the IT department to front-line sales clerks.”
It begins with retailers doing a careful assessment of their systems and processes. “Retailers should focus on securing POS systems, identifying where credit card data exists elsewhere in the system and going beyond the PCI (Payment Card Industry) data standard to make sure they’re adequately securing that information,” says Erlin.
Retailers also need to identify where else they have sensitive data stored in their systems, whether it’s customer data or their own organization’s information. They need to look at what could be profitable to someone else. This could include e-mail addresses, phone numbers, HR databases and anything around loyalty cards. “Those systems should be secured and access to them should be limited to only those with a legitimate business need,” Erlin said.
Ferrara adds that retailers also need to look carefully at public WiFi networks. “If you’re going to provide free WiFi to your customers, it has to be totally separate from everything else in the store,” he says.
Beyond technology controls, employee training is also key to thwarting breaches. “There are a lot of attacks that involve getting a human to click on a link,” says Erlin. “Training is the best defense against this, and it has to be done on an ongoing basis because hackers often change their tactics.”
“It’s important for retailers to make their employees aware that there are people who will commit fraud and to teach them what to look for so that security or loss prevention experts can be contacted right away,” adds Special Agent Christopherson. “I’ve been surprised with the number of cases I’ve seen where retailers’ customer service agents were so focused on providing good customer service it didn’t necessarily occur to them that when something strange happens, it could be fraud.”
In addition to enhanced security measures, Eliot recommends retailers also have a crisis management team in place. “Even with the latest and greatest in cyber protections, there is no guarantee that a retailer will be immune to a breach,” he says. “Retailers should have a crisis management team trained in dealing with cybercrime in place well before they need one.”
While there are undoubtedly costs associated with improving security and monitoring for threats, experts say the costs of not doing so can be even greater. The FBI estimates annual losses from retail security hacks to be in the billions of dollars. Retailers can be on the hook for covering consumer losses that result from the hack, and may also suffer decreased sales following one. Beyond financial consequences, the loss of consumer trust can be devastating. “If a breach is big enough, it could put a retailer out of business,” says Ferrara.
Recovering from a Data Breach
If, despite a retailer’s efforts, a breach does occur, how a retailer reacts can be critical to both its survival and in managing consumers’ perceptions. The first step is to plug the breach and determine what data has been lost. Once the retailer determines the scope of the breach and notifies law enforcement officials, the next step is to communicate with consumers. The way in which this is done can be a key turning point in recovery for a retailer.
A recent Retail Perceptions survey by Interactions found that 80 percent of consumers believe retailers can rebuild trust lost during a data breach by being honest about the incident. The majority of consumers also placed emphasis on retailers communicating with them and responding to questions, taking financial accountability and investing in additional security measures to prevent future attacks.
“Explain what happened, if consumers’ data was exposed and what you’re doing to protect them in the future,” advises Ferrara. “If you’re honest and upfront, the consumer will accept that. It’s sad that there are so many breaches consumers have come to somewhat expect it. Those retailers who respond in a transparent and helpful way are typically rewarded by consumers’ loyalty.”
