One of the largest data breaches in the past few years occurred when Saks Fifth Avenue and Lord & Taylor stores suffered an attack on their point-of-sale systems, which resulted in 5 million stolen credit and debit card numbers.
Despite awareness and public reports of these types of breaches, cybersecurity incidents continue to strike retailers in all categories, Retail Dive points out.
As long as retailers continue to collect consumer data, cybersecurity experts strongly advise them to implement a comprehensive data protection strategy that includes the following 4 areas:
1) Train employees across all departments
According to the law firm, Priebe and Sills, companies should weave cybersecurity awareness into the fabric of their organizations. It needs to be discussed during the onboarding of new employees and should be ingrained enough that employees are able to alert their designated cybersecurity leader when they spot suspicious activity.
For example, not everyone realizes that email is not a secure and confidential way to share information. Employees, therefore, should be trained on email security measures and be able to recognize common breach tactics like phishing emails. Retailers also need to make sure they’re on the lookout for malware—a leading cause of data breaches.
Retailers should include other departments of the company—from marketing to customer service—in their cybersecurity training efforts, to prepare for potential data breach risks.
“Retailers have all kinds of business units, and I think that there are many that have a role in an incident response team,” Hardy said. “It’s important that all types of people within the organization are prepared for this, because it’s not enough that it be legal and compliance.”
Another security measure retailers should live by is limiting employees’ access to sensitive information, like customer credit card data, and having safeguarding processes in place to make sure this data is properly managed.
2) Appoint internal cybersecurity representatives
With the fast pace of change in the digital world today, security will become more essential to businesses and in many ways, will also drive their growth. This means that businesses require smart leadership that can make fast and effective security decisions to protect the company in case of security crises.
In addition to having an appointed cybersecurity leader, one law firm interviewed by Retail Dive strongly suggested that retailers appoint representatives within each department who can take charge during a data breach. Company executives should also come together periodically to discuss how they would navigate a simulated cybersecurity crisis.
“As cybersecurity leaders, we have to create our message of influence because security is a culture and you need the business to take place and be part of that security culture.”
— Britney Hommertzheim, Director, Information Security, AMC Theatres, at SecureWorld Kansas City
Making security a top priority for the business is no longer a choice for business leaders in today’s connected world–it’s a must. In this new era of digital threats, security will determine the ability of companies to successfully navigate market transitions.
3) Screen third-party partners
Experts cite third-party partners such as vendors, suppliers, and consultants as potential cybersecurity risks, reveals Retail Dive. “Just as companies would ask questions about how a potential company runs, they should also ask about their third-party collaborator’s security procedures.”
While it may be difficult for companies to screen their third-party partners’ cybersecurity efforts, they can at least locate and prioritize significant risks based on where the company’s proprietary data is stored and which third parties have access to valuable information.
Retailers also need to ask partners if they have a chief information security officer—a position that demonstrates how sophisticated they are in their data protection efforts.
Additionally, retailers should find out if their third-party partners have the International Organization for Standardization’s 27001 certification, and should consult the National Institute of Standards and Technology, which helps organizations better understand and manage cybersecurity risks.
4) Delete unnecessary customer data
Understandably, retailers want to collect as much consumer data as possible in order to better serve their customers. But collecting more data also means they’ll be responsible for protecting the information they gather.
Because storing data is more affordable than ever, companies are opting to store rather than delete it. But having more information about consumers isn’t necessarily better. Compiling too much data—directly from customers or third parties—makes it harder for companies to recognize the data points worth deleting.
Priebe and Sills have consulted with businesses that have been in operation for more than 35 years and haven’t deleted any data in all that time. These companies have accumulated so much data from various sources that they often don’t know exactly what personal data they have, where they stored it, or where and when they collected it. On top of that, their legacy systems are most likely too outdated to receive upgrades for recent security protections.
To ensure that all data is accounted for and safeguarded, companies should map out where data is stored, ascertain how it is protected, and establish a records retention protocol for deleting old data.
A recent study by the Ponemon Institute discovered that many small businesses recognize that they aren’t prepared to manage cybersecurity risks in today’s digital environment. While 55% say that they lack the staff and expertise to deal with cyber risk, 47% say they don’t even know how to prevent a cyber attack.
When an organization is breached and/or its customers’ data is compromised, it can result in damage to the brand’s reputation, lost sales, a decline in market value, and possible lawsuits, along with potential sanctions for compliance violations. Additionally, there’s the cost of responding to the breach, removing malware, rebuilding files, and restoring normal operations.
It’s up to retailers that continue to collect and/or store data to address the ongoing problem of cybersecurity risks. The four points discussed above are areas that companies should focus on when building and implementing a comprehensive data protection strategy.