Discovering the balance between convenience and security.
With the holiday season already here, it’s prime time for us to take a moment to consider our cyber hygiene and general cyber awareness of the retail industry before raking in the savings, one swipe – or one click – at a time.
Nation-state attacks and Advanced Persistent Threats (APTs) – attacks aimed at espionage or economic advantage – have dominated the headlines recently. However, there are still plenty of malicious actors out there who simply want consumer credit card numbers, bank information, and other Personally Identifiable Information (PII); and, when it comes to harvesting such financial data, the retail space is among the top targets for cyber criminals.
Target was among the first big retailers ‘targeted’ when the onslaught of retail attacks began in 2013 1, and last year the retail giant had to pay out over $18 million in a multi-state settlement 2. Other retailers have since been hit, including Under Armour, Forever 21 and Lord & Taylor. In 2017 alone, more than 50% of retailers experienced a data breach 3. Not only are data breaches devastating to both consumers and retailers, but they are seemingly ubiquitous. Here’s a look at why that is, as well as why it’s a problem:
- Security and convenience is a delicate balance: Consumers want a frictionless, frustration-free buying experience. The bar has been set pretty high when it comes to the online shopping experience – users are accustomed to searching for an item, clicking, and purchasing in seconds. If they can’t see the photos, reviews, item details, and purchase with the press of a button, they’re off to another retailer. Often security just isn’t top of mind for the consumer. For a retailer to be competitive, they must offer an Amazon-like interface, while also seamlessly building in security. That can be expensive, and it can delay the time a retailer is able to securely offer their products online. Historically, convenience has taken priority over security.
- Consumers are jaded: Related to the previous point, users have simply accepted that their PII and financial information have either already been compromised or will inevitably become compromised. If breaches weren’t so routine, they might take on more significance, but because of the sheer volume of breaches – many of which are beyond the retail markets – consumers just aren’t as concerned, which again, puts the focus back on convenience from a retailer perspective.
- Hackers are successful: The average global cost of a data breach has risen yet again this year, reaching $3.86M, according to Ponemon Institute 4. While that figure is centered more around the costs resultant from hacks and breaches, additional figures support the fact that hacking can be very lucrative. EMV technology – or what you might more readily recognize as a chip in your credit card – was introduced in recent years as a means to combat credit card fraud specifically. While that was a success in some regards, the U.S. in particular has seen a shift away from EMV-based attacks toward Card Not Present (CNP) attacks. Hackers have been successful not just because they are resilient and adaptive, but because consumers are largely driven by convenience. While it may be more secure to insert your card at a brick-and-mortar store, it’s more convenient to shop online. Bad actors realize this and have capitalized on it for financial gain.
But, there is hope. Some retailers have survived hacks and data breaches and learned from their mistakes and made it a point to secure their networks, systems, and data. Others, although not yet attacked, have witnessed the destruction other retailers have endured, and likewise made it a point to harden their networks and prioritize security over convenience.
Yet other retailers have evolved to a more mature state where security and convenience aren’t thought of as alternative ideas and have successfully maintained a balanced and symbiotic relationship. Check out this case study on Boden, a fast-growing fashion retailer that has found such a balance, and leveraged Forescout to reduce its security risk through visibility.
For additional customer stories: visit our customer stories page.
1 Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores
2 Target to pay $18.5M for 2013 data breach that affected 41 million consumers
3 Thales: data breaches skyrocket with 50% of retailers experiencing a breach in the last year, up from 19% the prior year
4 The Average Cost of a Data Breach
