[Column] Wandile Mcanyana: Retailers must secure trust with cyber customers
The retail security landscape
In a dynamic, connected environment where sensitive customer data is highly attractive to hackers and forms the lifeblood of the business, facing a cyber-attack is no longer a case of "if", but "when". Of greater concern for retailers is how to minimise the impact on their business and on customer trust.
How quickly retail leaders can detect and isolate an attack and coordinate a successful response is paramount to overcoming the threat with minimal disruption – in other words, having an effective way of securing digital transformation.
At Accenture, we have conducted numerous studies on Securing Digital Transformation with a special interest in the retail sector. According to our research, 87% of retail companies express complete confidence in their infrastructure security. They plan to increase their cybersecurity investments too, with nearly half saying they are prepared to invest more in the cloud to protect point-of-sale systems and prevent fraud.
Ironically, when asked which types of security breaches their organisations had experienced in the past 12 months, 53% said customer data.
This challenges Chief Information Security Officers (CISOs) to not only be brilliant at security basics, but also be equipped with the insight and foresight needed to keep the customer satisfied and safe, evolving from tech-savvy specialists to business-outcome-focused advisors.
Overall, if retail CISOs are to successfully handle upcoming threats, they need to put the business first.
Being vigilant and protecting core assets
Here is a direct warning: Do not be complacent about the enemy. The nature of cyber-attacks is constantly shifting, and attackers are finding it easier to scale cybercrime globally as a fully-fledged business model. Organised Retail Crime (ORC) – one of many types of cybercrime – costs retailers approximately $30 billion each year as cybercrime groups work tirelessly to steal credit card data and other valuable assets.
In September 2019, Garmin – the multinational company focused on GPS technology – fell victim to a data breach, leaving customers' credit card information at the mercy of cyber criminals. Attackers stole extensive personal data of customers that shopped on the shop.garmin.co.za portal. As retailers digitize their stores to improve customer experiences, they also add new layers of vulnerability.
The good news is 81% of retail organizations recognize that the adoption of innovative business models and liquid workforces brings along an exponential increase in the risk of security breaches. However, this is a moving target – the number of attacks is rising along with the cost to counter them. Between 2016 and 2017, there was a 23% increase in the cost of cybersecurity.
Hackers and cybersecurity techniques are constantly evolving and maturing to exploit new weaknesses in retail defences. Retailers, busy managing competitive pressures, often lack the dedicated focus necessary to keep pace with the changing threat landscape.
Adopting a "Protect and Partner" approach
The move to digital has meant that data is no longer all in one place and security is not isolated to protect it. A distributed network of data that goes beyond the four walls of the organisation, thanks to cloud computing and smart devices, places a burden on security teams who are already dealing with stretched resources and constrained budgets. Add in regulatory demands and the need for dedicated control and compliance and they are placed under further pressure.
To protect high-value assets, it is important that the data is especially secured. Retail executives already outsource many other areas of their business, like security operations centres or risk management, so it would be a natural step to consider outsourcing to better meet security demands. Security outsourcing will therefore continue to grow as the data mountain grows. This is one way to keep pace with change.
The evolving role of the CISO
Our research showed that although retailers are focused on CISO engagement and feeling buoyant about the impact of their efforts, they are only high performing in just over half of their security capabilities. CISOs deal with threats as they arise – which can be effective – but as cyberattacks evolve, a more proactive, risk-based approach to data security and management is needed.
The CISO role should be more embedded in business decision-making such that the CISO partners with different areas of the business to properly assess security and management controls and develop a new mindset within the workforce.
Part of the challenge, however, is having the right talent in place for the cybersecurity voice to be effectively heard. According to the (ISC)² Cybersecurity Workforce Study 2018, 63% of respondents report that their organisations have a shortage of IT staff dedicated to cybersecurity. Evidently, the larger, more powerful companies will have first pick of good talent, leaving smaller retailers with limited choice. Given that a lack of cybersecurity protection can destroy trust and brand image and subsequently impact revenue, this gives retailers a further reason to consider outsourcing their cyber responsibilities to focus on retailing.
Achieving cyber resilience in retail
Retailers who want to reshape traditional operations and deal effectively with the next wave of cyber threats will need to build cybersecurity qualities and values into their business. An evolving threat landscape demands constant vigilance.
It is important to be clear on your inventory, put security controls in place, and establish whether new technologies are adding complexity or adding value. The digital shift prompts a new wave of security outsourcing. Retailers must shore up the defences of third parties and outsourcing partners so that their approach is as secure as the retailer's own.
A data-driven approach and advanced threat intelligence will help to better anticipate potential attacks and develop a more proactive security posture. Lastly, retail CISOs need a seat at the boardroom table to infuse a security mindset into the culture of the organisation. Make sure the next-generation CISO is business adept as well as tech-savvy.