As retail shifts from brick-and-mortar stores to online shopping, information security risk management has become a core business strategy for the industry rather than an IT afterthought. The scale and speed of disruption keep increasing, and with them the attack surface: more channels, more payment endpoints and more customer data make the retail landscape more exposed than ever before.
While rising consumer spending is pushing global retail sales towards an estimated $20 trillion ($20,002 billion) in 2017, retailers face a renewed challenge: re-engaging savvy consumers who want assurance that their data is protected and a better buying experience at the same time. The onus is on the industry itself to build the information and data security infrastructure needed to protect its businesses and regain customer trust.
A survey of 1,000 global security and IT executives across a range of industries, conducted by data security firm SafeNet and research company Vanson Bourne, found that 25% of respondents would not, as customers, trust their own company to manage their sensitive personal information. PwC, meanwhile, reported that the number of detected information security incidents worldwide rose to 42.8 million in 2014, an increase of 48% over 2013, or roughly 117,339 incidents per day. Kaspersky Lab found that close to half of e-commerce retailers and 41% of financial services companies had lost some type of finance-related data to attacks within a 12-month period, while about a third of companies in the two sectors were still reluctant to invest in security software even after a breach.
Today retailers gather high-quality consumer information faster than ever before through loyalty programs, both in brick-and-mortar stores and online. Where is all that customer information stored, and what is done with it? Facebook, the world's largest collector of personal information, is partnering with four data brokers to combine loyalty-card data, online purchase histories and Facebook interactions ('Likes', 'Shares' and 'Comments') into consumer profiles far more detailed than any one of those sources could yield alone. Facebook can also attribute a consumer's later online purchase to an advertisement they viewed on the platform, so advertising, purchase and identity data are linked end to end.
With all this personal data being assembled and shared, who is responsible for its security? The answer is clear: the retailer that collects it. It has never been more important for retailers to protect their customers by implementing concrete data security measures. And because data today is created in bulk, stored across many device types in geographically distributed locations, and transmitted over numerous interconnected systems, retailers should treat the threats to that data as intrinsic to doing business rather than as exceptional events.
2014 was a historic year for cybersecurity in the retail industry; Kaspersky Lab called it the year of retailers getting hacked over and over again. The majority of the breaches, and especially the largest ones, involved the point-of-sale (POS) systems used to read payment cards, most commonly through malware installed on POS terminals that scraped card data from memory before it was encrypted. Counting the Target breach disclosed at the end of 2013, which affected up to 110 million customers (40 million payment cards plus 70 million customer records), the list of North American retailers hit by incidents involving payment card and customer data was both long and diverse:
Neiman Marcus – luxury specialty department stores
Michaels – arts and crafts / home décor stores
Sally Beauty Supply – largest retailer of professional beauty products in the world
Albertsons – grocery supermarkets
SUPERVALU – grocery supermarkets
UPS – packaging and shipping stores/service
Goodwill Industries – second hand stores
Home Depot – home improvement and construction products stores
Dairy Queen – soft serve ice cream and fast food restaurants
Kmart – discount department stores
Staples – office supply chain stores
Bebe – women’s retail clothing stores
PF Changs – Asian cuisine restaurants
Jimmy John’s – sandwich shops
Sourcebooks – online bookstore
Information and data security in the retail industry must therefore be tackled with a broad, strategic risk management approach. Analyzing data security from this perspective enables better decisions and better technical design for protecting sensitive information. Successful data security is also a moving target, so a retailer's strategy should include at least the following elements.
Secure data at all "points": A holistic approach to data protection secures data everywhere it lives and moves: within the retailer's own network, on vendors' and partners' networks, and in transit between them. Inside the organization's own infrastructure this ranges from monitoring systems and potential threats, to deleting data that is no longer needed (data minimization: what is not stored cannot be stolen), to safeguarding information on every platform, including mobile, social media and cloud. Retailers must also verify the security of their partners' networks, since a compromised supplier connection is a path into the retailer's own environment, and protect data in transit with encryption so that interception yields nothing usable.
Remedy basic flaws: Unsuccessful retailers often chase advanced protective measures while ignoring basic everyday best practices. Cultivating and supporting a strong risk-aware culture at the fundamental level provides the baseline from which everyday data protection can succeed. A few must-haves: strong authentication (multi-factor for remote and administrative access), secure system configurations with default credentials and unused services removed, timely patching and upgrading of technology, and network security that segments payment systems from the rest of the corporate network.
Adoption of a big data strategy: To counter emerging threats, retailers need to apply big data techniques to risk management. Analyzing past risk events and running risk scenario analysis over large volumes of operational and security data lets an organization identify potential threats more strategically and improve its risk profile. The result is tailored defenses, with mitigating controls chosen and prioritized according to the risks the data actually shows.
Emphasis on a proactive strategy backed by a business continuity plan: A proactive risk management strategy is vital for bridging the gap between commitment and execution in providing a secure environment for consumers. It should include continuous assessment of vulnerabilities in systems and processes, determination of the impact a security event would have, and measures that reduce the probability of such an event. A sound business continuity plan complements this by defining how to assess the damage, identify the exploited weaknesses, execute recovery plans and implement contingency plans when an incident does occur.
With the increase in frequency and severity of information security breaches, customers as well as regulators are paying closer attention to retailers' data security controls. To confront this effectively, retailers should implement an information security management system aligned with ISO/IEC 27001:2013, the latest version of the proven ISO information security management standard. Once implemented across the organization, it gives the business a systematic way to secure personal information assets and a recognized framework with which to answer customers' privacy concerns, bolstering the organization's reputation.
Successful data security measures are also contingent on implementing the current PCI DSS. PCI DSS is a contractual requirement of the card brands rather than a law, but its controls (segmenting the cardholder data environment, rendering stored card numbers unreadable, and never storing sensitive authentication data after authorization) address precisely the POS weaknesses exploited in the 2014 breaches, and meeting them supports both regulatory obligations and business continuity. With cybercriminals attacking businesses with unprecedented precision and persistence, retailers need to think beyond traditional models of securing data and build a risk-based approach into their strategic plans to minimize business loss and protect revenue.
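The two recommendations above, deleting data that is no longer needed and meeting the PCI DSS rules on stored cardholder data, come together at the moment a POS capture is written to storage. The following Python is an added illustration, not code from the original article or from any retailer or vendor it names. It assumes a captured card record arrives as a dict with hypothetical field names (`pan`, `expiry`, `cvv`, `track2`, `amount`); the tokenization key and the sample record are constructed for the example. It validates the PAN with the Luhn check, then keeps only a masked PAN (first six / last four), a keyed token and the non-sensitive transaction fields, dropping CVV and track data entirely, and includes a small scanner that flags records still containing a full PAN.

```python
"""Minimizing captured card data before storage (PCI DSS Requirement 3 style).

Added example, not part of the original article. Field names, the
tokenization key and the sample capture below are constructed for
illustration only.
"""
import hashlib
import hmac
import re

# Hypothetical tokenization key. In a real deployment this lives in an HSM or
# key vault on the tokenization service, never on the POS terminal itself.
TOKEN_KEY = b"example-vault-key-do-not-use-in-production"

# PCI DSS 3.2: sensitive authentication data must not be stored after authorization.
SENSITIVE_AUTH_DATA = ("cvv", "track1", "track2", "pin_block")

# Non-sensitive fields a merchant may legitimately keep for refunds and reporting.
ALLOWED_AFTER_AUTH = ("expiry", "amount", "merchant_ref")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check so mistyped or garbage PANs are rejected before storage."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, one-way surrogate for the PAN.

    HMAC rather than a bare SHA-256: an unkeyed hash of a 16-digit PAN can be
    brute-forced from the known BIN prefix and the Luhn structure, so a plain
    hash is reversible in practice; the keyed version is not without the key.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def minimize_after_authorization(capture: dict) -> dict:
    """Return the only fields that may be persisted once the transaction is authorized.

    Builds the stored record from an allow-list, so CVV, track data and the
    full PAN are dropped by construction rather than by a blacklist that could
    miss a new field. Raises ValueError on a malformed PAN so nothing is stored.
    """
    pan = capture["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN failed format/Luhn check; refusing to store record")
    stored = {"token": tokenize_pan(pan), "pan_masked": mask_pan(pan)}
    for field in ALLOWED_AFTER_AUTH:
        if field in capture:
            stored[field] = capture[field]
    return stored


def contains_full_pan(record: dict) -> bool:
    """Detection check for stored records, logs or exports: does any value still
    hold a Luhn-valid run of 13-19 digits? Used to catch leaks of the full PAN."""
    for value in record.values():
        for match in re.finditer(r"\d{13,19}", str(value).replace(" ", "")):
            if luhn_valid(match.group()):
                return True
    return False


# Constructed sample capture using the standard Visa test PAN 4111 1111 1111 1111.
SAMPLE_CAPTURE = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "track2": ";4111111111111111=27121010000000000000?",
    "amount": "49.99",
}

if __name__ == "__main__":
    print("raw capture holds a full PAN:", contains_full_pan(SAMPLE_CAPTURE))
    print("stored record:", minimize_after_authorization(SAMPLE_CAPTURE))
```

Running the block shows the raw capture flagged by the scanner and a stored record that carries only the token, the masked PAN `411111******1111`, the expiry and the amount. The token is reproducible (the same PAN under the same key always yields the same value), which is what lets refunds and repeat-customer analytics work without the card number ever being written to disk; the key, not the algorithm, is what protects it, so key custody belongs with the tokenization service and not with the POS.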