Feature Story

Why Hackers Target Retail

Customer data is just the tip of the iceberg. How can retailers secure an ever-widening attack surface?

Cybersecurity attacks on retailers are extremely widespread today. And with all that customer information on hand, it’s no wonder. Retailers are a virtual treasure-trove of data.

“Retail has some of the most notable cases in cybercrime,” said Steven Stone, former EVP, Chief Information Officer at L Brands, Inc.

The annualized average cost of a successful cybercrime to a retail company in 2016 was $7.2 million, according to the Ponemon Institute. The damage over time is more long-lasting, according to Cisco’s 2017 Annual Cybersecurity Report: Nearly a quarter of the organizations that suffered an attack lost substantial business opportunities. One in five lost customers due to an attack, and nearly 30 percent lost revenue.

Perhaps worst of all, the journey to creating better customer experiences is slowing down due to the threat of a cyberattack. According to another recent global survey by Cisco, 57 percent of retailers agreed that security concerns are preventing them from fully embracing business transformation.

However, an industry struggling to keep up with security demands also presents a competitive opportunity for those willing to step up and lead.

“We were one of the very first retailers in the country to adopt point-to-point encryption and tokenization of all credit card information,” said Stone. “If you break into L Brands now, you're looking for credit cards, you ain't going to find them. They don't exist. They don't exist inside our network,” he explained.

Still, with everything that retailers have to lose due to a cyberattack, and the hesitation to innovate, it’s no wonder corporate boards are getting involved. Do boards know the right way to approach cybersecurity?

“Boards can wind up reading superficial articles and asking questions like ‘Do we have two-factor authentication enabled?’” Nicholas Percoco, CISO at Uptake, told Connected Futures last year (see How to Build a Strategic Security Foundation). “But that’s not a board-level question that helps you drive strategic decision-making,” he said.

CEOs, boards of directors, and certainly CIOs know by now that they have to up their security game.

“Security has to be pervasive. Security is not just a CSO responsibility, it’s everyone’s responsibility,” emphasized Guillermo Diaz Jr., Senior Vice President and CIO, Cisco.

Retail companies in particular provide a broad attack surface.

This is due to the many physical access points and large mix of services across increasingly complicated devices. With the emergence of in-store mobile apps, omnichannel and mobile payment solutions, it’s no wonder retailers are popular targets.

“Retailers are pretty reticent to open up end points that are on the network, without understanding better how they are going to secure them,” Stone said. “When we work at beacons and sensors in our stores, one of our big concerns is making sure we could find a way to secure the end point.”

One way Stone addressed that challenge was by building security into the store server instead of focusing too much on the end point itself.

To help drive strategy, innovative retailers understand that risk management is a vital customer experience and revenue opportunity, and look for new ways to turn cybersecurity preparedness into a competitive advantage. To accomplish this in the face of today’s many security challenges, digital capabilities need to:

  • Protect cardholder, company, and partner data
  • Protect brand and reputation
  • Mitigate theft and fraud
  • Secure physical and digital assets
  • Simplify regulatory and process compliance

The common perception is that security is an enormously complex problem to solve. To combat this challenge, retailers need to simplify security deployment by providing a manageable, modular methodology, mapping each threat to the retail branch with corresponding security capabilities, architectures, and designs. Reducing the amount of vulnerable data stored, as in Stone’s example, is an important step.

And given the rapid evolution of attack methods, a retailer’s security posture has to include better visibility into the IT environment and practiced plans for responding quickly to a breach.

A current obstacle to achieving this vision is the lack of available IT security talent.

According to a recent Cisco study on IT Talent, 70 percent of the 600 IT and business decision makers surveyed said that the most important technology skills or expertise to have within IT is security/cybersecurity.

But that percentage is even higher for retailers. Although it’s a small sample, 76 percent of the 46 retailers Cisco surveyed said security/cybersecurity was the most important skill.

While those are very important skills for IT to have, some organizations may wonder how they are going to get those skills. Of the 46 retailers in Cisco’s IT Talent study, 89 percent say they are going to train their staff, while 11 percent are going to hire. That is a high reliance on training compared to the entire sample, in which 78 percent were going to train and 22 percent were going to hire.

But again, creating the right vision and finding or training the right people to execute it offers a great payoff for retailers. As Stone summed it up, “If I can make it difficult to get in my place, maybe they go to the next retailer and ignore me for a while.”