Oct 05, 2016

More than half of retailers fail to invest in information security

Transparency vital in restoring customer confidence after retail cyber-breaches

This summer, Home Depot announced it is suing two credit card companies in federal court over payment-security measures it says are prone to fraud. In August, outdoor clothing store Eddie Bauer reported that its in-store cash registers had been hit by malware, following attacks on other large retailers.

As cyber-security incidents in the retail sector continue to create unease, customers are justifiably concerned about their privacy.

‘There has been a steady pace of cyber-security incidents in retail,’ confirms Tony Buffomante, US leader for KPMG’s cyber division. ‘The large volume of credit card information in retail is a factor in why retail is lagging when it comes to cyber-security. IT budgets in retail are smaller than other industries and cyber-attackers know this.’ In fact, in a recent KPMG survey, 55 percent of retailers report that they have not invested capital in information security over the past 12 months.

A recent survey by KPMG finds that more than 52 percent of consumers surveyed are not comfortable with shopper personalization and do not want personal shopping habits and data collected by retailers. The 2016 Consumer Loss Barometer Report is based on interviews with consumers and chief information officers, chief information security officers (CISOs), chief technology officers and chief security officers in five industries: financial, technology, mobile, automotive and retail.

The survey finds that 81 percent of executives admit their company was compromised by cyber-attacks over the past 24 months. Given these statistics, retailers must work hard to regain customer confidence and let them know they are doing all they can to protect sensitive data.

The most important thing retailers can do to assuage shopper concerns is to make transparency a regular practice, says Buffomante. Retailers need to let customers know what information is gathered and how it is used, and give them the option to opt out. And if a breach occurs, retailers should let their customers know about it. If companies communicate with customers when a cyber-security problem occurs, the customers will come back.

The survey reports that 20 percent of retail customers say they would cancel their accounts at big-box stores if they were victims of a cyber-attack. ‘If customers are told [by a store] that there has been a cyber-security breach, 80 percent of them will shop [at the store] again,’ Buffomante says. ‘But half of that 80 percent will wait three months to come back, so businesses lose customers in the meantime.’

Organizations should follow three steps in dealing with cyber-security concerns: understand the risk, detect breaches, and put processes in place to respond to them. ‘We advocate that retail executives understand the special risks to their business as well,’ Buffomante adds.

Governance professionals need to recognize and work to mitigate cyber-attack threats. ‘Make cyber-security a business issue, not just an IT issue, and remember that compliance is not security. Security is much broader,’ Buffomante says.

Cyber-security should be a standing agenda item for boards. If the board has no members who are knowledgeable about IT and cyber issues, it can hire an independent adviser to educate board members about cyber-security and to review the CISO’s presentations to the board.