Protect Your Retail Business from Cyber Crime

While in-store computer systems and consumer-facing websites are a boon for retailers and their customers, the data they collect and maintain — credit card numbers, personal addresses, and other types of sensitive information — makes them a target for cyber crime.

With this ever-more sophisticated and increasing cyber risk, come obligations —to your customers’ privacy and to keep up with a multitude of global and local regulations governing those obligations.

Despite the best intentions of a retail entity, cyber breaches can happen. Here’s a primer on cyber crime — and some tips on how retailers can mitigate that risk.

Retail Data Security Dangers in Brief

To cybercriminals, data is profit. Hackers use vulnerabilities to gain access to a system, using methods and software that are ever changing and ever more sophisticated. Here are a few terms that retailers should know:
 

1. Phishing —  One of the simplest and most common cyber crimes, this relies on an employee clicking into a phony email. This then releases malicious software (malware) and allows bad actors to access the company’s systems.
   
   
2. Denial of service (DDoS) attack — Also employing the use of malware, these attacks overload and shut down a retailer’s website to enable access to the system and its data.
   
   
3. Ransomware — Software released into the system to shut it down and take it “hostage.” The cyber criminal then demands ransom (generally in untraceable crypto currency) in exchange for providing a key to “release” the system.

What all of these have in common is that they disrupt business and can cost retailers hundreds of thousands of dollars in lost revenues, legal expenses, fines, and reparation costs. Reparations usually necessitate not only technical and financial experts, but also public relations professionals, because of the potential damage to customer trust and brand loyalty. In all, the resourcing and the expense can be enough to seriously cripple or even shut down a retail business.

Cyber Security Risk Management Advice for Retailers

Of course, the best defence against cybercrime is to be on the offence. Here are some tips to protect against this ever more present and growing threat:
 

1. Diligently manage your data
   Create a data map and a data retention policy that allow employees to understand what data your organisation collects and maintains, how long it should be kept, etc. This is crucial information for risk assessment and, in the event of a breach, a critical part of a cyber response plan.
   
   
2. Secure your network
   You have an obligation to take defensive measures to protect your retail systems and your customers’ personal and financial information. Data security measures include:  installing two-factor authentication for employees and customers; using chip-enabled card technology; and employing end-to-end encryption.
   
   
3. Understand the regulatory landscapes
   A retailer’s regulatory burden can be complex and varies greatly depending on the products, the physical locations of the business, and where its customers are located. Globally, the regulations are changing as quickly as the cyber threats. Understanding the specific laws and regulations to which your operation is subject is critical to ensuring compliance and avoiding sanctions or fines.
   
   
4. Choose your vendor partners carefully
   Outsourcing part of your operation may not outsource your liability. If your vendors are exposed, you may be exposed and ultimately liable for any loss, so it is important to choose partners who demonstrate strong cyber vigilance and who invest in a comprehensive cyber insurance policy.
   
   
5. Educate your employees
   The majority of retail cyber breaches originate internally. Poor employee cyber hygiene — like repeating passwords, email laxity, and failure to use a secure internet — is a proven cause. Written and enforced cyber security policies and regular staff training can greatly lower this risk.
   
   
6. Have a cyber response plan and team in place
   When the worst happens, knowing what and who your resources are can mean the difference between quick and efficient response time, and excessive business days and profits lost. The response team may be both internal and external — I.T. staff, risk manager, cyber response consultant, forensic accountant, insurer, crisis P.R. team, etc.
   
   
7. Invest in cyber insurance with an expert partner
   A global insurance company with both retail and cyber expertise can help assess and manage your risk, customise a policy aligned with your business, understand local regulations, provide resources to train your employees, connect you to cyber response and reparation professionals — and, of course, mitigate any business losses or expenses.