Why retailers' cybersecurity vulnerabilities could hurt holiday sales
Merchants keep falling prey to cybercrime, but retail executives keep diverting attention and funding elsewhere. The problem is it could cost them customers — in some cases, forever.
Vera Bradley is just the latest retailer to fall victim to cybercrime.
The women's accessories retailer revealed earlier this month that payments systems at its brick-and-mortar stores were hacked, and that customer payment cards used at those locations this summer may have been compromised. Vera Bradley admitted it doesn't know how many cards have been affected, and continues to work with an unnamed computer security firm to determine precisely what happened and how far the breach's impact reaches.
Vera Bradley joins the ignominious ranks of Target, Home Depot, Eddie Bauer and other retailers stung by cyber thieves. Chances are Vera Bradley isn’t the last in line to fall prey, either: Retailers experience the most cyber attacks of any industry sector — three times as many as the previous top target, the financial industry — according to information and communications technology firm NTT Group's 2016 Global Threat Intelligence Report.
The repercussions can be catastrophic. According to professional services firm KPMG’s 2016 Consumer Loss Barometer, 19% of U.S. consumers said they would stop shopping at a retailer that had fallen victim to a cybersecurity hack, even if the company took the necessary steps to remedy the issue. Another 33% said concerns over additional exposure of personal information would prevent them from shopping at a breached merchant for at least three months.
Asked by KPMG which factors would keep them from revisiting a breached retailer or make them delay a return, consumers most commonly cited the absence of a decisive plan to prevent subsequent attacks. Yet a shockingly small number of retail senior executives surveyed by KPMG are making cybersecurity a priority: 55% admitted they haven’t invested any capital funds in cybersecurity protection over the past 12 months.
“Despite the focus that’s been on [cybersecurity] post-Target and others, only 58% of retailers said that there’s a leader in the organization whose sole responsibility is information security,” KPMG’s Principal and Retail Cyber Security Leader Tony Buffomante told Retail Dive. “That to me is a staggeringly low number given the exposure that’s been on this issue for quite some time.”
KPMG has spent years advising executives across industry verticals on cybersecurity risks and safeguards.
“The big Target breach really shined a light on cyber in the boardroom and in the retail sector, in particular,” Buffomante said. “There was a lot of momentum from our clients — not only in the U.S., but globally — to put some emphasis on the cyber experience. So we saw a major uptick in board education and executive education, we saw an uptick in what we call maturity assessments of programs, and we certainly saw a lot of gaps in programs to meet the evolving threat that’s out there today in the retail industry.”
But many retailers have advanced their cybersecurity efforts only so far, upgrading and fortifying their IT systems to meet payment card industry (PCI) security standards but rarely stretching beyond those minimums.
“The drumbeat you continue to hear in the boardroom — we’ve termed this ‘cyber-fatigue’ — is the directors of these organizations saying, ‘We’ve been talking about this every quarter. Aren’t we done yet?’” Buffomante said. “What’s been a challenge for retailers in particular is that they’re trying to prioritize their spending and growth aspirations with proving the value of those efforts. ‘How can I really prove the return on investment? Is my risk posture really lowering?’ Therefore, after some of these assessments are completed, they’re seen as a bit of a one-time exercise. That doesn’t necessarily drive long-term cultural or organizational change around an information security or cybersecurity program.”
The NTT Global Threat Intelligence Report underlines the issues plaguing retailers who fail to buffer their systems with strong executive leadership and constant vigilance. Researchers found that many business vulnerabilities were sitting on corporate IT systems for years, just waiting to be exploited: Nearly 21% of vulnerabilities identified by NTT were more than three years old, more than 12% were over five years old, over 5% were more than a decade old, and some dated back as far as 16 years.
“We need recognition from retailers that security is more than compliance, and that PCI isn’t the be-all, end-all of being quote-unquote ‘secure,’” Buffomante said. “We need recognition that this is about broader risk management, and it really does have an impact on the bottom line. It’s not just a compliance exercise that we need to go through.”
Matters of privacy
Corporate indifference is just one part of the problem. Consumers aren’t exactly storming retailers with pitchforks and torches to demand change, either. Don’t forget that while 19% of U.S. shoppers said they would boycott a retailer after a cybersecurity hack, the remaining 81% expressed no such reservations, even if a third would be cautious about returning right away.
“Consumers over the last several years are getting a little more comfortable in the fact that ‘[A security breach] is going to be a pain for me, I need to get my credit cards changed and do some other things, but I’m not going to be liable for these expenses. They’ll take care of me.’ They see it as a fact of life,” Buffomante said. “However, what’s more interesting to me is that less than half said they’d immediately come back. In a world where [retailers] are scrambling for month-over-month comp store sales and the margins are so tight, for consumers to say they’re not going to come back in three months or six months, particularly around the holiday shopping season where we’re making 80% of our revenue, is a huge, huge consideration that goes beyond the 81% who’ll shop with you again, particularly in a business as cyclical as retail.”
For that matter, consumers are also concerned about how their personal data is collected, stored and used: 52% of shoppers surveyed by KPMG say they are uncomfortable with shopper personalization tactics, stating they would prefer that retailers not track their individual shopping habits and information.
Buffomante maintains that retailers must more clearly articulate their information collection and security policies and procedures, whether through customer service applications or other channels.
“We need increased transparency between the retailer and the consumer around what is really important,” he said. “[Retailers] also need some communication back the other way, whether through customer service or other avenues, to provide management and executives some additional data points to say, ‘Our customers are dialoguing with us through our website, through our customer service apps, etc., and telling us, “This is what’s really important from a privacy perspective.”’ For example, notifications on how I use my data. Enhanced dialogue around this issue and how important it is would be key to draw a line in the sand.”
And if retailer boards and executives still need additional reasons to rethink and revamp their security practices, consider this: Dutch security researcher Willem De Groot recently stated that almost 6,000 online shopping sites have been hacked since he began tracking incidents last year, with hackers leveraging malicious software to access customer payment details. In a blog post, De Groot — co-founder and head of security at Dutch e-commerce site byte.nl — said that multiple culprits likely were able to skim credit cards used at web storefronts run by retailers, consumer brands, automakers, government entities and other parties. De Groot suggested that online shoppers only enter their payment card details through third-party providers like PayPal with dedicated security teams, as opposed to individual sites that may not have staff specialists on the lookout for hacks or bad code.
The bad press and damning statistics aren’t going away until retailers make some changes — changes that must begin at the top.
“We’re not saying by any stretch that retailers should stop all growth and put all their funding into cybersecurity and so on,” Buffomante said. “But we are saying you need to take a look and recognize the risks to your business — financial, operational and reputational — and embed cyber risk into your broader enterprise risk management program, and make some key decisions based on that that take all of this into consideration. When we have those smarter conversations at the management level and at the board level, that changes the game.”
This story is part of our ongoing coverage of the 2016 holiday shopping season. You can browse our holiday page for more stories.
Follow Jason Ankeny on Twitter