Just 29% of retail employees can identify best practices in preventing common cyber and data privacy incidents, according to the 2017 Privacy & Security Awareness in Retail Report from MediaPro, which provides security awareness training for retailers and other businesses.
The report, based on a survey of 850 retail employees, tested employee knowledge across eight risk areas, including identifying phishing attempts, safe social media use and incident reporting. Based on respondents’ answers, MediaPro assigned them a risk profile of “Risk,” “Novice” or “Hero,” indicating the survey-taker’s privacy and security awareness IQ. Retail employees scored poorly in many key risk areas, with scores not much better than a typical letter grade C in school, while employees in several other industries were graded in the A range.
“Simply being PCI compliant is no longer enough for retail companies amid the countless cyber risks they face,” MediaPro Managing Director Steve Conrad said in a press release emailed to Retail Dive. “The research presented here and done by others in the industry demonstrates that retail employees need to know more than PCI best practices to keep sensitive customer data safe.”
Yes, these observations about how poorly trained retail employees are to handle common security and data privacy threats and incidents come from a company that would be more than happy to train retail employees how to better handle common security and data privacy threats and incidents. However, many other reports (which MediaPro cites in its report) have identified how big the security threat to retail is becoming, and some sources have suggested that adhering to PCI security standards doesn't necessarily turn your enterprise into Fort Knox.
One of the reports MediaPro quotes is from the Anti-Phishing Working Group, which has said that retail is the most-attacked industry sector. Another report from the Ponemon Institute said retailers face eight cyberattacks per year on average. The problem is real, and that can't be pointed out often enough.
Fortunately, retailers and payment companies are fighting back, trying to protect themselves and their customers by investing in an array of technologies such as EMV, anti-fraud systems (some of which use artificial intelligence) and, more recently, biometrics.
However, at a fundamental level, retail is a people business, and security investments must be made at that level, too. Hard-working, helpful and positive-thinking retail employees still can provide better, more personal customer experiences than an e-commerce site sometimes can — if they put their minds to it. By the same token, if employees are not properly trained and aware of how to handle security and privacy incidents, their lack of understanding could lead to huge revenue leakage.