{"id":15287,"date":"2025-05-18T05:36:49","date_gmt":"2025-05-18T05:36:49","guid":{"rendered":"https:\/\/dmsretail.com\/RetailNews\/retail-risk-is-serious-business-and-its-time-we-acted-like-it\/"},"modified":"2025-05-18T05:36:49","modified_gmt":"2025-05-18T05:36:49","slug":"retail-risk-is-serious-business-and-its-time-we-acted-like-it","status":"publish","type":"post","link":"https:\/\/dmsretail.com\/RetailNews\/retail-risk-is-serious-business-and-its-time-we-acted-like-it\/","title":{"rendered":"Retail Risk is Serious Business \u2013 and it\u2019s Time we Acted Like it"},"content":{"rendered":"<div>\n<p>From a risk and compliance perspective, defense, finance, tech, and healthcare are generally thought of as the \u201criskiest\u201d industries \u2014 but the retail sector is more vulnerable than it might appear. Organized retail crime (ORC), fraud rings, evolving regulations and other challenges all have the potential to cause significant disruption in the retail sector, and most retailers have invested considerable time and resources to mitigate them. Unfortunately, today\u2019s retailers need to recognize that the industry has become a prime target not just for regular criminals but for cybercriminals, too.<\/p>\n<p>Retailers don\u2019t always take cybersecurity risk as seriously as they take other forms of risk. 
Business leaders don\u2019t always want to approve the budget needed for another cybersecurity solution they don\u2019t really understand, and they may not want to implement new security procedures that create unnecessary friction or don\u2019t help sell widgets.<\/p>\n<p>That\u2019s a mistake \u2014 one that risks leaving the retail industry perilously exposed. But no store would tolerate that level of exposure with its credit card readers \u2014 or worse, with its food safety protocols. The reality is that cyber risk is just as serious as financial risk, food safety risk and other dangers \u2014 and it\u2019s time we started acting like it.<\/p>\n<h3 class=\"wp-block-heading\"><strong>How Retailers Address Standard Risks<\/strong><\/h3>\n<p>Consider the most common risks retailers face. Naturally, shoplifting is the first thing that comes to mind \u2014 retail theft is common enough that most stores build an expected level of loss into their bottom line in the form of shrink. It isn\u2019t realistic for stores to catch every shoplifter, but they can (and do) take steps to significantly reduce the ability of ORC groups to operate at scale. Retailers invest heavily in loss prevention personnel, surveillance devices, electronic sensors and other security measures designed to make stealing as difficult as possible \u2014 and they mostly succeed. The National Retail Federation notes that while retail crime is still an issue, progress is being made \u2014 and retailers have been working aggressively to address the problem.\u00a0<\/p>\n<p>Card skimmers are another common way for criminals to target retailers, and they are regularly found at gas pumps, self-checkout stations, ATMs and other point-of-sale terminals. 
The FBI estimates that skimming costs consumers and financial institutions more than $1 billion every year \u2014 and while that money may not come directly out of the retailers\u2019 pocket, the blowback can be significant.<\/p>\n<p>Retailers that fail to regularly check their POS terminals for evidence of card skimmers and remediate the issue immediately may find their card processing fees raised and angry regulators knocking on their door \u2014 not to mention the reputational damage they will suffer. Retailers have standard procedures in place to check for evidence of card skimmers, and an employee who fails to notice (for example) a broken seal on a compromised gas pump can face severe consequences.\u00a0<\/p>\n<p>Mitigating those risks is important \u2014 but food safety might be the most important of all. There are very stiff penalties associated with poor food safety compliance, and retailers that sell consumables are extremely diligent about checking expiration dates, monitoring for recalls and adhering to industry best practices.<\/p>\n<p>When Boar\u2019s Head recalled a wide range of deli meats amid a listeria outbreak last year, retailers didn\u2019t just remove the meat from stores \u2014 they closed entire locations for cleaning, ensuring no surface that may have come into contact with the offending products was contaminated (how\u2019s that for product shrink?). When it comes to risks involving product theft, financial losses or food safety, retailers are almost always on the ball \u2014 so why is cyber risk treated differently?<\/p>\n<h3 class=\"wp-block-heading\"><strong>The Impact of Cyber Risk \u2013 and How to Address it<\/strong><\/h3>\n<p>Part of the problem is that retailers don\u2019t face the same B2B pressures that other businesses do \u2014 they sell directly to customers, who are much less likely to ask for a clean SOC 2 report or ISO 27001 certification. 
But that doesn\u2019t necessarily make those compliance frameworks less important \u2014 both provide helpful guidance for securing data in the cloud, where retailers are almost certainly storing valuable customer information.<\/p>\n<p>Similarly, retailers and other B2C businesses may feel less urgency around breach notification, but recent updates to SEC guidelines on cyber risk management mean breaches now need to be disclosed in a timely manner. Retailers that lack the tools to engage in reporting and documentation increasingly risk running afoul of regulators.<\/p>\n<p>Retailers \u2014 like nearly all modern businesses \u2014 gather a significant amount of data. That data is valuable: it helps businesses learn more about their customers and improve the quality of their offerings. But it also represents a high-value target for cybercriminals looking for personal information, payment data or credentials they can leverage to compromise other, more valuable accounts (unless you use a password manager, there\u2019s a pretty good chance you didn\u2019t bother thinking of a unique password for the rewards program at your local grocery store).<\/p>\n<p>Even on its own, customer data can reveal quite a bit. There\u2019s a reason targeted advertisements are as effective as they are, and it makes that data extremely interesting to cybercriminals interested in identity theft and other malicious activities.<\/p>\n<p>The risks at play are not theoretical \u2014 they are quantifiable. Card skimmers may cause $1 billion a year in losses, but cybercrime causes more than a dozen times that number. 
Retail is the fourth-most targeted industry, trailing only finance, professional services and technology, and the average cost of a data breach in the retail industry is now $3.48 million \u2014 a jump of more than half a million dollars from the previous year.<\/p>\n<p>Today\u2019s attackers see retailers as an attractive target, one that may be easier to crack than healthcare providers or financial institutions with more protections in place. If retailers aren\u2019t investing in security solutions and don\u2019t see the value in adhering to compliance frameworks, make no mistake \u2014 attackers will smell blood in the water.<\/p>\n<p>So what should retailers do about it? If recognizing the value of risk management is the first step, the second step is implementing solutions that allow retailers to understand how certain risks impact their digital environments. That means having a centralized way to view security risks, compliance risks and other factors that can impact the organization\u2019s overall risk profile. By improving visibility into how those risks can potentially affect the organization, it becomes easier to quantify the impact of different decisions\u2014and that can help security, IT and risk management teams speak the language of business.<\/p>\n<p>By approaching business leaders with hard numbers about the financial impact, regulatory implications and other factors when seeking to implement a new security solution, adhere to a new compliance framework or establish a new risk management process, security teams can help demonstrate their value to the business\u2019 bottom line.<\/p>\n<h3 class=\"wp-block-heading\"><strong>It\u2019s Time to Treat Cyber Risk Like Food Safety Risk<\/strong><\/h3>\n<p>No retailer would ignore the threat of credit card skimmers or food safety risks \u2014 but many fail to treat security and compliance risks with the same level of import. 
Unfortunately, poor risk management practices can be just as damaging as ORC, fraud rings or food safety violations \u2014 if not more so.<\/p>\n<p>Cybercriminals increasingly recognize that retailers don\u2019t protect their digital environments with the same level of care as financial institutions, healthcare organizations and other traditional targets \u2014 despite having mountains of data that are every bit as valuable. With the financial impact of security incidents becoming more severe with each passing year, the time for retailers to act is now.<\/p>\n<p>Strong risk management isn\u2019t optional for retailers anymore \u2014 in today\u2019s threat environment, it\u2019s important to know where your vulnerabilities lie in order to make truly risk-informed business decisions. By managing risk and compliance in a holistic manner, retailers can safeguard their digital environments and avoid becoming easy prey for attackers seeking a quick score.\u00a0<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n<p><em>Nick Kathmann is <\/em><em>LogicGate<\/em><em>\u2019s Chief Information Security Officer (CISO). With more than 20 years of IT experience, he has spent the past 18+ years helping enterprises of all sizes strengthen their cybersecurity postures. He has built and led several teams delivering cybersecurity solutions for complex, business-critical environments ranging from SMB to Fortune 100 companies, based on-premises in traditional data centers and in the cloud. He is also experienced across a variety of specific sectors, including healthcare and financial services. 
Prior to his current role, Kathmann served as director of cybersecurity at Dell Technologies, overseeing the internal cybersecurity program, among other responsibilities.<\/em><\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>From a risk and compliance perspective, defense, finance, tech, and healthcare are generally thought of as the \u201criskiest\u201d industries \u2014 but the retail sector is 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":15288,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":["post-15287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-podcasts"],"_links":{"self":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/15287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/comments?post=15287"}],"version-history":[{"count":0,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/15287\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media\/15288"}],"wp:attachment":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media?parent=15287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/categories?post=15287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/tags?post=15287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}