In recent years, the retail industry has become a primary target for hackers. According to research, retail executives are experiencing 32 security breaches a year (slightly more than the global average), and this is likely to have gone up post-pandemic. Brand damage after a security breach can be devastating. Protecting the brand from cyber threats as well as supporting investments to transform the business is an immense challenge, putting acute pressure on Chief Information Security Officers (CISOs).
Research also shows that 82% of retail executives are, on average, confident about their cybersecurity capabilities; yet out of 33 cybersecurity capabilities, retail is high performing in only 19. There seem to be some gaps in what retailers know they should be doing about security and what they are doing. We’ve compiled a list of what we consider the top 5 security challenges for retailers and offered some advice on how to tackle them:
1. Securing the shopping experience
Retailers are striving to build an increased understanding of customer preferences and behaviours so that they can deliver up-to-date product, pricing, order and inventory information across channels. They want to deliver the same customer experience in real time, regardless of location or touchpoint. To do this, several security challenges need to be addressed.
Legacy applications are usually insecure, expensive to operate, and hard to upgrade (take POS and payment systems in stores as an example). Interfacing with customers through multiple channels means your applications need to be integrated securely, which requires an effective Secure Software Development Life Cycle (S-SDLC). Your customer data needs to be protected and governed in accordance with applicable global and local regulatory requirements. Cloud security is also critical here, as there will be significant convergence with, and enablement by, cloud technology and services. All of this should be managed by strong governance programs that integrate multiple lines of business, security, IT and, very importantly, third parties. A secure “systems acquisition process” will help establish a new way of working and accommodate any changes that come up.
2. Robust security must underpin new ways of working
One of the big focus areas for retailers is empowering their employees (in store, remote, back office, at distribution centers, at headquarters) to enable new ways of working. This includes things like task management tools, scheduling and training, as well as secure communication channels no matter where the employee is located. A workforce that is distributed across both people and locations increases the need to integrate applications and assets that are not owned by the company.
This will require robust security on all fronts so that the distributed workforce is secure. It means monitoring for malicious activity across devices, locations and cloud services, with quick identification and response, especially given the high staff turnover in the retail business. Enabling these new ways of working also opens up other security concerns, including the management of personal and sensitive data such as payroll and health information.
To address these issues and to make headway on their Zero Trust journey, retailers need to ensure that they have strong Identity and Access management solutions in place that will complement their IoT and Operational Technology (OT) manufacturing and supply chain processes. Building security into future planning, accounting for the next-gen employee, and addressing the risks of emerging technology and your partners is essential. A good program addresses these areas with strong monitoring, response and threat detection capabilities, and pays special attention to cloud security programs.
3. Securing the supply chain
As retailers secure the shopping experience, they also need to secure the supply chain. Retailers can build out a flexible and resilient supply chain by creating a centralized system to gather and assess real-time information. But this can mean you are introducing risk through connectivity and data sharing with organizations whose security you don’t manage directly (suppliers, 3PLs, last-mile delivery companies, etc.).
One way to reduce the risk is to put in place a strong third-party risk and governance program that addresses security and compliance. The technical aspects of these programs should limit access to data, further enhanced with strong access controls. The use of good identity management and Zero Trust models provides increasing benefits and builds toward a secure future state. This is in addition to the baseline security controls and processes that should already be in place.
4. Strong response and resilience
Good monitoring means fast detection, but the ability to respond to events is where proactivity meets protection. During a response, limiting impact and executing recovery are the most important things. Retailers should have comprehensive incident response plans covering likely scenarios, and these should be tested regularly with all parties, not just the IR and SOC teams. Retainers are necessary if you do not house your own IR staff (and don’t underestimate the skills required): trying to contract during a breach is not ideal, and without a retainer you may not be able to begin recovery for weeks.
The cost of having a robust incident response plan (IRP), with strong security operations, business continuity, disaster recovery and incident response capabilities packaged together, is lower than the cost of paying a ransom, losing operations or damaging your reputation. Build strong, test often and continuously improve.
5. Plugging the security skills gap in your organization
Like many other sectors, retailers are suffering from a lack of in-house security skills. According to Forrester, 79% of retail and consumer product companies from the Fortune 500 have a dedicated CISO with a public presence. But the study also shows that CISOs seek external opportunities rather than waiting in line to be promoted, resulting in a talent drain.
To address the skills gap, look at helpdesk and support staff – people who already have a technology background – as potential security staff. Give your internal employees a career path and give yourself a way to build out your security capability. Hire entry-level security staff and train them; invest in protecting your business and the industry. In cybersecurity it is often critical to look at the ability to do the work rather than prior experience with it. Education and experience can be important, but the #1 factor is the ability to do the job. Antiquated hiring practices will leave retailers missing out on great security staff. This also means re-evaluating your roles and job descriptions to ensure you are asking for the right requirements for the right roles and not creating “unicorn” positions. If you are unsure, engage with a third party (like Avanade) to help evaluate your staffing model and security operations.
It’s hard to overstate the seriousness of security for retailers. It seems like every week there’s a new story about millions or billions of customer records being hacked and exploited. It is a clear and present danger and it’s essential to stay current.