Are retailers ready for the next wave of cyber scams?
Knowledge@Wharton staff
Presented here for discussion is a summary of a current article published with permission from Knowledge@Wharton, the online research and business analysis journal of the Wharton School of the University of Pennsylvania.
Following the major cybersecurity breaches from Target, Home Depot, Neiman Marcus, Michael’s Stores and others that made headlines a few years ago, retailers have learned from the weaknesses that were exposed in their systems. But a large number and variety of scams are happening all the time.
“It’s almost like a game of Whack-a-Mole,” said Robert Meyer, Wharton marketing professor and co-director of Wharton’s Risk Management and Decision Processes Center.
The retail space has been particularly attractive to hackers because it’s a low-risk, high-reward crime. David Lawrence, founder of Risk Assistance Network and Exchange (RANE), states, “Attacks can be launched easily, cheaply, remotely, and the risk of prosecution is extremely low. Stolen consumer data is highly valuable and marketable in the commission of identity theft and financial fraud.”
Moreover, the data collected at all stages of the shopping process — from browsing and buying online, opting into mobile ads at a store, posting store check-ins and reviews on social media to paying with a credit card or mobile wallet — is becoming more valuable. Says Denise Dahlhoff, research director at Wharton’s Baker Retailing Center, “More technology and data have many benefits for consumers and retailers, but they also increase the risk of security breaches.”
While steps may have been taken to shore up protections around internal data infrastucture and POS systems, the need to provide third-party vendors with access to store sensitive information opens up retailers to hacks. With little training on phishing scams, malware and viruses, employees at the store level accessing company systems through their own personal devices or surfing the internet on company computers also underscores the vulnerabilities in a retailer’s network.
“Technology is embedded in every company,” says Christopher Yoo, professor of law, communication, and computer and information science at the University of Pennsylvania Law School, and founding director of the Center for Technology, Innovation, and Competition. “Retailers have to reeducate themselves and incorporate a technical strategy, and this requires the attention of the c-suite.”
Discussion Questions
DISCUSSION QUESTIONS: How is the increasingly digital nature of retailing heightening risks of security breaches for stores? What types of investments do you think are necessary to shore up risks?
Poll
BrainTrust
Max Goldberg
President, Max Goldberg & Associates
Ralph Jacobson
Global Retail & CPG Sales Strategist, IBM
Where there is financial data hackers will follow. Every new security system is a challenge to hackers. Retailers need to make cybersecurity a priority, from sales associates to the CEO. Unfortunately, this means higher expenditures at a time when retailers are trying to drive costs out of their systems. But it’s a price that must be paid. A data breach will cost far more than the expense of effective, ongoing security measures.
This is a Whack-a-Mole scenario that no retailer can ever fully be insulated from. There are two primary things retailers need to do and they are not technological in nature, rather procedural:
After that, it’s the obvious importance of having a cybersecurity team that is continually improving and iterating.
Military history provides great examples of “fighting the last war” where once successful strategies and tactics that worked well are no longer effective nor relevant in today’s realities. France’s Maginot Line is such an example.
In today’s digital world, data is the lifeblood of business and with every additional petabyte, exabyte, and zettabyte we are exponentially increasing cyber risks for consumers and retailers. As an industry, there needs to be a much more anticipatory approach to fighting the true hurdle to building brand trust in a sea of technological advances.
Retailers need to harden their store systems similarly to how bank branches have done it for a long time. The issue is that culturally the cost of IT per branch is much lower in retail and the philosophy of security is not as ingrained. Combined with the fact that most retailers have survived breaches (executives have lost their jobs, I can’t think of a retailer that has gone under due to liabilities from data breach), it will continue to be a game of Whack-a-Mole.
This is so very frustrating. Each holiday season we have a new round of retail cyberattacks, followed by hand-wringing about how retailers need to do a better job of protecting key data assets. And we’re about to enter another cycle.
Until boards of directors decide to fund true data protection efforts, we’re doomed to watch this happen over and over.
I cannot think of many aspects of running a retail business these days that are more critical to the success of it than security. New risks will continue to arise as other threats are mitigated. Technologies available today are extremely effective at securing retail businesses, especially since the past six months or so. Advances via cognitive capabilities can actually think and learn as more data is ingested. I believe retailers of all sizes and types can afford to take steps to secure their businesses better than ever.
The best retailers succeed because they are good at selling things, not because they’re good at security, or finance, or real-estate development, etc., so they will always need to go outside their area of expertise to handle these functions. And, of course, it is difficult to plan or hire well when “you don’t know what you don’t know.” What a business — retail or not — MUST do, though, is retain a permanent commitment to security … anyone expecting a “problem solved” moment has already lost the battle.
I see WordPress shopping carts being particularly at risk with so many data driven widgets and database infrastructure. Installing plug-ins helps, but there is no plug-in sophisticated enough to protect you from every cyberattack. They will prevent many plausible intrusions.