As technology continues to reshape retail, security threats come hand-in-hand.
With retailers rolling out new payment processes, digital experiences for customers, and other modern enhancements to the retail—the need to ensure consumer privacy and protect sensitive business information becomes even more critical.
Data breaches happen on a seemingly regular basis and consumers are rightly concerned about securing their personal details in retail transactions. Retailers want to be seen as worthy of customers’ trust and reliable when it comes to delivering secure transactions for them.
Merchant service providers and other third parties are looking to assist retailers in achieving security in their customer transactions and overall business processes. There’s a lot at stake for each party.
So we asked a few experts to share their thoughts on the security landscape in retail technology at the moment. Here are the insights that they shared with us:
For Chelsea Brown, CEO & Founder of Digital Mom Talk (and a certified cybersecurity consultant), working in the retail industry means “paying very close attention to securing our customers’ data.” Brown noted that while there’s a lot her team can do to control employee access to customer information and even purge data from data harvesting and selling sites, working with third-party providers can present significant issues.
“For many companies like mine our biggest concern is the third party services and software we use being a data breach point for our businesses,” Brown noted. Her team suffered some minor data breaches through third-party software already this year. While the issue was quickly handled, Brown noted that many companies don’t even look into breaches and don’t always find ways to effectively secure their data.
Brown also noted that employee education is critical to preventing and dealing with security threats in retail tech. “If our employees hadn't been educated in these practices it could have cost us a breach that may have compromised our customer files,” Brown shared regarding the third-party data breach at her company. If employees aren’t equipped with the know-how and tools to
According to Brown, there are solutions out there, including more secure software, paper backups, and encryption protocols.”We're not just keeping back-ups of our sensitive information in the cloud anymore. We're keeping them under lock and key in good old paper; that's harder to get to. Even more, we're making sure that our system is encrypting transactions on top of the exceptions our third-party software are using.”
Such measures are imperative for retailers operating virtually 100% online, advised Brown. At the same time, brick and mortar retailers can benefit from more secure practices as well. For stores that accept payments through third-party services such as Stripe, PayPal, and Apple Pay, finding ways to work with those services to protect against phishing scams and spam that access email addresses linked to those accounts that can cause chain reaction data breaches is extremely important.
For an ecommerce retail expert like Bob Buffone, CTO at YOTTAA, it’s all about combating threats to retail websites.
Online companies are bombarded with all manner of security threats such as “Bots, DDoS, and other security attacks that increase cart abandonment, negatively impact shopper experience, and decrease conversions,” according to Buffone.
Much of the challenge for retailers comes from striving to have full visibility and control over the traffic coming to their sites. Buffone mentions that comprehensive security controls should be in place to defend against potential attacks.
Where are those attacks coming from? Buffone shared that “Today bad bots make up 30% of the traffic on a retailer’s site.” That’s a pretty remarkable figure as those bots can range from seemingly beneficial search engine spiders to more questionable bots from competitors or comparison engines to malicious bots such as denial of service attacks.
Regardless of the intent of the bot, the impact is that “bots represent a large volume of requests that can draw resources away from legitimate visitors and slow or even block the website experience,” according to Buffone. Taking steps to align teams such as ecommerce, digital marketing, and IT to work together on monitoring site traffic, blocking attacks, and gain visibility into your traffic is one key step towards securing your business site.
Overall, Buffone encourages retailers to adopt an omnichannel approach to their security operations. With silos between brick and mortar and online retail falling and the rise of programs like BOPIS (buy online, pickup in-store), Buffone suggests that a similarly holistic approach that merges strategies for security between the two slices of the sector is needed.
The Internet of Things (IoT) is a major area where security threats loom for retailers, according to Raullen Chai, CEO of IoTeX.
While it’s easy to think that the IoT is bringing nothing but benefits to retail (think loss prevention tags, electronic locks, video cameras, etc.), it also exposes retailers to new threats. New data vulnerabilities and access controls can be hacked. “Growth in the number of IoT devices is also met with rapid growth in attack vectors and malicious actors,” according to Chai.
The big problem? So-called smart devices aren’t that smart.
Chai broke it down for us: “From the device side, many of today’s ‘smart devices’ are not smart at all, and are not built with adequate security features. There is a gap between the security and privacy provided by existing devices and those that are needed to truly secure these devices, which is an opportunity for hackers.”
Looking at the emerging cybersecurity landscape in Europe and the United States (including new consumer data laws such as GDPR), Chai urges retailers (and consumers) to shift towards technologies that “incorporate privacy by design.” Chai’s innovative idea is to transform the Internet of Things into the Internet of Trusted Things. He believes we must “ensure we can trust our devices to not leak data, respect our privacy, and work for us.”
In terms of solutions, Chai suggests that developers of IoT devices should incorporate secure hardware into their products and companies should be more “proactive in adopting new, trusted technologies” such as blockchain. Together, secure hardware and blockchain have the potential to offer true end-to-end security, according to Chai.
Sometimes security breaches in retail are basic mistakes.
Other times, they are intentional and malicious acts that put retailers and customers in danger.
Oleg Mogilevskii, Market and Research Analyst with CyberInt, encourages retailers to protect themselves and their customers against cybercrime that is becoming ever more sophisticated as retail evolves. This particular brand of threat can “cause business disruption, revenue loss, and turnover due to reputational damage,” according to Mogilevskii.
From compromised customer and employee data and account takeover to phishing and exposed cloud infrastructure, the nature of cybercrimes can vary greatly. That’s why, according to Gartner, by 2022, 70% of digital businesses will merge the budgets and leadership of their fraud and security teams. This shows us that such threats cannot be addressed effectively in isolation.
Mogilevskii warns that cybercriminal gangs are increasingly organized and “moving on from simple ‘smash-and-grab’ attacks...now using tactics similar to ones used by nation-state threat actors.” These cybervillains are “exploiting digital transformation to find multiple entry points: third-party partners, cloud, customer channels, business operations and IT,” shared Mogilevskii.
Specific to retail, some of the methods favored by cybercriminals include selling customer data in the deep web, outright monetary theft through online transactions and point-of-sale environments, and buying and selling assets for fraud (vouchers, customer accounts, promotion codes, etc.). These sorts of attacks happen “low-and-slow” and involve cybercriminals gaining persistent access to compromised data over time, which makes detection difficult.
While the onslaught of cybercrime in retail may seem daunting, Mogilevskii offers a path forward for retailers. He suggests an approach to security that involves:
The challenge of cybercrime in retail is certainly growing, yet not insurmountable. With the right education and action plan in place, retailers and those that support them can thrive amidst digital transformation while staying secure.
From employing secure third-party services and locking down your website to using trusted connected devices and defending against cybercrime, retailers and the providers that support them have their work cut out for them when it comes to addressing security threats.
All of the experts we spoke to stressed the importance of education about the threats that exist along with developing proactive plans to tackle security threats before they become security nightmares.
The expertise and the knowledge are out there. Many wise retailers are already building up their defenses so their business can succeed and their customers can feel secure when doing business with them.
That’s the way forward in the modern retail landscape.