Data Security: Retail Industry

A few years ago, I complained about visiting multiple stores to find a single outfit that I liked. Now, it’s rare that I visit a brick and mortar store, as goods and services are increasingly being sold online. The pandemic has also played its part by pushing those without a digital platform to embrace an online presence.

Currently, with an online presence a necessity, it’s no surprise that the retail industry is quite sought after by cybercriminals. And this is on top of the already high levels of data security threats faced by retail companies given they hold vast amounts of PII, and even bank details, of their customers.

According to a survey by PwC, the retail sector suffers an average of 4,000 data security threats every year. Also, 16% of all companies surveyed faced losses of over $1 million due to data security related incidents. Apart from the data security incident itself, the outcome of it is just as bad, if not worse. Another study, this time by KPMG revealed that 19% of consumers would stop shopping at a retailer that had fallen victim to hackers, even if the company took the necessary steps to remediate the issue. Another 33% of the consumers surveyed said they wouldn't shop at a breached retailer for at least three months out of ongoing fear their personal data could be compromised.

So, what does all these numbers say? That data security not only has far reaching implications for retail organizations in terms of the regulatory fines, but it also has other secondary effects like loss of trust and customer base, which are even harder to earn back.

Even with laws like the PCI-DSS which mandate strict standards and processes for the protection and confidential handling of PII and PFI, compliance doesn’t ensure one hundred percent data security, and hence isn’t solely enough to protect retail companies from cybercrime.

Challenges

Let’s go through some of the major data security challenges faced by the retail sector:

  • Malware attacks

Malware attacks are very common in the retail sector, especially those caused by ransomware. Ransomware works by preventing users from accessing their documents unless they pay a ransom. There is also a more advanced version of a ransomware called crypto ransomware that scrambles files and renders them unreadable without a decryption key. A report by network security firm SonicWall states ransomware is the payload of choice for malicious email campaigns - ransomware attacks on businesses large and small reached a shocking 638 million in 2016, up from 2015's 3.8 million. Retailers should ensure the right solutions in place to fend such attacks.

  • Maintaining compliance

Implementing improved EMV (Europay, Mastercard and Visa) technology is still a challenge faced by many retailers. There is also a misunderstanding regarding EMV’s capabilities and the requirements of PCI DSS. PCI Standards – particularly PIN Transaction Security – are vital for protecting cardholder data entered at the point-of-sale and onward through the payment system. PCI Standards acts as an essential compliment to EMV chip technology by addressing different aspects of payment security. Retailers shouldn’t confuse both as scopes of data protection are different.

Since retail companies handle large volumes of consumer data, compliance to privacy compliance laws like the GDPR or the CCPA also becomes necessary to avoid a lawsuit.

  • Third-party attacks

The data breaches of Target and Home Depot, two of the major breaches in the retail industry, were caused due to a result of third-party attacks. As improvements in technology enhance the retail supply chain leading to faster and more convenient shopping, it isn’t without its risks. The threat of a data breach becomes higher in a retail supply chain due to the increasing connectivity between the retailer and his many third-party networks.

Apart from strong security measures, reliable activity monitoring and breach reporting technology is also necessary.

  • Human factors

Given that the retail industry hires a large number of unskilled labour, there is a chance that a lot of data security incidents could be caused by human factors. According to a whitepaper by security software firm Trend Micro, 91 percent of all cyberattacks begin with a “spear-phishing” email targeted at a specific individual within an organization. Research reveals that less than one-quarter of respondents consistently deny unknown links sent to them via email or social networks. Another shocking figure - only 39 percent of employees surveyed receive ongoing security awareness training or advice at their work more than once per year.

It isn’t enough to just have a good security system in place. Employees must be educated about the different data security risks and how to handle them.

  • Internet of Things (IoT)

The potential of IoT is massive in the retail industry. One example would be the integration of in-store cameras and sensors with visitors’ smartphones. Although, numerous devices connected to the web also means a higher risk of having unsecured access points. Without properly shielding these entry points, it’s similar to giving hackers free access to all your data.

  • Inefficient IT infrastructure

On the level of security in regard to the level of security of the fuel retail industry compared to others, Aron Molnar, security expert and a leading European hacker, commented “Digital organizations that have digital services as their core business; they are usually aware of their security and IT risks. There are industries that have high standards due to legal requirements such as banking and health. Others are aware of their situation due to the large quantities of data they handle, like a hotel chain. Most of the others have no real digital presence and are often not aware.”

This holds true for any retail company – a digital presence may be one of the reasons for cyber-attacks, but the lack of one leads to greater problems.

Solutions

Technology is largely the cause for cybercrime, but technology is also what is needed to thwart it. People and processes are not enough; organizations should implement the right technology in place to build a strong data security posture.

  • Monitor user activity for all actions performed on sensitive data in your enterprise.  
  • Choose from different methods or select a combination of techniques such as encryption, tokenization, static, and dynamic data masking to secure your data, whether it’s at rest, in use, or in motion. Before this step, sensitive data discovery is a must, because if you don’t know where your data is, how will you protect it? 
  • Deploy consistent and flexible data security approaches that protect sensitive data in high-risk applications without compromising the application architecture. 
  • Your data security platform should be scalable and well-integrated, which is consistent across all data sources and span both production and non-production environments. 
  • Finally, ensure the technology you’re implementing is well integrated with existing data protection tools for efficient compliance reporting and breach notifications. 

Conclusion

Technologies , deep learning and the like may be cornerstone to enhancing business processes and improving defence against cyber-attacks. But as technology grows, cybercrime is growing at an even faster pace. Retailers, considering the vast amount of consumer and employee data they possess, should pull out all stops to ensure a robust data security platform to avoid the devastating consequences of cybercrime.

About MENTIS

The MENTIS platform comprises a comprehensive solution that protects sensitive data along its lifecycle in the customer’s systems - providing capabilities from sensitive data discovery, masking, and monitoring to data retirement. Engineered with unique, scalable architecture and built-in separation of duties, it delivers comprehensive, consistent, and reliable data and application security across various data sources (mainframe, relational databases, unstructured data, big data, on-premise, and cloud).

How a top food retail chain in the US is effectively handling data security

Find out how we masked sensitive information across several data sources in multiple franchises for one of the largest Fast Food Restaurant Chains in the US. Click here to read more: MENTIS Customer Success Stories – Discovery and Masking for a Top Food Retail Chain in the US