Sep 30 2021

Retail Cybersecurity: Tips, Threats & Strategies to Protect Customer Information

Protecting consumer data requires a mix of compliance and security strategies for your retail business.

The retail sector is increasingly defined by its use of data. But collecting data and knowing how to hold on to it can create problems for management — complications that can turn into liabilities down the line.

Christian Beckner, the National Retail Federation’s vice president of retail technology and cybersecurity, says efforts to improve data security in the retail space have been on the rise for years.

“Ever since some high-profile breaches about seven or eight years ago, there's been a pretty common desire to build outside security teams, to strengthen capabilities against vulnerabilities, to make sure you have the right protections in place,” Beckner says.

Even as the awareness of risk grows, cybersecurity often feels like just another responsibility on top of everything else. But it’s worth taking seriously for the sake of your customers. A Cisco study from last year found that 26 percent of respondents had stopped doing business with a retailer because they felt the privacy of their data was at risk — a higher number than for credit card companies or traditional banks.

As technology’s role in retail expands, proper management of customer data is crucial.

What Types of Customer Data Do Retailers Use?

Retailers primarily use four types of consumer data: identity, descriptive, behavioral and qualitative. Identity data is more generalized information about the customer, while descriptive data covers more in-depth interactions. Behavioral data attempts to cull lessons from other data points to understand why a customer takes one action or another, and qualitative data relies on survey responses and other information gathered from customers directly.

Together, these data points help retailers figure out what, exactly, their customers are doing. Using data analytics and business intelligence tools, organizations can pinpoint areas of growth and evolution for the business. However, the data that matters most may differ based on the type of retail business.

“There is no one data collection type that will serve all purposes,” says Patty Altman, executive vice president of analytics for NPD Group, a market research firm. “What’s most important is understanding the critical questions being asked and holistically combining the right data sources to provide fact-based answers and solutions.”

Top 2021 Data Breaches in Retail

Data breaches have been on the rise in 2021, in part because of a growing number of phishing and ransomware attacks. The nonprofit Identity Theft Resource Center found that there were 846 breaches in the U.S. in the first half of 2021, compromising the identities of nearly 53 million people. That’s about 76 percent of the total breaches faced for the entire year of 2020.

Among the largest retail breaches in 2021 were attacks involving a mobile service provider, an auto manufacturer and a fashion retailer. Perhaps the most high-profile breach, a DarkSide ransomware attack that created gasoline shortages around the country, provided a prominent example of supply-chain disruption.

Supply chain attacks have become a major challenge for NRF’s members, Beckner says. “The major trend over the past year, in addition to all these ransomware attacks, is the number of supply chain breaches. It’s not really you being breached, it’s the third-party software service or application that you’re using,” he says.

Every industry has issues like these with security, Beckner adds, but customer data breaches have a higher profile because of the direct impact to consumers.

“The consequences of that, in a lot of cases, are greater than for other types of incidents,” he says, and could entail reporting to the state attorney general as well as legal liabilities.

Data Security vs. Data Privacy: What’s the Difference?

Along with securing customer data, retailers also have to be mindful of how they use it.

This is an important distinction: While both efforts involve trust, data security represents an expectation that the organization will protect data from theft to the best of its ability. Data privacy, on the other hand, represents an expectation that the organization will use the data in a way that protects the privacy of the individual — not sharing it with others, for example, or getting rid of it after a specified amount of time.

Regulatory concerns have made purging data top of mind for many businesses, including retailers. Rob Hill, president of retail for the NPD Group, emphasizes that it is important to have someone in charge of compliance with regulatory mandates such as Europe’s General Data Protection Regulation and the California Consumer Privacy Act.

“If a retailer is collecting data itself, it is important to have an expert in house who knows the regulations and best practices as they relate to data collection,” Hill says. “This is a quickly evolving area, and the integrity of the data must always be the priority.”

Regulatory compliance is never easy, so working with an outside team might keep your organization on the right path.

What Strategies Can Retailers Use to Protect Customer Information?

Beckner emphasizes that customer information is just one kind of data impacted by retail security breaches. Liabilities may be more pronounced with consumer data breaches, but ultimately all data needs to be protected.

The NRF, like many associations, has doubled down on efforts to keep its members safe, Beckner says, offering a security council (which he manages), as well as a risk-sharing mechanism that confers with government agencies such as the Small Business Administration and the Cybersecurity and Infrastructure Security Agency. These organizations are a resource for information on potential risks.

“If retailers are struggling with these issues, they should engage with associations like NRF or whomever their association may be,” he says. “This has been a pretty big investment area for us as a trade association.”

Plenty of technology solutions exist to limit access to data, such as firewalls and virtual private networks, but the customer-facing nature of retail naturally puts consumer data at risk. Beckner recommends including everyone in the cybersecurity conversation, both employees on the front lines and those at headquarters.

“It’s not just about the small security team within the company IT department,” he says. “It’s really about everybody.”

And while cyberattacks on retail often dominate the headlines, Beckner says, cybersecurity is a universal problem that will best be solved by collective efforts to improve security for all — even if other industries don’t have the direct exposure to consumer data that the retail field has. “This is something that affects pretty much every industry sector,” he says.

As organizations try to determine how to balance security and compliance concerns with business needs, working with a service provider such as CDW Amplified™ Security services might be an effective place to start.
