Retail companies have a great deal of data to create a personalized online shopping experience for their customers, so what steps do they need to take to ensure their customers are secure?
While there’s never a bad time to think about cybersecurity practices, the holiday season is the perfect time to think about how you can stay secure while you're shopping. The transformation seen in the retail sector has been dramatic, as almost every brick-and-mortar store has entered the e-commerce world with an online platform to keep customers connected and sales flowing.
It's no secret that e-commerce has grown tremendously in the last few years, and many shoppers are purchasing online regularly. Apart from that, in the wake of the COVID-19 pandemic, there has been tremendous growth in online shopping. It's expected that the U.S. economy will experience a further 13.7% growth by the end of 2021. This demonstrates just how robust e-commerce has become even as more in-store shopping has resumed over the past few months.
Although online shopping has constantly proven to be a blessing to society, retail cybersecurity is a consistently evolving challenge. Over the past year, we’ve seen attacks against major retailers like Best Buy, Garmin, Under Armour, Sears, and Macy's, to mention a few. As a shopper, you might wonder whether it's safe to shop with these retailers, right? Well, you’ve probably shopped at plenty of retail organizations that have been impacted by ransomware, given how frequently retail organizations are targeted. According to Sophos’ The State of Ransomware in Retail 2021 Report, 44% of the almost 500 retail organizations that participated in the survey stated they were hit by ransomware in the past year. 54% of those organizations hit by ransomware said the cybercriminals succeeded in encrypting their data in some way, and of those organizations hit, 32% paid the ransom to get their data back. The average ransom payment? Almost $150,000 USD.
Shopping online brings convenience to shoppers, but how can they stay protected? Retail companies have a great deal of data to create a personalized online shopping experience for their customers, so what steps do they need to take to ensure their customers are secure? And how can consumers know that companies are keeping them safe online? We've unpacked cybersecurity’s role in retail, as consumer data is becoming a retailer's competitive edge.
Taylor Hersom, cybersecurity expert, Founder & CEO of Eden Data, and Ben Pivar, SVP & Chief Information Officer of Carter’s and member of our Atlanta and Retail Innovation Advisory Council, weighed in to provide their valuable perspective on the most important aspects of cybersecurity to keep in mind for the retail sector and its customers.
Over the past few years, e-commerce has made remarkable strides worldwide. COVID-19 has played a significant role in this growth since most people have shopped online during the pandemic. According to Statista, an estimated $560 billion of sales are expected by the end of 2021. It's further estimated that the U.S. would reach up to $735 billion by 2023.
Several factors have contributed to the growth of e-commerce over the past few years. For instance, people can now buy and sell things online conveniently and quickly using their smartphones. Financial companies have also transformed payment methods, making them secure and straightforward. Businesses can now integrate payment systems into mobile applications, making payments more accessible to their clients.
Data gathered by e-commerce businesses have also contributed to their growth. Nowadays, online retailers can track consumer preferences and store thousands of data points representing individual behavior. Retailers then leverage this information to create a further personalized experience for their customers.
Finally, improved consumer experiences have made a significant impact on the growth of e-commerce. Consumers can shop through these personalized approaches that command high customer engagement. With artificial intelligence in online shopping, businesses can predict shopping patterns based on when and what products meet customers’ preferences or those with similar patterns.
Customer data has become a vital aspect of the growth of online retail. Businesses are increasingly using data to improve their ability to sell by carefully analyzing their customers' data. How retailers use this data, and whether customers know what type of data is being collected, is a hot topic.
For instance, if you've searched for a product and left that site or browser, you'll probably find that product the next time you visit the site. Well, this happens a lot.
Online retailers are using consumer data to fine-tune their understanding of what their customers are looking for, the price of their most preferred products, and how they will market them to you.
Let’s explore a few types of consumer data that matter to retailers:
Retailers are individualizing experiences and collecting one of the more foundational pieces of customer data, identity data. These data points include attributes like a person’s name, gender, contact information, social media profiles, addresses, age, phone numbers, credit card numbers, and social security numbers. Often this data is what’s called personally identifiable information (PII). Most organizations categorize PII data into three categories: public data, private data, and restricted data. Data in the public domain would fall into the public data realm, while information like social security numbers would be highly sensitive and need to have the highest level of security controls.
Descriptive data builds on identity data and goes more in-depth by tracking purchase patterns, website visits, email opens, and usage rates to help establish who consumers are. For retailers, this is relatively simple to collect through a point-of-sale platform. Descriptive data allows retailers to track market share and help with building customer personas, which help marketers perfect products for their consumers.
Behavioral data brings identity and descriptive data together to reflect on consumer actions and identify what consumers do. Google Analytics is one of the well-known platforms for gathering behavioral data, as it provides valuable information on how visitors move through a website by tracking things like acquisition, pages visited, how long they stay, and many other data points.
This last type of data, qualitative data, is essential for creating a whole picture of consumer data as it represents what consumers think. This includes customer ratings and feedback that not only can help brands from a marketing perspective (if it’s good at least), but also allows development teams to adjust products or services to what consumers really want. There’s a reason updated models of products come out so often: what consumers want and need changes all the time, and qualitative data helps figure out what those are. In order to have credible qualitative data, though, retailers need to be sure they aren’t asking too much or too often, as this could lead to low-quality responses.
Let's say you have an Amazon Prime account and shop at Whole Foods. Once you check out and link your Prime account to get Prime deals on your groceries, Amazon now has a look into your family's diet. They'll know you like cereal in the mornings, salads at lunch, and tacos every Tuesday. This may sound intrusive, but it can be highly convenient as you order groceries online, as Amazon will be able to know precisely what you want so you can add to your cart seamlessly.
Do you have a Ring doorbell or security system that links to your phone? Any integrations that include your smartphone give companies access to a great deal of your data. This is especially true of something like a Ring doorbell, a device that is recording everything about your home 24/7. This has been an incredible security system keeping millions safe every day, but 24/7 surveillance contains an enormous amount of sensitive data. You may be able to hide your online shopping splurges from your significant other, but not from Ring.
You're looking up a fun winter vacation spot, and now all of your social media ads are about ski gear. While third-party cookies aren't as accessible as they once were, the sharing of data between what you're searching for and applications like Instagram is still happening all the time. Instagram especially is evolving into an e-commerce platform—a long road from a simple photo-sharing app. One minute you can be buying new ski poles, and the next, you'll be watching a Reel of puppies (because Instagram knows you just got one).
Your Apple Watch or Fitbit is doing a ton of behind-the-scenes work while you're working out. With the popularity of tech wearables, biometrics have become an easy way for retailers to enter the healthcare arena and vice versa. Amazon and Apple have quickly become significant players in the healthcare space, pushing innovation for the patient experience with convenience and accessibility. The Apple Watch is taking things to even higher heights with EKG monitoring, blood pressure, and knowing if you fall off your bike, all of which contain endless personal data about users.
Online retail remains one of the biggest targets for cybersecurity threats. The more people continue shopping online, the more hackers have become interested in consumers' data. Personal data is a valuable asset, and with the continued growth in the online retail industry, it is clear why there's a surge in hacking.
As explained above, customers have to provide a lot of personal data when shopping online. This means that they entrust crucial information like email address, credit card information, password, and username to these companies. Cybercriminals can steal this information from online retail databases and make money from it, which can quickly ruin a business's reputation. So, which are the biggest cybersecurity threats to online businesses? Here is a breakdown of common cyber threats you should know about.
"Consumers should be extremely vigilant about phishing and spoofing emails. Bad actors are targeting them with spoofed offers from what look to be well-known companies. Please take the time to look at the actual email address and make sure you don't click links, give information on phone calls or texts to any bad actors." – Ben Pivar, SVP & Chief Information Officer of Carter’s
Phishing is a type of fraud aimed at accessing buyers' details like logins, bank card details, and passwords. Hackers often use mass mailing and links to fake online stores that look real to collect consumers' data and steal from them fraudulently.
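The advice above to look at the actual email address can be automated at a mail gateway or help desk. The following is an added example, not part of the original article: it compares the brand shown in the display name with the real sending domain, flags near-miss lookalike domains, and flags a Reply-To that points elsewhere. The brand allow-list, the function names, and all .test domains are assumptions made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: brand as shown to the reader -> domains it really sends from.
BRAND_DOMAINS = {"example store": {"examplestore.test"}}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_message):
    """Return a list of warnings about the sender of one raw e-mail."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    warnings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if belongs_to(from_dom, allowed):
            continue  # genuinely sent from the brand's own domain
        if brand in display.lower():
            warnings.append(f"display name claims '{brand}' but address is @{from_dom}")
        if any(0 < edit_distance(from_dom, d) <= 2 for d in allowed):
            warnings.append(f"@{from_dom} is a lookalike of a '{brand}' domain")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to @{reply_dom}, not @{from_dom}")
    return warnings

# Constructed sample messages (headers only); all domains are placeholders.
GENUINE = "From: Example Store <deals@mail.examplestore.test>\nSubject: Sale\n\nHi"
SPOOFED = ("From: Example Store <offers@examp1estore.test>\n"
           "Reply-To: claims@collect.test\nSubject: You won\n\nHi")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_sender(raw))
```

A check like this only inspects the visible headers; it complements, rather than replaces, the sender authentication (SPF, DKIM, DMARC) performed by the receiving mail server.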
"Malware" is a short term for malicious software. Examples of malware that hackers can use against your online retail store include worms, viruses, spyware, adware, Trojans, and ransomware. Cybercriminals use malware to infect computers and mobile devices. They can then use it to collect personal passwords, steal money, and even block consumers' devices.
Ransomware has quickly become a cybersecurity threat to many online shoppers. Hackers use this specific type of malware to lock users out of their devices. Device owners must then buy passwords from the hackers to regain access to their devices. Hackers can inject ransomware into your device through pop-ups, fake sites, and phishing emails.
In a distributed denial-of-service (DDoS) attack, cybercriminals send a flood of requests from many compromised IP addresses to overwhelm your web resources. When your online store is flooded with this traffic, your customers cannot make any purchases, which could make you lose them.
Secure online shopping is a mutual responsibility for both the consumers and the service provider. Here are a few tips that can help you secure your customers' data as a business.
Some businesses collect data they don't need, mainly by relying on software that automatically collects information. However, a company should collect only the information it needs, so that it is not holding a large amount of data exposed to cybercriminals.
"Retailers should treat PCI and PII data with utmost caution. PCI data should be segmented in the network, so that customer's PCI data is sent directly, using encryption to payment providers and without hitting the retailer's network." – Ben Pivar, SVP & Chief Information Officer of Carter’s
Your organization needs a team that is responsible for collecting, storing, and securing consumers' information. Otherwise, no one will be paying attention to threats against the data that you collect, and no one will be held accountable for it.
You can start by using a security awareness training program to educate your employees about data security. A security awareness program has two major initiatives you should consider.
First, create a team of executive management support and initiative leaders. This team will ensure that your data security financing is well utilized and that data security remains a top priority for your business.
Second, your team should create a strategic plan for an online security program. Your plan should outline short and long-term goals that create a qualitative measurement of your data security goals.
Proper data security measures involve determining who should access your data and sufficiently securing your company's website, databases, and networks. Businesses should also use encryption standards relevant to the storage and transmission of sensitive data.
"Retailers should work to protect from internal bad actors by carefully managing privileged access so that only specific employees have access to secure data. Setting up multifactor password management is also important to protecting assets." – Ben Pivar, SVP & Chief Information Officer of Carter’s
Employees with access to consumer data should create complex passwords that hackers cannot break. Otherwise, you might be hacked if you use weak passwords or use the same password for numerous accounts.
Multi-factor authentication stands as the best means to protect your consumers' data. Multi-factor authentication requires a user to present two or more pieces of evidence to gain access to an account. Examples of evidence a consumer should present include email address, phone number, and security questions.
Although multi-factor authentication can use several authentication factors to validate a user's identity, two-factor authentication is most commonly used. A multiple-factor authentication process can be triggered if some form of suspicious user behavior is detected.
Your privacy policy should clearly outline your business practices. A well-outlined policy serves as a robust legal agreement that protects your business in case of a security breach. Since many consumers don't read the privacy policy, you should provide reminders on how your business will manage their information at crucial moments, such as when they are giving personal data.
As a business, invest in current security software, web browsers, and operating systems to defend yourself from hackers. Outdated programs are easy to infiltrate, so regular updating strengthens your defense against viruses and malware.
Consumers also have the responsibility to avoid cyber danger while shopping online. There are several warning signs to determine whether a website is safe or not. Keep an eye out for the following:
"Manage and protect your passwords! Too many consumers use the same passwords across multiple accounts. Worse, they often use simple passwords that any bad actor could figure out by looking at social media posts. I suggest a good password manager solution that recommends complex passwords and for consumers to leverage multifactor identification on websites to protect themselves." – Ben Pivar, SVP & Chief Information Officer of Carter’s
Ensure that all your electronic devices run antivirus software. You should also ensure that the antivirus software is kept updated to maintain optimal security.
Using a credit card is more secure than a debit card since there's more consumer protection. Apart from that, debit cards are directly linked to your bank account, putting you at risk of more severe damage.
Always use secure Wi-Fi when making online purchases. Avoid using public networks to log in to payment sites like PayPal or your bank account. Hackers might be able to access your personal information from public networks since they are usually insecure.
To guarantee added safety, ensure that the online shop's website uses encryption. Look out for a closed padlock or a URL that starts with "HTTPS" to confirm whether a site is secure. By confirming these two elements, you will guarantee that your information is safe and secure.
A message from cybersecurity experts at Eden Data:
We live in a data-driven world, and no time of year is driven by more data than the holidays. Thanks to our good ol' pal Kris Kringle promising trendy treasures to every family member, friend, colleague, and dog on the nice list, sensitive data is shared more frequently than Santa stops on Christmas Eve. But just like we've all watched in Home Alone (and, let's be honest, will watch again at least once this year), criminals love to prey during the holidays in places they think won't be safeguarded. Which brings me to the newest era of shopping and the topic of our security awareness... shopping through social media ads. By simply paying to advertise on social, scammers can attract unsuspecting customers and bypass verification measures inherently built into other platforms like Google's search engine. So how can all of you little Kevins stay vigilant against crime this holiday season? Here are some booby-traps scammers often fall into:
The holidays are stressful. Don't let the safety of your data add to it (... that's what in-laws are for). Safe shopping, ya filthy animals!
Cybersecurity is one of the most discussed topics across our Innovation Advisory Councils and Roundtable Sessions. As data becomes more and more valuable, so does the threat landscape businesses face in protecting their data. Interested in what tomorrow’s cybersecurity landscape looks like and what early-stage technologies are changing the game? Get in touch today.