Cybersecurity is new source of ‘competitive advantage’ for retailers

Cybersecurity is a new source of competitive advantage for retailers.

That’s according to a report by Capgemini‘s Digital Transformation Institute, which has called for more organisations to align cybersecurity policies with customer expectations to take advantage of this opportunity.

The report, Cybersecurity: The New Source of Competitive Advantage for Retailers demonstrates that consumers are increasingly aware of security breaches in retail and are willing to spend more with retailers who demonstrate robust cybersecurity capabilities. Based on average annual consumer spending, this equates to a potential annual revenue uplift of 5.4%.

The new report, which surveyed more than 6,000 consumers and 200 retail executives, found that 77% of consumers ranked cybersecurity as the third most important factor when selecting retailers, behind product availability and quality and above traditional factors including pricing and brand reputation.

Strong cybersecurity measures increase customer satisfaction by 13% while 40% of consumers would be willing to increase their online spend by at least 20% more with retailers they trust. The report revealed that retailers who can adopt advanced cybersecurity measures could drive a 5.4% uplift in annual revenue.

However, the report identified a disconnect between the assurances consumers want and what retailers are doing. A total of 70% of consumers want to be assured that their financial and personal information is safe yet only 44% of retailers are actively informing them.

Retailers are also not adequately informing their customers of data breaches. A total of 40% of retailers said they experienced a data breach over the past three years (2015 to 2017 inclusive) and had customer financial or personal data compromised, yet only 21% of consumers say that they heard their primary retailer’s name mentioned with a data breach.

“Cybersecurity represents a lucrative opportunity for retailers to improve customer satisfaction and drive higher online spending,” said Tim Bridges, Global Sector Lead, Consumer Products, Retail and Distribution at Capgemini. “Only retailers who are able to effectively align their cybersecurity measures with customer expectations will be able to impact top-line revenue.”

What do other industry experts say?

Hans Nipshagen, Regional Sales Leader Web and Security Middle East, Africa and Eastern Europe, Akamai Technologies

With the increased frequency and visibility of data breaches, the impact of an attack for any online business is much more than the loss of revenue through site downtime or even the fines from lost customer data – it’s really all about the long-term impact to their brand. In the online world of today trust is the new currency for businesses.

Especially in retail, security can’t be ignored – it is among the most attacked verticals Akamai sees. In the first week of July 2018 alone the Akamai Intelligent Platform witnessed 29.767.361 attacks on retail companies, more than four million attacks per day. 21.767.356 of these attacks were SQL injection attacks. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable and become administrators of the database server.

To gain and maintain the trust of their customers, an online retailer needs to identify security risks and threats and protect their products and services from vulnerabilities and threats in real-time, without compromising on the user experience. In my view online retailers should use security more as a business driver.

Data privacy initiatives like GDPR in the EU and the numerous headlines about website data breaches makes consumers warier about their digital entity.

Customers therefore use trust as decision criteria in their buying process. A retailer with strong cybersecurity measures and clear security and privacy messaging will therefore have a competitive advantage.

Laurance Dine, Managing Principal, Investigative Response at Verizon

Retailers are under constant pressure from cybercriminals that know that there are rich pickings to be made by stealing customer data and payment card information. Perhaps unsurprisingly, Verizon’s 2018 Data Breach Investigations Report found that payment card skimmers were one of the biggest cyberthreats that retailers face – alongside denial of service and web app attacks that target e-commerce sites.

Customers have a right to expect that the retailers they shop with are doing everything in their power to protect them from these threats and those that fall short risk damaging consumer trust and brand loyalty. This doesn’t require a huge shift in mindset for retailers, as the industry has long understood the need for loss prevention – so it’s a matter of expanding these measures beyond cameras and security guards to employing better cybersecurity practices.

Given the potential rewards that can be gained from hacking e-commerce applications and websites, these should be one of the core assets that retailers are protecting. To ensure a reliable 24/7 service for shoppers, retailers should have mitigation systems in place that can protect their websites from DDoS attacks.

It’s also crucial to take all available precautions to secure customer data. These can include using mobile device management to restrict employee access to sensitive information; encrypting data so it’s useless in the event of a successful breach and basic hygiene such as ensuring software patches are fully up-to-date to protect against viruses.

Lastly, retailers need to put in place processes to stop POS terminals from being tampered with to minimise the chance of card details being stolen at the point of purchase – just simple physical steps such as checking card readers daily for visual changes such as new peripherals or cables can go a long way to reducing incidents.

Ultimately, consumer trust will always be damaged by a cyberbreach of any kind. Added to this, there’s a risk of regulatory fines and lost business from customers turning their backs on retailers they no longer trust. As such, retailers should be doing all they can to defend against cyberattacks to minimise the risk to their business.”

Kevin Bocek, Chief Cyber Security Officer, Venafi

Retailers need to do much more to bring their defences in line with customer expectation. Yet in theory, this should be reasonably straightforward. After all, customer’s security expectations aren’t particularly complicated; we as consumers simply expect that our personal details are secure.

This means deploying encryption to protect all data in transit – in particular sensitive information such as our address or card details. This is a core expectation under PCI DSS and it’s so important that for the last three years the PCI SSC has spent significant energy on making sure old TLS and SSL encryption protocols are not in use.

But hackers are increasingly hijacking encryption in order to hide their attacks. In 2016 more than 40% of attacks against retailers came through encrypted traffic. Gartner expects 70% of attacks in 2020 to come over encrypted traffic. Retailers cannot simply assume that because traffic has been encrypted, that it is therefore secure.

Using the same encrypted tunnels that customers, mobile apps and APIs use, they can travel around largely undetected while appearing trusted. A retailer might have spent a fortune on expensive intrusion detection, anti-virus and firewalls but without any ability to look at the encrypted traffic flying across the retailer’s network, these defences are rendered useless.

Put simply, retailers cannot rest on their laurels: just using a valid encryption protocol and having the required security controls mandated by PCI is not enough. They all need to work together correctly. Encryption is most likely the hardest and poorly understood part of cybersecurity. If it’s not used properly, or if the WAF, NGFW, IPS, DDoS security controls are not enabled with the machine identities – specifically TLS keys and certificates – to decrypt and inspect all traffic, then retailers have wasted large amounts of their investment and it’s no wonder attacks can still be successful.

Today getting keys and certificates to all of these security controls is confusing, complicated, and time consuming. Huge breaches like the one at Equifax can still exploit  simple vulnerabilities if they hide in encrypted traffic where security controls like WAF and NGFWs can’t do their job.

The answer for retailers is to automate the process of managing the machine identities – like TLS keys and certificates – that create and enable encryption. This goes beyond simply keeping a record of each machine identity, it calls for establishing controls over all keys and certificates and being able to feed them to all security controls to look for cybercriminals hiding in encrypted traffic.

Without this, DDoS attacks, web application exploits and other network attacks will still be successful. Only once retailers have this capability can they truly protect their customer’s payment information – and until then, they will not be meeting customer expectations.