Data breaches are some of the biggest lumps of coal any retailer can get during the holiday season.
The impacts are myriad and wide reaching: potential loss of financial data, company secrets, and perhaps most damaging of all, a loss of consumer trust.
Two recent shopper surveys brought this last point into sharp focus. According to a joint Vormetric Security/Wakefield Research report, 84% of Americans would change their shopping habits if their favorite store were hit by a data breach. Let that sink in a bit: most shoppers will physically take their business elsewhere, even steer away from a well-loved store, following knowledge of a breach.
On a more detailed level, the survey found that Americans would shop somewhere else after a data breach at a regularly visited retailer if:
- Money was taken from their checking account (67%)
- Unauthorized charges appeared on their credit card (62%)
- Personal information was leaked (57%)
- Their credit score was damaged (54%)
“The revelation of a major data breach following the Black Friday weekend in 2013 was the starting point for two record years of data breaches that have followed,” Vormetric’s Tina Stewart says. “Events since then have demonstrated just how much financial and reputational havoc a data breach incident can wreak on beloved brands.”
Data Breaches on the Brain
In a separate Gemalto/Vanson Bourne survey of shoppers in seven countries, 49% of respondents said they would be unlikely to continue doing business with a retailer if a data breach compromised personal information. That figure increased to 64% if shoppers’ financial information was stolen because of a data breach.
A deeper read of the Gemalto/Vanson Bourne report reveals more troubling statistics. Only a quarter of the shoppers surveyed felt that their favorite stores take data protection and security seriously. With 31% of shoppers saying they have been affected by a data breach, that lack of trust is not surprising.
“The emotional impact of data breaches has also created apprehensive feelings towards businesses, with nearly one fifth (19%) feeling they are likely to be a victim of one within twelve months to three years,” the report authors write.
It’s Up to The Vendor
So what’s a vendor to do? If shoppers are asked, the refrain will undoubtedly be: do something to protect against data breaches! As the Gemalto survey found, 69% of consumers feel that the responsibility for protecting customer data lies with the company – as it should!
However, the retail edition of Vormetric’s 2015 Insider Threat Report suggests that many retailers simply are not up to this task. According to the survey of 102 IT professionals working for enterprise retailers, 48% reported their company had experienced a data breach or failed a compliance audit in the last year. What’s more, half of U.S. retailers specifically reported being “very” or “extremely” vulnerable to data breaches.
This weakness also became clear from retailer security spending trends detailed in Vormetric’s report. Preventing a data breach was the top driver for security spending for 63% of retailers in 2015, up from a top driver for only 21% of those surveyed two years ago.
Perhaps even more troubling: retailers reported spending similar amounts of money across different categories of security protection, such as network defenses, analysis and correlation tools, and end point and mobile defenses. This suggests, as the Vormetric report authors write, that “organizations are not identifying and investing in the solutions that are most effective at solving the problem.”
The Human Element
Though Vormetric’s larger 2015 Insider Threat Report found that 89% of companies felt at least somewhat vulnerable to insider attacks, no ink was spent on discussing the value of comprehensive security awareness programs for employees. The focus was instead on which purely technical solutions are serving, and too often failing, to protect against data breaches.
Among the security measures that survey respondents named as most effective, employee education was nowhere to be found. This omission could be due to failure to ask the right questions on the part of the survey takers. But even the absence of employee education programs as a talking point speaks to an important need: the industry needs to spend more time talking about the human element.
Vormetric CSO Sol Cates has the right idea:
“The time has come for retailers—and indeed all organizations—to embrace a data-centric mindset and change their approach to how their data is protected,” Cates says in the press release announcing the Insider Threat Report.
But we must also remember that implementing purely technical solutions is not enough. When we’re talking retail, “every member of the team” goes well beyond IT to include everyone who handles sensitive data, such as payment card information, in any way.
It’s not enough for IT to have a data-centric mindset. You’ve got to get all employees rallied around the role they play in ensuring security, and that means creating a risk-aware culture through effective and persuasive communication about the risks and the behaviors that can lead to data breaches.