Study: Majority of retailers feel ‘vulnerable’ to a data breach
While the number of cyber-attacks has declined in the last year, a majority of companies still feel susceptible to data threats.
This was according to the “2017 Thales Data Threat Report, Retail Edition,” from Thales e-Security and analyst firm 451 Research. The study is based on responses from more than 1100 senior security executives, including in the retail segment, from across the globe.
According to data, 52% of companies experienced a data breach in the past, and 88% fear they are vulnerable to a cyber-attack. Meanwhile, 19% stated they are “very” or “extremely” vulnerable.
On a positive note, U.S. retail data breaches in the past year dropped from 22% in the 2016 survey to 19% this year. This number is lower than any other U.S. vertical polled for the 2017 report, including healthcare (20%), financial services (24%) and the U.S. federal government (34%).
However, U.S. retailers may be failing to learn from past mistakes. More than half (11%) of the 19% that were breached this year had also experienced a breach previously. When looking at global retail, a staggering 43% of global retail respondents reported a breach in the past year alone, approaching twice the global average, the study reported.
“These distressing breach rates serve as stark proof that data on any system can be attacked and compromised,” said Garrett Bekker, principal analyst for information security at 451 Research. “Unfortunately, organizations keep spending on the same security solutions that worked for them in the past, but aren’t necessarily the most effective at stopping modern breaches.”
Seventy-seven percent (77%) of U.S. retail organizations are increasing IT security spending, but are not concentrating spending where it will make the most difference. For example, 88% of respondents selected network security as “very” or “extremely” effective at protecting data from breaches — even as network security fails to keep out attackers and is unable to protect data that is increasingly stored in the cloud.
Spending patterns also indicate a focus on what has worked in the past with the planned spending increases on network (67%) and endpoint (63%) protection. Data-at-rest approaches, which have proven to be effective at protecting the data itself, came in second from last (49%) in terms of retailer security spending priorities.
According to the report, 95% of U.S. retail organizations will use sensitive data in an advanced technology environment (such as cloud, big data, IoT and containers) this year. However, 53% of respondents believe that sensitive data use is happening in these environments without proper security in place.
“It’s encouraging that yearly retail data breach rates have finally started to drop, but rates are still quite high,” said Peter Galvin, VP of strategy, Thales e-Security. “With tremendous sets of detailed customer behavior and personal information in their custody, retailers are a prime target for hackers so should look to invest more in data-centric protection. And as retailers dive head first into new technologies, data security must be a top priority as they continue to pursue their digital transformation.”
To make this transition, organizations are encouraged to:
• deploy security tool sets that offer services-based deployments, platforms and automation;
• discover and classify the location of sensitive data within cloud, SaaS, big data, IoT and container environments; and
• leverage encryption and Bring Your Own Key (BYOK) technologies for all advanced technologies.
The Rush to Deploy the Latest In-Store Technology is Compromising IT Security
Digital transformation is accelerating the pace of change within the store environment. Retailers are under pressure to move quickly to implement the latest in-store capabilities to help separate themselves from the competition and provide a reason for repeat trips to the store. These retailers are blurring the physical and digital worlds to drive deeper customer engagement, loyalty, and emotional connections with a brand.
In practice, this translates to an avalanche of new technology and data analytics tools sweeping into retail outlets large and small. Self-checkout kiosks and mobile point-of-sale devices promise to enhance convenience for customers. In-store Wi-Fi, dressing room tablets, RFID, and augmented reality capabilities aim to enhance engagement and customer service capabilities.
Connected devices that monitor heating and cooling, on-shelf inventory, and interactive digital signage are transforming operations and optimizing the way stores are managed. To the customer, these changes and technology implementations should appear seamless. But to the retailer, adopting these capabilities creates many challenges and represents a radically different way of doing business within the store environment.
The Risk Behind the Reward
Retail is prime for fresh ideas and new approaches; the technologies being introduced in brick-and-mortar locations really do help to elevate the customer experience and create an incentive for shopping offline and driving purchase intent.
At the same time, these new technologies and endpoints in retail environments — mobile devices, SaaS applications, kiosks, IoT, mobile point of sale, and Wi-Fi — offer an expanded attack surface for bad actors to exploit. And, alarmingly, many store networks rely on outdated on-premises hardware models that introduce single points of failure and open the door to vulnerabilities, malware attacks, breaches, and just about every threat the digital age presents.
Omnichannel retail has created complex security architecture for retailers to manage and maintain on their own, leaving traditional defenses outdated and ineffective. This is exacerbated by the fact that many new technologies, particularly IoT devices, have not been designed with security in mind. As a result, many new in-store technologies have increased complexity for IT teams to manage and unruly security environments to tame and control.
Consumer-driven technologies and rising expectations will only continue to accelerate change, forcing retailers to rethink long-term security strategies, adopt agile network security architectures, and replace legacy patchwork solutions that heighten risk. According to The State of Network Security report for 2016-2017 from Forrester, 40% of enterprises are upgrading or planning to implement next-gen firewalls within the next 12 months.
Investing in adaptive security architecture, such as cloud-based firewalls, helps retailers keep pace with the rate of change in the evolving retail landscape. Otherwise, legacy defenses may work against you, creating an environment ripe for compromise.
Bolstering Digital Defenses
Considering how much variety exists in physical retail environments and how many new technologies and endpoints have come into play, there is not a one-size-fits-all approach to security. However, there are specific strategies and considerations that all retailers should focus on as they strive to turn current vulnerabilities into strengths:
1. Be mindful of segmentation. Today’s retail environments are full of dozens of new endpoints, and many are vulnerable to malware infections and exploits that can bring down the entire retail network if not segmented properly. The risk is even greater when seasonal and contract employees are added to the mix — remember that threats arise both internally and externally.
Protecting the retail environment begins with retailers securing access methods to the internet from the physical store, especially for IoT devices and guest Wi-Fi systems. They must also properly segment the IoT subnet from employee, POS, and guest Wi-Fi subnets — with separate policies for the internet — while ensuring that in-store devices have restricted communications with only whitelisted IP addresses. This year, 85% of enterprises plan to introduce IoT devices, but only 10% feel confident in their ability to secure them. Make sure you fall into that minority.
2. Cut down on operational complexity. Moving from on-premises hardware models to the cloud reduces management complexity, especially for retailers that operate large store networks but have strained IT resources and limited budgets. With cloud-based firewalls, updating and refining security policies for the various store subnets across the retail network is streamlined, resulting in simplified and more robust security architectures.
The days of retailers managing and patching anti-malware on individual endpoints across the retail network are over. The time cost is too great, and the risk introduced by a single unpatched endpoint is too high. According to Forrester’s Top Cybersecurity Threats In 2017 report, software vulnerabilities accounted for 42% of external intrusion attack methods in 2016.
3. Don’t stop at PCI compliance. While PCI compliance is a critical part of a retailer’s security strategy, it’s a little like making sure a lock is on the front door, but not guaranteeing the door stays bolted shut. Cybercriminals are constantly uncovering new entry points and vulnerabilities to invade your store network outside of the cardholder data environment, with the aim of stealing sensitive company and customer data.
It’s vital for retailers to focus not only on the prevention of cyberattacks within the retail environment, but also on the detection of suspicious and malicious activity. Retailers should implement supplementary security measures beyond PCI compliance to build layers of defense. Next-gen firewalls that offer intrusion protection and detection, web content filtering, and sandboxing enable retailers to do just that.
4. Prioritize threat intelligence. Because retailers cannot prevent all attacks, leveraging actionable threat intelligence is imperative to alert retailers when devices and network assets have been compromised and are communicating with unapproved or malicious IP addresses, which could be C2 servers and their botnets. Threat intelligence analyzes for suspicious network communications and alerts to policy violations and vulnerabilities.
Gartner predicts that by 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk. What’s more, Gartner also predicts that by 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 30% in 2016. The implications for retailers are clear — the time to act and invest in threat intelligence defenses is now.
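The segmentation rule in strategy 1 and the alerting on unapproved destinations in strategy 4 can be expressed as one check over store flow records. The sketch below is an added example, not code from the article or any vendor; the subnets, allowlists, and the "src dst dport" record format are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan and allowlists (assumptions, not from the article).
SEGMENTS = {
    "pos": ipaddress.ip_network("10.20.10.0/24"),
    "employee": ipaddress.ip_network("10.20.20.0/24"),
    "iot": ipaddress.ip_network("10.20.30.0/24"),
    "guest": ipaddress.ip_network("10.20.40.0/24"),
}
# Segments listed here may only reach these external destinations.
# Segments not listed (employee, guest) get general internet egress.
EGRESS_ALLOWLIST = {
    "pos": [ipaddress.ip_network("198.51.100.0/28")],   # payment processor
    "iot": [ipaddress.ip_network("203.0.113.10/32")],   # device management
}

def segment_of(addr):
    """Return the store segment containing addr, or None if external."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)

def check_flow(src, dst):
    """Classify one flow against the segmentation and egress policy."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if src_seg is None:
        return "unknown-source"
    if dst_seg is not None:  # internal destination: must stay in its own segment
        return "ok" if dst_seg == src_seg else f"cross-segment:{src_seg}->{dst_seg}"
    allowed = EGRESS_ALLOWLIST.get(src_seg)
    if allowed is None:
        return "ok"
    ip = ipaddress.ip_address(dst)
    return "ok" if any(ip in net for net in allowed) else f"egress-not-allowlisted:{src_seg}"

def audit(lines):
    """Return (record, verdict) for every flow record that violates policy."""
    checked = ((ln, check_flow(*ln.split()[:2])) for ln in lines)
    return [(ln, v) for ln, v in checked if v != "ok"]

# Constructed flow records: "src dst dport".
SAMPLE_FLOWS = [
    "10.20.30.15 203.0.113.10 443",   # IoT sensor to its management service
    "10.20.30.15 10.20.10.5 445",     # IoT sensor reaching a POS terminal
    "10.20.10.5 198.51.100.3 443",    # POS to payment processor
    "10.20.10.5 192.0.2.77 8080",     # POS to an unapproved external host
    "10.20.40.9 192.0.2.77 443",      # guest Wi-Fi browsing
    "10.20.40.9 10.20.20.4 22",       # guest Wi-Fi reaching employee subnet
]
```

Running `audit(SAMPLE_FLOWS)` returns the three records that break policy: the IoT-to-POS flow, the POS egress to an unapproved host, and the guest-to-employee flow.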
Innovative technologies help retailers differentiate the customer experience and bring the best of online digital engagement into the store environment. Retailers can build robust layers of defense with adaptive security architectures to better prevent and detect threats or exploits. And within a rapidly evolving omnichannel threatscape, that’s a priority everyone can agree on.
Susan McReynolds is retail strategy manager for Level 3 Communications, where she works with customers, analysts, and industry leaders to keep a pulse on the IT trends and challenges facing today’s omnichannel retailers. Before joining Level 3, Susan worked with leading national and global athletic brands to develop custom visual merchandising programs.
Lifeway’s merchandising gets a new plan
Lifeway Christian Stores’ shoppers’ needs differ from store-to-store — a factor that pushed the chain to revamp its merchandising processes.
For the specialty retailer, this has meant pursuing macro- and micro-localization strategies. From the macro level, the company still wanted to manage assortments that deliver a consistent brand experience – not only in terms of the products offered, but also in how they are stocked and presented.
However, as customers’ expectations continue to change, Lifeway knows it is paramount to cater to local tastes and preferences.
“No longer can universal assortments or even cluster-level assortments alone satisfy all of a local store’s customers,” said Bill Crayton, the retailer’s VP merchandising. “Micro-localization enables those at the store level who know their customers the best to influence the product assortment and presentation.”
However, an aging, customized merchandising system couldn't support this endeavor. The 12-year-old system managed several million store/SKU combinations — and mostly through manual and spreadsheet-based processes. Meanwhile, order quantities were predetermined based on static stock levels rather than dynamic sales trends — practices that limited its ability to meet unique store-level assortment needs.
Lifeway was in need of a modern solution that could provide a ‘single version-of-the-truth’ across the enterprise, driven by calculated store-level sales data. It also wanted a solution that could allocate and replenish merchandise based on sales trends at individual stores.
“We didn't want manual intervention,” Crayton said. “We wanted a forward-looking forecasting process that was easy to use and had all the science built-in.”
The specialty retailer added a software-as-a-service merchandising solution from Relex that centralizes the planning process and supports localized store-level intelligence. All users now view information from a store/SKU level, and have visibility to actual and forecasted sales, available inventory and merchandise allocated to pending orders. It also allows the retailer to set or adjust merchandising and inventory allocation parameters on a store-by-store basis.
“The solution also includes all e-commerce sales, inventory, and orders,” Crayton explained. “By integrating e-commerce performance into the solution, we are able to manage stores and online buying through one team, not two.”
Lifeway went live with a large selection of products by August 2016, and began rolling out the solution chainwide “as we entered the holiday season last year,” he added. “We didn’t have any major issues, and everything actually worked very well.”
First, Lifeway focused on macro-localization by centralizing assortment plans, clustering stores together and varying assortments within store groups. Dynamic store replenishment levels and parameters were set along with store-level forecasts and order points. A forward-looking demand forecast can also be shared with the company’s publishing arm and external vendors.
To embark on micro-localization, the solution infuses store-specific intelligence into the process, including assortment-specific requests, significant sales trends and special event awareness. For example, the solution helps store managers to promote local authors, who tend to sell well in their areas. Additionally, stores frequently host events that may require a one-time increase in inventory of specific items relevant to an event.
Further leveraging the solution, Lifeway is adding a mobile application that enables store managers and associates to engage with merchandising plans. Using store-specific customer behavior data, managers can add merchandise to their store’s assortment plan, and adjust their store’s minimum presentation stock. The mobile solution will increase the communication and collaboration between the centralized planning and store teams, and ensure that each store’s customers are better served and important in-stocks are maintained, according to the retailer.
Since adding the solution, Lifeway is better managing store-level inventory and assortments, “which has allowed us to improve inventory turnover, lower clearance inventory, manage markdowns and see margin increases,” Crayton said. “The solution eliminated past manual work and streamlined the ordering process.”
Lifeway is also planning to apply the solution to its promotion planning and forecasting processes. “We are working with Relex to leverage their forecasting solution to improve our promotion planning and ensure we have the products where they need to be when customers are ready to buy,” he added.