Written by Sean Ventura, Chief Information Security Officer. This article originally appeared in Retail Customer Experience.
As e-commerce expands rapidly and in-store checkout goes cardless, it’s never been easier to get the products you need as quickly as possible. The flip side: cybercriminals have an ever-growing trove of personal and financial information within their reach.
When it comes to data security, the relationship between customers and businesses is already on rocky ground. According to new research from First Data, only 11 percent of consumers trust retailers to properly manage a data breach. And well-known brands such as Under Armour, Saks/Lord & Taylor and Panera Bread have faced customer backlash around data breaches within the last year.
When it comes to data security, talk is cheap. The best method of building customer trust is to have a proactive plan in place, both to prevent data breaches and to quickly respond in the aftermath. If you haven’t already, it’s time to re-evaluate your IT policies and operations to ensure you’ve fixed any gaps in security.
Consider these tips for helping your company traverse data security — and come out a customer champion.
Adopt a zero-trust model
Chances are you remember the massive Target data breach in 2013. One of the more frightening aspects of the story: the hackers got into Target’s data through remote access provided to an HVAC company to monitor energy consumption. Cyberattacks can come from anywhere.
The challenge of protecting against unforeseen threats has increased through the last few years. As retailers become more reliant on technology to drive operations, it’s critical they understand the risks associated with outside vendors. Their security standards may not match your own; once they have access to your system, anyone who’s exploiting their system does as well. Similarly, it’s important for retailers to be aware of the dangers of “shadow IT” – employees operating unapproved software or applications on their business’ network.
The best policy is a “zero-trust” model: no software, applications or vendors access your network without IT’s explicit approval. That means IT needs to maintain a running log of all software and applications currently allowed on the network, comprehensively vet any vendors before selecting their technology, and keep an eye out for any security patches. Hackers will find new holes to exploit in software produced by even the most well-known brands, so “zero-trust” should remain the mantra for as long as the software, application or vendor accesses your network.
Implement a single point of control
Part of protecting your store against data breaches is reducing the number of access points a hacker has to sensitive information. In today’s connected enterprise, that’s easier said than done. Stores are employing POS systems and warehouse management systems (WMS), as well as IoT-enabled devices to collect data in-store and in the fulfillment center. Even solutions or devices that aren’t directly connected to customer data could expose sensitive information if not properly secured.
One solution: move critical operations to the cloud. The cloud is actively aiding retailers with this challenge by acting as a single point of control for multiple access points. It fills in the security gaps in your hardware and software so that, in the event a device is compromised, a cybercriminal is unable to access valuable customer data.
Cloud migration can be completed in-house or outsourced to a vendor; if you’re working with a vendor, talk with its IT team about security standards, and make sure its offerings are in line with your expectations. You’ll also want to ensure the vendor has a plan in place to respond to any suspected breaches, and that it keeps all security patches up to date. Approach your vendor with the same “zero-trust” model you would apply to software and applications, and let it earn your trust through superior protection.
Know how to reach customers
Stepping up your IT security procedures can greatly reduce the risk of a breach, and can mitigate the effects in the event a cybercriminal were to successfully break in. However, if you are compromised, alerting the customer quickly is core to salvaging the relationship. GDPR in the European Union requires businesses to make breaches known within 72 hours; be aware of all the local regulations and laws for breach notification, and ensure that you have a breach plan in place so you can alert customers more quickly, where possible.
Set up an alert system using your business’ customer information database to ensure you know who’s used a credit card or entered personal information into your system, and make sure you have their contact info ready to go. Even a simple email blast to your customer list, with information on how to check whether their information may have been compromised, can help make customers more aware and promote a sense of openness between retailer and consumer.
Preparation is key
If you haven’t considered where your network may be vulnerable, now’s the time to look at your operations and make adjustments. By locking down your systems as best as possible, adopting new technology and determining a plan of response in case of a breach, you can minimize the impact data breaches have on the customer relationship.