I have just spent a couple of days with the top retailers in APAC, talking about digitalization and the risks this transformation presents to retailers globally. There is a shared concern among industry leaders that 2017 could see another tipping point in e-commerce, as traditional retailers are increasingly moving to digital/online based business models and the leading online players continue pursuing ambitious growth agendas.
This comes as consumer behaviour is changing- seemingly no one wants to shop in a store anymore. According to Deloitte, 58% of consumers have used their phone or their PC to shop and 38% do it at least once a week. And, in the surest sign that digital sales in retail will probably only accelerate: Deloitte found that younger generations, especially 25-to 34-year-olds, are more engaged with their phones for shopping, with 85% using their devices for website browsing and 76% using them to pay for products.
As digital businesses continue to grow, the push for online channels means that retailers have something new to worry about: digital risk. Considering that 53% of retail fraud in the U.K. is cyber-enabled, combined with the growing unease on behalf of customers that retailers are incapable of keeping their personal data safe, it’s no wonder that cybersecurity risks have become a priority for retail businesses. As the recent Wonga breach demonstrates, the frequency, breadth and severity of cyber attacks on retail and financial sectors is increasing.
Traditional Retail Slumps while Online Sales Surge
Old-school U.S. retail giants that still rely on in-store sales continue to fall. This year started with Sears announcing it would close more than 100 Kmart stores and 41 of its namesake outlets. Not long after, JC Penney moved to shutter 140 stores, and Macy’s targeted 34 stores for closure after already committing to close 68 others.
The same holds true in the U.K.: the brick and mortar goliaths are struggling. Next shares fell after a 2016 holiday sales slump and gloomy 2017 forecast numbers, and although M&S surprised many with robust holiday clothing sales, even its new CEO acknowledged the retailer has “lots more to do” to stay healthy.
Meanwhile, digital retailers are rapidly growing. Granted, Amazon takes the lion’s share of sales for retailers that are primarily digital – a whopping 46% in 2016 – but many other digital-focused retailers continue to grow by leaps and bounds. U.K. online retailer Asos, for example, saw gains in all of its key markets in 2016, while U.S. pet food retailer Chewy.com continues to lap up the competition.
Not All Retailers Have Adapted to Digital Risk
Because it holds such a treasure trove of valuable customer information, retail faces more cyberattacks than any other industry. But even though the results of a breach can be devastating, as exemplified by Home Depot paying customers a $19.5 million settlement for its 2014 credit card breach, many retailers still struggle to follow basic cybersecurity steps.
Even the biggest U.S. retailers – including Apple, Gap, WalMart, Home Depot and Target – have many issues with cybersecurity.
CyberInt analysis shows that even the biggest retailers are not keeping up with the growing need for a comprehensive cybersecurity strategy. We ran a scan of top 500 websites on Alexa and discovered that more than 50% of these high-traffic websites (including many prominent online retailers) are spoofable. In addition, many of top ranking websites were highly vulnerable to subdomain takeover. This is a serious attack vector whereby hackers take advantage of a wide-spread DNS misconfiguration to take full control over a company’s subdomains. This attack is practically non-traceable, and according to our analysis it affects at least 200 NASDAQ-listed, top 100 Alexa rank domains.
Retailers must take the following steps to enhance cybersecurity if they want to take advantage of digital channels:
- Invest in a high quality and secure domain provider
- Establish strong password policies for employees
- Regularly update software
- Patch vulnerabilities on an ongoing basis
- Segment networks to separate corporate, support, store and payment environments.
- Pentest for security vulnerabilities
- Invest in extensive training on security policies for all employees
- Facilitate cooperation between departments when it comes to cybersecurity
- Thoroughly vetted third party suppliers and vendors and monitor for supply chain vulnerabilities
- Consider hiring a digital MDR to deal with the multitude of digital risks
Costs of poor cybersecurity in retail are high
Nearly one in three retailers have suffered revenue losses from a cyberattack, and all retailers rightfully perceive targeted attacks, fraud and DDOS attacks as the greatest risks facing their business. Retailers thus need to immediately adapt to the realities of digital risk if they want to continue to transform their online sales efforts. If they don’t focus on protecting their online channels now, their financial and brand reputation losses will only increase down the road.
The retail industry continues to see significant annual increases in the cost of data breaches. In 2014, the average cost of each breached record was $105, and that figure rose to $165 in 2015. The breach cost of $172 in 2016 exceeded the mean across all industries, which stands at $158.
The costs associated with a data breach include the hiring of consultants to review an attack, damages paid to consumers affected by the breach, and a $50-$90 fine per cardholder data compromised from the banks. It would hardly be surprising if these costs continue to climb the next few years as digital risks also increase.
Brand reputation also suffers when data is compromised. A KPMG survey revealed that 33% of consumers will stop shopping at a retailer within three months of a cyberattack out of the fear that their data will also be at risk.
New threats require specialized tools
All it takes is just one breach to dent consumer confidence and expose a company to great financial loss. If retailers want to keep transforming their business with digital initiatives, they need to invest in strong cybersecurity.
To address this growing need to cover digital risk, a new breed of service providers laser focused on detecting digital risk blind spots has emerged. Digital MDRs are focused on protecting businesses from cyber threats by comprehensively and continuously monitoring risk across digital channels: social, mobile and web. To learn more about digital MDRs request a demo with one of our experts.