Fostering a Cybersecurity Culture to Avoid Retail Apocalypse

Retailers had been closing or announcing bankruptcy in droves for years, and then the pandemic hit, and for many the situation got worse. As consumers went online en masse to do the bulk of their shopping, brick-and-mortar retailers had to scramble to avoid losing sales. Even digital retailers found themselves faced with challenges disguised as opportunities in the form of spiking demand for certain types of products.

In 2019, Business Insider reported that 9,300 stores were predicted to shut down and 1.3 million retail employees lost their jobs in the second decade of the twenty-first century. Last year, many retailers were obligated to shut down unless deemed to be “essential.”

Thankfully, reports indicate that things are picking up. Consumers have shown pent-up demand, according to the National Retail Federation, after being locked down for many months with stimulus funds burning holes in their pockets.

Retailers are noticing. But so are cybercriminals.

Retail a Top Target for Cybercriminals

Retailers have long been a favored target for cybercriminals. Whether brick-and-mortar, or partially or fully online, retailers hold a lot of sensitive consumer information that cybercriminals are itching to get their hands on—and have a lot of technology and data at risk of being hacked. Those risks can be significant.

Here’s a statistic that is likely to both surprise and frighten you: 80 to 90% of all logins to retail digital commerce sites come from hackers with the sole purpose of accessing and using stolen data. Yes – you read that correctly.

Those access points are also increasing, not only online, but in-store as well. Retailers are increasingly making use of a wide range of technology devices including smartphone apps, facial-recognition cameras, in-store self-service kiosks and Internet of Things devices like smart beacons that capture data of various kinds.

Consumers are largely unaware of just exactly how much information retailers are gathering about them and the risks they may face. 

Retailers are eager to find the right balance between fulfilling customer needs and increasing security. And, in the process, they must adhere to a wide range of security rules and regulations that are continually growing and changing.

Retail Best Practices: Communication and a Strong Security Culture

Perhaps because they appreciate the inherent risk in holding consumer data that should be viewed as a liability, retailers have done a fairly good job of communicating with employees across a wide range of roles about the security risks they face. Communication is, in fact, one of the strongest elements of most retailers’ cultures.

The retail industry has found ways to distribute relevant security-related content to their diverse audiences in ways that are meaningful and useful. It’s not a one-size-fits-all approach but a strategic undertaking that looks at each job function to determine what would be most helpful and actionable based on individual roles.

Retail Security Opportunities for Improvement

While retailers are, by and large, doing a good job of training employees based on their job roles, what isn’t as well addressed are the unwritten rules related to security. Businesses not only need to ensure that employees understand these unwritten rules but also that they’re able to apply common sense as they encounter unanticipated experiences that may put data and infrastructure at risk.

Emphasizing training in both dimensions is an important best practice, particularly in this increasingly digital and remote environment. But even more important than training is establishing a solid security culture.

Security culture is a critical, need-to-have asset in every retailer’s toolbox. By assessing employees’ security awareness and behaviors, organizations can adapt their policies and training programs to the constantly changing landscape of threats.

The Critical Role of a Strong Security Culture

Security culture is impacted by a range of organizational and individual factors that include:

• Employees’ attitudes about security protocol and issues
• Employees’ actual behaviors and actions
• Employee understanding and knowledge related to security issues
• The quality of organizational communication channels and messaging
• Employee awareness of the unwritten rules of conduct that impact security
• How employees view their role as a critical factor in protecting security

Through a strong security culture, security awareness becomes not an event but a process. While the majority of security leaders in retail settings understand this, many are challenged to institute, impact, and sustain a strong culture of security. In truth, it’s not something that they can do on their own—or even a mandate that belongs solely to them.

Building and sustaining a strong security culture is the responsibility of everybody in the organization. IT leaders are important catalysts, but they need senior leadership support and access to the resources—people and awareness training—needed to get the job done.

How is your organization doing with that?

Perry Carpenter is Chief Evangelist and Security Officer for KnowBe4. Photo above by Kevin Jarrett.