Retail cyber security a CEO priority
Chief Information Security Officers (CISO) have become more common on companies’ senior leadership teams. They might be in even higher demand after the highly publicized data breaches at Target, Home Depot, Neiman Marcus and other companies in the past couple of years (see a timeline of data breaches in the past decade here). In fact, Neiman Marcus just hired its first CISO, Sarah Hendrickson.
Given the pressing cyber security issue for retailers, our team at Wharton’s Baker Retailing Center recently invited Christopher Yoo, the John H. Chestnut Professor of Law, Communication, and Computer and Information Science at the University of Pennsylvania’s Law School and Director of Penn’s Center for Technology, Innovation & Competition, to speak to our advisory board, which is composed of leading retail CEOs and C-suite executives.
Professor Yoo said that retailers are essentially tech companies, and the security of their IT and data systems needs to be front and center for retail CEOs. It’s not just a tech, legal or marketing issue any more. He pointed out that the Internet was created to be open and that security add-ons can help only so much. Retailers have become a new prime target for increasingly fast and aggressive cyber attackers as financial services companies, another rich source of customer data, have ramped up their investments in security.
Recently attacked retailers should be among the most breach-protected companies after dealing with the hacks. However, they have to be prepared for financial repercussions, including class action lawsuits by affected consumers and shareholders, which create large impending liabilities. The legal standards are murky, and terms such as “adequate IT systems” leave room for interpretation in lawsuits. Also, cyber insurance companies will try to minimize the claims they have to pay to their corporate clients, and credit card companies will increasingly transfer responsibility to retailers.
So what are solutions for the data security issue? The government has hired “grey hats,” skilled hackers that counteract attacks. What complicates the situation is that many attacks are from overseas, outside the USA’s jurisdiction.
While it’s not feasible to build hack-proof systems, as Professor Yoo pointed out, he made several suggestions for proactively managing the problem.
IT-savvy management. Retail CEOs need to know what customer data their company collects and thus what the company’s exposure is. The better CEOs are familiar with the risks and potential implications, the easier it will be to focus attention and resources on the issue, in companies and across the industry. CEOs should share a plan with their board as to how to preempt data security issues.
Foster industry collaboration. Custom software built in-house is a sub-optimal solution, since limited internal expertise for handling complex and fast-evolving tech issues usually leaves it too vulnerable. Therefore, joining forces to create standardized solutions for the retail industry and to represent retailers in policy discussions might be the best way forward.
Invest in data security. Data security is really an investment in protecting customers’ trust by preventing data breaches. Old POS systems are one of the most vulnerable links in retailers’ IT operations and are known access points for malware. In fact, a third of all retail data attacks happen in stores (see this Verizon Data Breach Investigations Report for more detail). Upgrading to the latest POS technology should be a priority and should be reflected in the budget. Today only 4% of retailers’ IT spending goes to security (health care: 5.6%, financial services: 5.5%), and IT budgets on a per-employee basis are a fraction of those in other industries.
Review and update IT architecture and policies. Interfacing with vendors’ systems, for example, can increase the vulnerability of an IT system. The same holds for employees’ personal devices such as cell phones or laptops that connect to a company’s IT infrastructure. In China, some people carry a work phone and a separate personal phone to manage IT security risks.
Partner with external experts. Leverage the expertise of external parties that focus on cyber security services. Better yet, engage multiple partners to have access to a variety of experts and solutions. Before hiring outside partners, conduct an internal audit to determine what can be outsourced. Professor Yoo also posed some questions that retail CEOs should consider:
- What data does your company hold, for what reasons, and for how long?
- What software do you create in-house?
- Who in your company owns cyber security? Is there sufficient staffing, training and empowerment?
Besides the increased need for executives with multi-disciplinary qualifications—the University of Pennsylvania has a new joint law and engineering degree, as Professor Yoo pointed out—and greater cross-functional collaboration, here are marketing and customer relationship aspects to think about.
Restoring customer trust after a data breach
A data breach can be a PR nightmare. It can harm customer trust, loyalty and brand value. Consumer surveys by Experian and CreditCards.com report that roughly every other shopper is likely to avoid, or is considering avoiding, retailers that experienced data breaches. Although the actual share of post-breach boycotters may be lower, especially over the longer term, given customers’ retailer preferences and the fact that cyber attacks are a widespread issue, it’s very important to handle a data breach appropriately to control the damage. This includes fixing the source of the breach, prompt communication with affected customers and, depending on the case, replacing breached credit/debit cards and providing free ID protection and credit monitoring.
Smart ‘big data’
To lower the potential damage from a breach, a key question is how much customer data companies really need to collect for their analytics and marketing objectives. Which of the collected data is currently used? While there is enough data storage space (even vacant mall space is now being used for data servers), keeping less data reduces costs and companies’ financial and customer risk.
Transparency and giving customers data control
Could it be a win-win to offer customers the option to edit data stored and collected about them (similar to Acxiom’s AboutTheData)? According to a PwC study, 80% of consumers are comfortable sharing personal data if companies are transparent about its use, and they value the benefits of data sharing such as receiving personalized services. However, 91% of women and 84% of men want to be able to manage the information shared.