Deloitte: Retailers have false sense of cyber-security

A majority of companies, including retailers, are confident about cyber-security, but their confidence may not be justified.



That’s according to “Cyber Risk in Consumer Business,” a report from Deloitte. The report is based on input from more than 400 CIOs, CISOs, CTOs and other senior executives.



According to the study, more than three-quarters (76%) of consumer business executives are highly confident in their ability to respond to a cyber incident. Yet, many face issues that critically impair their ability to do so.



For example, a majority of executives surveyed (82%) indicated their organization has not documented and tested cyber response plans involving business stakeholders within the past year. Less than half (46%) said their organization performs war games and threat simulations on a quarterly or semiannual basis. One quarter (25%) reported a lack of cyber-funding, while roughly one in five (21%) lack clarity on cyber mandates, roles and responsibilities.



“In the study, we found that just 30% to 40% of companies currently investing in platforms, such as consumer analytics, cloud integration, connected products and mobile payments have mature programs in place to address related risks,” said Barb Renner, vice chairman, Deloitte LLP and U.S. consumer products leader.



“Many of these technologies involve a broad set of data types that could expose consumers to much more than stolen credit cards and identity theft,” she added. “Beyond customer data, the risks can range from protecting food safety in manufacturing and supply chains to intellectual property of new products and formulas. Allowing cyber response planning to lag can undercut the upside of investments in advanced digital technologies. It can become a one step forward, two steps back proposition to pursue advanced technologies without equal attention to cyber threats.”



Companies may also underestimate the importance of consumer trust. When thinking about potential cyber incidents, consumer product companies surveyed seem to be primarily concerned with production disruptions (48%) and loss of intellectual property (42%), while 16% are concerned with tarnishing brand perceptions related to trust.



Many U.S. consumers already express heightened security concerns, with a startling number going so far as to delete mobile applications and avoid websites, which can threaten a critical engagement touchpoint for consumer businesses. In 2016, roughly 80% of U.S. consumers felt they have lost control over how their personal information was being used by companies.



“News of breaches cannot only threaten sales of a particular product or brand, but can tarnish broader perceptions consumers have toward connected products in general — jeopardizing billions in future sales growth,” added Renner.



Another potential risk and reward scenario accompanies the interactions between customers and consumer businesses: connected products. These devices may increase the points of entry, opening the door to cyber breaches that can arise anywhere across the entire connected ecosystem, including consumers and third-party vendors.



Among executives surveyed, 32% are not confident their cyber risk management program is effective in maintaining their strategy to develop and market connected products. Their concerns don’t stop there. Changing regulatory requirements are the top concern of 74% of those who deploy connected products, followed by intellectual property theft (71%) and theft of consumer information (66%).



“With less than one-third of companies believing their cyber risk management is effective when it comes to developing connected products, we believe the principle of ‘security by design’ can be an effective strategy,” said Sean Peasley, Deloitte & Touche LLP and cyber risk services consumer and industrial products leader. “By embedding security considerations further upstream in the development process, connected products can be more resilient to cyber threats enabling them to not only make it to market, but stay on the market, potentially avoiding costly and time-consuming recalls and regulatory delays.”



And the top data concern of late: intellectual property. Second only to financial theft, this rising concern is generally mirrored across consumers businesses. To date, IP theft has largely remained in the shadows of more familiar cyber-crimes, such as theft of credit cards and other personally identifiable information, the study said.