Payment card data has long been a target for cyber criminals, but over the last 12 months we have seen major compromises in the US retail sector with tens of millions of card details being stolen by sophisticated attacks on electronic point of sale terminals.
Cyber security often finds itself low on the priority list for a retailer operating on tight margins - indeed only 6% of the IT budgets for retailers are spent on security (according to the annual information security breach survey by the UK government) - but this needs to change as more retail moves online and criminals become more cyber-savvy.
The retail sector has an insatiable thirst for customer data for targeted marketing and tailored services, but we should ask ourselves whether the controls around “big data” and data warehouses are really up to scratch. While a cyber-criminal may not be able to turn this into cash immediately, this can provide a gold mine for identity theft and downstream fraud even if the eventual target is not the retailer who leaked the information in the first place. Furthermore, retailers are also diversifying their offering into the healthcare, insurance and banking space, which means they hold more of shoppers’ login, payment and other details than ever before.
While it is tempting to disown responsibility, there is growing pressure to disclose breaches of customer data (which will become law when the new EU data protection regulation is enacted). We also see the first signs of banks seeking to recover damages from retailers who have been less than careful with payment card data. But most of all, this can have a reputational impact which damages brand and the trust customers place in the retailer, as well as leading to some very inconvenient media appearances for senior executives.
With this in mind it is alarming that figures from last year indicate that the IT spend by retailers on security is so low - lower than any other sector in the UK. Many of our retailers are lagging behind their US counterparts in protecting customer data, perhaps because we have yet to see the scale of attacks our US cousins have experienced, but we need to guard against complacency. This isn’t a competitive issue and retailers need to recognize that cyber security breaches can hurt the entire sector. Consumers also need to be encouraged to play their part in enabling retailers to act appropriately to protect their data.
A large scale breach targeting a UK retailer would damage trust across the whole sector. Questions remain around whether retailers are taking a broad enough view on cyber security. How can retailers and customers work together effectively in order to prevent a major data breach?
- Del Heppenstall is from KPMG’s Information Protection and Business Resilience group
Five top tips for improving cyber security:
- Assess where your critical assets are, and what they are vulnerable to
- Control the insider threat through improved security awareness (employees and customers).
- Implement a programme of third party security assurance to manage cyber risk
- Segregation / secure configuration of infrastructure and applications holding sensitive data (customer, employee, financial, M&A etc.)
- Embed security into business change management processes, technology)