Retail risk management is about much more than security cameras, mall cops, and theft insurance policies. COVID-19 lockdowns forced the retail industry to focus on its e-commerce operations, with sometimes drastic and quick changes to move as many transactions online as possible.
Such changes have considerable implications for good risk management. And some businesses that ignored those implications later paid a high price when attackers stole customers’ credit card information or wreaked havoc with store inventory.
In some ways, COVID-19 created the perfect circumstances for hackers and scammers. Online transactions mushroomed, generating a juicy target for hackers looking to purloin confidential data. Meanwhile, the rush to lockdown physical stores and expand online operations created all sorts of ways for businesses to overlook important safeguards they should have taken. And the attackers knew that.
According to Total Retail, these three types of cyberattacks against the retail industry are the most common:
- DDoS (distributed denial of service). More than 20 percent of all attacks against online retailers are DDoS attacks that flood the computer server with requests for service and make it crash. Sometimes the cyberattacker will ask for a ransom to stop the attack. Paying, however, means you’re more likely to get attacked again in the future.
- Payment card fraud. Another 20 percent of all attacks involve the use of fraudulent gift cards and credit cards. These attacks are popular with cybercriminals because they guarantee immediate gratification.
- Inventory hoarding. This is considered a more sophisticated attack, and counts for roughly 15 percent of cyber attacks. A bot attacks the site and lists items as not available, even though they are in stock. This is also known as “inventory denia”l and can go on for quite some time before being detected.
Given that escalated threat landscape, now is a great time to develop an enterprise risk management (ERM) program to protect your customers’ data, that of your vendors and third-party contractors, as well as your own proprietary information and intellectual property.
Let’s take a look at how you can best do so.
- Identify and Assess Your Cybersecurity Risks
You can’t fix something if you don’t know where it’s broken, so the first step is always to assess and analyze: take a detailed look at your cybersecurity risks.
Here’s a checklist to get you thinking:
- Are your security system, internal cameras, or even the store thermostat connected to an application and accessible from anywhere? Cloud-first solutions are common, and can be hacked to allow access to your physical store or inventory warehouse.
- Who handles your point-of-sale data? Any vendor and subcontractor you interact with on a daily basis creates a third-party risk.
- Internet of Things (IOT) devices such as phones and computers increase your risk of a cyber attack.
- Hardware components connected via Bluetooth are prone to hacking because the connection lacks encryption.
- Networks that provide free access to wifi for customers are notorious for poor security monitoring. They create a new risk not just to the customer, but also to you, every time someone signs in.
- Remote work arrangements can be a huge risk when not managed correctly. Are you supplying a secure VPN connection to your mainframe system for your employees at home? Who else has access to that laptop you sent home with your employee, and do you know whether anyone else uses it?
- Do you monitor social media and check for imposter accounts that mirror your e-commerce site?
- Do you have and enforce a clean desk policy for employees both on campus and at home?
If this seems overwhelming, it may help to chart a typical order’s journey through your system from the time it’s placed until it lands on the customer’s front steps.
- Analyze and Immediately Remediate the Highest Risk Points
After identifying your cyber risks, analyze them. Physical stores are used to worrying mostly about shoplifting and employee theft, but need to apply a different risk assessment methodology when considering e-commerce risks.
Here are some examples of areas to scrutinize:
- Make sure IT systems are up-to-date with the latest versions of software you use. If they aren’t, update everything. Most software updates protect against new cyber threats.
- Take care that any credit card data and customer files are stored, accessed and processed in the safest manner possible. This includes using encryption and granting access only on an as needed basis.
- Make sure you are protected against malware and viruses and that automation is used where possible, as it cuts back on human error.
- Make sure your employees have the tools they need to keep your systems safe.
- Monitor and Respond
Retail risk management is an ongoing effort. Once you’ve secured the fort, so to speak, ongoing monitoring and response is next.
Communicate your risk management process to all employees, and make sure everyone knows how to report a potential cyberthreat. Establish a chain of command relating to how you will respond to a data breach, security threat or cyberattack.
Software solutions based on automation and artificial intelligence (AI) can help keep you ahead of the cybercriminals who are changing their offense as frequently as you change your defense.
If the attacker gets in and causes damage, how will you repair your systems, recover your data and increase its protection, and remediate your brand? Make sure you can answer that question before a cyberattacker gets in.
- Establish a Vendor and Third-Party Risk Management Program
The retail industry often ranks last among industries for application cybersecurity. Thale’s 2018 retail cybersecurity report provided these disturbing statistics:
- 50 percent of retailers said they had experienced a data breach.
- 84 percent of respondents planned to increase their spending on IT security.
- 85 percent of retail IT security professionals worked for companies storing sensitive data in the cloud.
The retail industry has no standardized framework for addressing security and the Internet of Things (IOT). And the cloud poses its own risks which should always be taken into consideration.
COVID forced many retailers to move online as quickly as possible, and for some this meant creating a whole new division within their business — often from scratch, and under great pressure to produce results quickly.
If you are one of the companies that went online in a hurry, now is a good time to assess how you manage risk associated with third-party vendors and partners. Here are some security points to consider:
- Query your vendors and contractors about their cybersecurity approach, and inform them of your standards and expectations.
- Make sure you know which vendors have access to any data your company is sharing.
- Ask about your vendors’ remote working policies, and how they protect their infrastructure from hackers and other cyber threats.
- Prepare for a potential data breach. Make sure you know how to respond to your customers and clients, as well as how to inform your employees.
- Have a flexible plan for how to limit the damage if a hacker gets into your system.
- Establish a clear chain of command internally and externally: how employees should report security and risk issues inside the company, and who will interact with your third-party vendors in case your own systems are compromised.
- Remember that risk management is an ongoing endeavor. Make it part of your best practices every time you engage a new vendor.
To modernize your IT infrastructure — essential for customer engagement — your retail enterprise must move beyond traditional compliance. Instead, you must embrace “security first” cybersecurity strategies.
ZenGRC: Worry-free retail-risk mitigation
ZenGRC eases the burden of retail risk mitigation, and collects the documents you need at audit time automatically. Our user-friendly solution as a service (SaaS) helps with the following tasks (and more):
- Streamlining workflows, including by integrating with ServiceNow and other popular workflow solutions
- Viewing compliance gaps on user-friendly dashboards, and knowing how to fix them
- Mapping controls to multiple frameworks, avoiding duplication of effort
- Mapping controls to frameworks, standards, and regulations
- Generating and sending vendor questionnaires, and collating the results
- Conducting unlimited in-a-few-clicks self-audits
- Storing audit-trail documents in our “single source of truth” repository
- Sharing risk management and compliance status with managers and the board
ZenGRC lets you manage and monitor your retail establishment’s security and compliance worry-free. Our automated solution does much of the work so you don’t have to. Instead, you can focus on your customers and your bottom line. To find out more, contact us for your free consultation today.
Discover the full power of ZenGRC!
A Guide to Completing an Internal Audit for Compliance Management
Which CMMC Levels Do I Need for My Business?
Top Considerations for Compliance Management Software
SOC 2 Readiness Assessments: Definition + Getting Started
Discover a more powerful yet simple solution
to risk and compliance.