“The customer is always right.”
A good retail employee responds to customer concerns in a Pavlovian manner by trying to fix the problem. Maintaining quality customer service, however, can leave retailers open to data breaches. No matter your organization’s size, your company has to process, store, and transmit large quantities of highly valuable customer information. Hackers not only prey upon retail websites, but they use a variety of social engineering tactics to use your employees’ most valuable assets - their desire to provide exceptional service - to find ways to hack into your business.
No matter what retail sector you inhabit, you’re incorporating more mobile devices. Food and beverage retailers use point-of-service devices connected to smartphones and tablets. Apparel and home goods stores monitor their backroom inventory using mobile applications. Research shows that retailers are looking to increase their use of cloud, big data, Internet of Things (IoT), and containers over the next few years. Using these resources improves customer service, but they come with inherent risks. Thales’ retail cybersecurity 2018 report found:
The good news is that, when compared to their retail cybersecurity 2017 report, in which 68% experienced a breach and 73% planned to increase IT security spending, the numbers are trending in the right direction. In short, retailers are adding cybersecurity protections and experiencing fewer data breaches. In other words, cybersecurity trends in retail prove you’re working to find the cybersecurity solutions that promote customer trust.
And yet, employees pose the biggest security risks in a retail environment.

Blaming employees for some of the information security risks in retail seems like an easy answer. Some information security professionals may profess in dire tones, “end-users are the biggest threat.” While that may be true, we also need to recognize that password hygiene only goes so far, especially in the retail environment. Three scenarios that put your data at risk also highlight the way your employees get hacked simply for doing their jobs well.
Your employee finds a USB drive on the floor of a dressing room. Wanting to help find the owner, they plug it into one of your computers, looking to see if they can find information that lines up with your customer database. Little do they realize, a hacker dropped that USB on purpose for just this reason. The flash drive has malware on it that auto-loads when inserted. The minute your employee tried to help, they unwittingly loaded that malware onto the computer. That computer can now infect your entire network.
A dissatisfied customer emails your company. Your employee, tasked with responding to questions and concerns, opens the email. The customer has included a downloadable file with a receipt as proof of purchase. Your employee opens the file to track the purchase. However, that “customer” is really a hacker who placed ransomware in the file, which, upon opening, infected the computer. That computer can now infect your entire network.
Your employee is restocking shelves and updating the inventory database via smartphone. A customer asks for help to reach a high shelf. Your employee immediately puts down the smartphone, turns their back, and grabs the item. Meanwhile, the “customer” grabs the smartphone and scans for information. The private information stored on that smartphone is now breached.
The scenarios above sound ridiculous. Who really tries to drop a USB and hope for the best? Who would pretend to be vertically challenged? Hackers do. All the time. Social engineering focuses on finding what people want to do and exploiting that desire.
Blaming employees for trying to do their job well feels counterintuitive as a business owner, yet in the security realm, we often blame the end-users for the data leaks. Thinking like a hacker to protect your business requires you to carefully balance good service and safe service.
As a first step, you have to let your employees know that it’s ok to be skeptical. They need to know that you support them when their spidey-senses tingle. Whether they fear being fired or just disappointing you, they may not stop to ask questions if they feel uncomfortable about a customer service situation. In a world of Yelp and Google, five-star reviews may seem like the alpha and omega of business survival. In reality, speedy service and helpful front-line staff can compromise data security. Teach your employees to treat all suspicious customer interactions the same way. Just as they would question a return item that looks worn, they need to question devices left on the floor or customers asking to look at a screen for information.
Your employees understand the monetary value of devices incorporated into your business processes, but they may not always realize that the information on them is equally important. Whether it’s a mobile inventory database or a payment screen, you need to stress the importance of keeping prying eyes off your data. Traditional approaches to cyber threats to the retail industry focus on external digital infiltration. However, physical devices increasingly pose a threat as hackers seek to find new ways to steal information.
Engage in role-playing so your employees know how to politely respond before helping a customer while they discreetly turn off the device. Whether they use a Square-enabled iPad or a job-specific device, employees should learn appropriate ways to balance responding to customers while also ensuring secure device use and behavior.
All those mobile devices you’re using connect to cloud services. At the same time, hackers now use legitimate services to get into your data. As a retailer, you’re probably using Amazon Web Services (AWS) or another cloud storage service such as Dropbox or Google Drive to share information across the business. As a business, you want to reduce redundancy, but as an employer, you need to manage malware infections coming through legitimate cloud services.
Focus employee awareness on using only the devices you supply them, and make sure you incorporate encryption on those devices. If you can’t do that, make employees aware that a malware intrusion on a device makes their jobs more difficult. Security needs to be personalized to make it relevant. Don’t just threaten; enable.
Your employees understand how to treat shoplifters. They know the reporting chain of command. In 2018, the National Retail Security Survey noted that the average retail dollar loss from robberies continued a three-year decline. Retailers are doing an amazing job at loss prevention against shoplifters, but their loss prevention strategies need to incorporate cybercrime.
You need to empower your employees by incorporating data loss as part of the inventory shrinkage reviews that you routinely do with them. Data has monetary value, just like the items you sell. Empowering your employees to prevent data breaches means aligning your loss prevention team to your retail cybersecurity solutions.
Training employees effectively means getting them invested in the data security process. Cybersecurity in retail industry sectors means empowering employees with information. Even though training covers phishing emails and mobile device social engineering attempts, your employees may not recognize an attack attempt that looks like a legitimate customer.
Help desks and customer service representatives need to understand that not all complaints are legitimate. They need to be carefully taught to maintain the “trust but verify” mentality that leads to a data security program.
At Zeguro, we get it. We see you and understand how hard you’re working to secure your information. We also know the rising cost of retail security breaches stresses startups. Our You First approach to managed cybersecurity services focuses on letting you drive your own bus while we fill the gas tank. At Zeguro we focus on three rules of transparency:
Honesty: We’ll always tell you the truth about your data protections to help you defend against retail industry cyber attacks.
Clarity: We make it easy for you to empower your employees by offering training solutions that simplify complex cybersecurity concepts to make learning effective.
Simplicity: Our training modules include mobile device protection and removable media (USB drive) threats using an easy-to-navigate approach.
Security threats in the retail business continue to plague small and mid-sized organizations. Incorporating an overarching strategy to protect your data by empowering employees means you won’t end up as another data point in the next retail cybersecurity statistics report.