Is retail cybersecurity adequate this holiday shopping season?


Originally published in American City Business Journals

By Thad Dupper

For online retailers, the holiday shopping season is off to its best start in ecommerce history.

Combined sales from Thanksgiving Day and Black Friday were said to be $7.9 billion, up nearly 18 percent from last year, according to Adobe Analytics. Cyber Monday sales reached a record $6.5 billion, up nearly 17 percent from a year ago.

Meanwhile, cyberattacks — whether from criminals or other actors — have doubled over the last year, with ransomware attacks increasing 250 percent in 2017 alone.

With IoT devices expected to be a hot gift item this season, hackers will have access to more potential points of incursion than ever. And as we have seen just recently, even using Uber can expose consumers’ identity and financial information.

While the growth of both online sales and cyberattacks isn’t surprising, what continues to be a concern is whether spending on cyber defenses is keeping up with the threat.

According to a survey from KPMG unveiled last year, 55 percent of senior retail security executives said they haven’t invested enough capital funds in cybersecurity protection in the last year, and 42 percent didn’t even have a designated leader in charge of information security. I imagine there has been some improvement in those numbers, but not nearly enough or fast enough.

Retail isn’t alone in this, of course. In fact, the industry ranks seventh behind financial services, utilities and energy, defense, technology and software, health care, and manufacturing in terms of potential cyberattack losses.

With threats doubling every year, so should investments in cyber protections

You’ve probably heard of Moore’s Law, the observational principle that essentially states that computing power doubles every two years. This means that technology has improved at a breakneck pace while also making gadgets cheaper and easier to acquire for consumers.

Today, we can identify a new observational law built on a similar principle: As the number of cyberattacks doubles every year, so should the amount of investment in cybersecurity measures.

As Marc Sorel of McKinsey’s Cyber Solutions has said: “I think actually we’ve seen an acceleration of that gap growth between the attackers and the defenders. You can look at it any number of ways, but probably the best way is in terms of time to exfiltrate against time to quarantine. Time to exfiltrate is how fast it takes me to get in and get what I’m after if I’m an attacker. Time to quarantine is how long it takes me to stop you once I know you’re there. If you very simply look at those as two line graphs…the gap between them is getting broader in favor of the attackers.”

Hackers and other malicious groups seek to create mayhem. This may come in the form of information theft, but it also can include DDoS (Distributed Denial of Service) attacks, which aim to disrupt web services and create downtime, and Pseudo Random Subdomain (PRSD) attacks, which can degrade performance until many popular websites are practically unreachable.

On Black Friday, Macy’s was unable to process credit cards and gift cards in stores and on its website, leading to deep customer frustration. The company attributed the problem to a “capacity issue” and said it was resolved the same day. Analysts are already predicting the glitch could cost the retailer with customers.

Those who lag on making cybersecurity investment risk lasting damage

Losing out on sales during the holiday shopping season would no doubt be a blow for any retailer, but what is much more concerning is the lingering damage cyberattacks can inflict. It’s not just about the bottom line anymore; it’s about consumers trusting the brand.

Retailers are missing huge opportunities because they haven’t done enough to create consumer trust in their cybersecurity preparedness. KPMG found in its survey that 33 percent of shoppers would avoid breached retailers for at least three months. Another 19 percent say they would abandon a retailer entirely that had been the victim of a major cyberattack, even if the company had taken steps to fix the problem.

But we shouldn’t think it is all pessimism for online retailers. There are many who will pass the test with flying colors, and the United States overall has done a good job investing in cybersecurity measures, ranking third behind Germany and Japan, according to research by Accenture. Leading companies are focusing their cybersecurity spending on solutions that prevent malware, web-based and denial-of-service attacks, followed by measures to prevent phishing and ransomware attacks. And cybersecurity doesn’t just confine itself to protecting from external attacks. Increasingly, companies are enhancing their internal security processes to defend against malicious insider attacks as well.

Making customers feel safe requires continual investment

The truth is, online shopping will continue to grow, even in the face of more daring cyberattacks and data breaches. Consumers like the online experience, but clearly they will spend more with someone they trust.

Where retailers and organizations alike can benefit is by ensuring they do not have any single points of failure. To that end, many companies are looking to install redundant cyber solutions from a variety of vendors to achieve diversity in their cyber protection.

The critical lesson, not only for retailers but for every enterprise, is that they must be prepared to invest more in cybersecurity. They must also have the right leadership and they must add the necessary layers of technology across multiple sites to minimize vulnerabilities.

Cybersecurity is a journey, not a destination, and will demand constant vigilance.

Will you pass the test?

Thad Dupper is CEO of Secure64 Software Corp. Prior to that he was CEO of Evolving Systems Inc. He has more than 23 years of experience in the telecommunications technology industry with a track record of delivering innovative solutions to leading telecommunications companies.