Last year, more than 40 million retail records were lost or stolen. And the recent Beyond the Phish Report revealed users in the retail industry incorrectly answered nearly 40% of questions about properly securing and disposing of sensitive data. Retailers have placed an increased focus on securing customer records and reducing breach incidents following major industry breaches in 2014. However, retailers are in a unique situation from other industries when it comes to security breaches. Yes, it is damaging to the brand; however, history shows us that after the media coverage subsides consumers will continue to shop at these locations after a breach. Where the true cost comes in both the tactical costs of responding to an incident (e.g. PCI-DSS) and the interruption of sales and the overall distraction for the customers and the employees. The retail industry often operates on thin margins, so what can organizations do now, and in the future, to create that cybersecurity-aware environment for employees – which ultimately helps increase the level of protection around customer records?
As we kick off the holiday shopping season soon with Black Friday and Cyber Monday, retailers should give all staff who are exposed to sensitive data – including seasonal employees– a refresher on security awareness. This refresher should be a pep talk reinforcing how increased sales and revenue creates an ideal target for cyber criminals. For example, with the rush and confusion of the holidays, it’s much easier for a bad guy to put a skimmer on a POS device or to swipe hardcopies of sensitive data. Take the time to educate employees on cybersecurity during the training process. This training doesn’t have to be incredibly time intensive – in fact, it is not recommended to put a long boring video in front of an end user. Engage them in a session that is story-based, quick, and enlightening that will stick with them even during that holiday rush.
However, the best approach to security awareness and training for retail enterprises is similar to any other industry. This includes a methodology that emphasizes regular assessments, education, reinforcement, and measurement to provide organizations the best opportunity to create measurable improvements, regardless of market. At Wombat Security, the retail program for security awareness and training we put together highlights some key differences in strategy and planning that are designed to help these retailers identify and target critical areas first.
With this new program, we are really encouraging retail enterprises to focus on the areas that are not only the biggest knowledge gaps, but also have the greatest potential to do harm to their businesses. Protecting customer and payment card information is, quite frankly, the “security bread and butter” of retailers. We have seen organizations that have failed to do that suffer on both the legal and consumer confidence fronts. That is why we emphasize data protection and PCI-DSS principles – along with other key cybersecurity topics – in this program. At Wombat, we’ve worked to truly enable organizations to be strategic in their program design through our security awareness and training platform.
So how can retailers know if their security awareness and education program is actually effective? Naturally, one of the ways we see our customers and others in the industry measuring program effectiveness is by conducting regular phishing simulations and knowledge assessments. Phishing simulations are a particularly good gauge to end user vulnerability to attack. However, I’d caution that this is far from the only – or even the best – indicator of success. Retailers should look to track security metrics that directly impact costs, including malware infection rates pre- and post- training, and successful phishing attacks from the wild. These incidents require remediation efforts and lead to employee downtime, so improvements in those areas are clear indicators of ROI. There are also “softer” indicators that speak to a return on education efforts. Increased reporting of suspicious messages is one of those factors. If you have end users who are being proactive about reporting potential phishing messages, you know you are widening your cybersecurity defenses, which helps your response teams identify and remediate threats more quickly.