The holidays are a busy retail season – for both the consumer and the retailer. Technology impacts nearly every aspect of the retail experience – from online browsing and in-person geolocation advertising to mobile payments. And with these technologies comes risk – cyber risk, specifically – to both the consumer and the retailer. According to the Chubb Cyber Index℠, we’ve seen more than a 50% increase in incidents for retailers over the past five years, and the incident response cost for incidents in the retail industry over the last three years averaged close to $600,000, including nearly $500,000 in forensic fees.
And unlike other industries, retail touches every demographic and operates with known ebb and flow seasonality. Should a cyber incident occur during a high-traffic period, such as the holiday season, it could wreak havoc on a business’s bottom line or even put it out of business completely – not to mention the impact that an organization’s response has on its reputation with its customers and employees.
So what can a retailer do to help mitigate this risk?
- Tip 1: Manage your data. Knowing what data your organization collects and maintains, and how long it is being maintained, is critical to determining your risk profile. Creating a data map and a data-retention policy will help your organization manage this crucial information, and will help to protect it in the event of a data crisis.
- Tip 2: Understand the regulatory landscape. The regulatory landscape in the U.S. and abroad is growing as quickly as the cyber threats. Knowing and managing your regulatory requirements is critical to ensure compliance and avoid sanctions or fines. An organization’s regulatory burden can be complex and varies greatly depending on the type of business, the location of the business, and the location of its customers. It is important for every organization to understand its regulatory obligations before an incident occurs.
- Tip 3: Secure your network environment. Defending your system is no longer an option; it is an obligation. Implementing two-factor authentication for employees (and possibly customers), using chip-enabled card technology, and using end-to-end encryption are just some of the basic security measures to consider. The end of the year is a perfect time for a security check-up and to shore up your defenses for the coming year.
- Tip 4: Educate your employees – even your seasonal employees. A weak spot for all organizations is poor cyber hygiene, which usually stems from the organization’s employees. Using the same password for every account, blindly clicking links in emails, and failing to use a secure internet connection are just some of the many ways that poor cyber hygiene can lead to a cyber incident. Simple steps such as training and using a password management program can lower this risk for organizations.
- Tip 5: Choose your vendor partners carefully. If your vendors are exposed, you are exposed and ultimately liable for any loss. Look for vendor partners who demonstrate strong cyber vigilance and who invest in a comprehensive cyber insurance policy. Remember, outsourcing your operations does not outsource your liability.
Lauren Gorte is Vice President, North America Financial Lines.