As holiday shopping season kicks in, cybersecurity group spotlights policy needs for securing retail sector

February 16, 2021

Cyber vulnerabilities in the retail sector, always a hot topic during the holidays, require an examination of underlying economics and incentives that could drive improvements in retailers’ cybersecurity, according to an Internet Security Alliance assessment that tracks with the group’s prescription for shoring up cyber across critical infrastructure.

“The retail sector is one of the cornerstone industries of the U.S. economy, but growing advancements and dependence on internet and technology has brought major cybersecurity challenges firms must overcome,” ISA president and CEO Larry Clinton said in a Wednesday blog post.

“The cybersecurity issues are so pervasive that some research has suggested that as many as a stunning 80-90% of all the people who log into a retailer’s e-commerce website are hackers using stolen credentials. Cybercriminals are mounting attacks against retailers and reaping the rewards,” Clinton wrote.

The blog post is part of a running campaign by the ISA intended to spur a dialogue on re-evaluating the challenges and policy needs in cyberspace. Among the recent postings, ISA addressed small-business cybersecurity and the Pentagon’s cyber certification program.

Clinton wrote last week: “Retailers have been so enthused about how digital transformation can enhance their business model that many of them have not focused on the negative repercussions that come from it, poor security. Retailers, operating in an intensely competitive market with low profit margins, are driven to provide the customer with a positive experience at the expense of application for security.”

Market forces “driving an underinvestment in security are reinforced by typical consumer behavior,” according to Clinton, who explained, “The customer turnover rate is the rate that a customer is willing to take their business elsewhere due to a data breach. The turnover rate in retail is only 2.4 percent. That is roughly one-third the turnover rate in the healthcare sector, 7 percent, and less than half the turnover rate in financial services, at 5.9 percent.”

According to Clinton, “This means that customers in the retail sector are less likely to stop shopping at retail firms when they are made aware of a security breach, further incentivizing retailers to provide lower costs for customers and better customer experience instead of improved cybersecurity.”

Clinton concluded: “As long as retailers are continuing to see economic gains by applying new technological tools, and not losing customers even when they’re breached, they will likely continue to be underprepared for the highly probable cyber-attack. It is important that we establish the incentives for greater security when the economics do not allow it and increase costs on cybercriminals to make attacks against retailers less palatable.”

The ISA social media campaign will include regular social media postings identifying problems, what adversaries are doing in cyberspace, systemic risks and why current efforts are failing, culminating in a set of recommendations on what should be done.

Clinton has long advocated for a systemic examination of the threats in cyberspace, weaknesses across critical infrastructure and the urgent need to assess cybersecurity policy through an economic lens, with an eye on incentives to bridge gaps between security investment and desired end points.

Inside Cybersecurity, November 30, 2020