Data enables growth – smart use of customer data can increase a retail operation’s bottom line by as much as 10%. But a data breach can wipe out value in an instant.
It’s not just ransom demands and downtime that retailers need to worry about. According to a recent study, 87% of consumers are already “very concerned” about how retailers use their personal information. The fines for non-compliance with consumer protection standards like PCI DSS and GDPR can be prohibitive, too – up to $100,000 a month in the case of PCI DSS.
Fortunately, there is a proven route retailers can take to better data security. In this post, we discuss what it is, plus go into more detail about the sources of data risks retailers can’t ignore.
Don’t Discount These 3 Sources of Data Risk
When it comes to security, it's better to answer difficult questions about data before something bad happens. Questions like: Are you classifying what’s being collected? Do you know where the data is stored? Do you know who has access to it?
Here’s why retailers need to be able to answer “yes” to all of the above.
Unclassified data means you do not know your risks
Different data needs different protection measures. Some data, like a Social Security number, reveals a person's identity and is considered higher risk. Other data, like a first name by itself, probably won’t reveal much about an individual and therefore creates little real risk.
To keep high-risk data secure, you need to limit who can access it and apply obfuscation techniques, like encryption, where necessary. You might also want to turn on logging for data stores that contain this kind of data, so that you can see when someone changes the data within. With lower-risk data, you probably don’t need to apply such stringent methods.
Sorting high-risk data from data that is lower risk is getting more critical and challenging. This is because of the growth in e-commerce, which has led to transactions occurring not just in physical stores but also on the web and mobile. With more ways for retailers to collect larger volumes of data (Walmart processes 2.5 petabytes of data every hour), this data is more varied than ever. A retailer might collect customer data from channels ranging from email campaigns and live chats to social media interactions and in-store rewards programs.
The result is a classification crisis. Only 23% of retailers say they can classify all of their data. This dramatically raises the likelihood that personally identifiable information (PII) will end up exposed and unprotected somewhere online.
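As an added illustration of the classification-first approach described above (example code, not from the original post or from Cyera), the following Python sketch sorts each field of a customer record into a risk tier, masks the high-risk fields, and writes an audit entry for every masking action. The field names, sample values and tiering rules are constructed assumptions.

```python
import re

# Constructed sample records with fake values; field names are assumptions.
SAMPLE_RECORDS = [
    {"first_name": "Ana", "email": "ana@example.com",
     "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"first_name": "Bo", "email": "bo@example.com",
     "ssn": "", "card": "1234 5678 9012 3456"},  # fails Luhn: not a card number
]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum so arbitrary digit strings are not treated as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_value(value: str) -> str:
    """Assign a risk tier to one field value: high, medium or low."""
    if not value:
        return "low"
    if SSN_RE.match(value):
        return "high"                                  # identity-revealing PII
    digits = value.replace(" ", "").replace("-", "")
    if 13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits):
        return "high"                                  # payment card: PCI DSS scope
    if EMAIL_RE.match(value):
        return "medium"                                # PII, lower risk on its own
    return "low"                                       # e.g. a bare first name

def mask(value: str) -> str:
    """Keep only the last four digits (a common PCI DSS display convention)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]

def protect_record(record: dict, audit_log: list) -> dict:
    """Mask high-risk fields and log each action; lower tiers pass through."""
    protected = {}
    for name, value in record.items():
        tier = classify_value(value)
        protected[name] = mask(value) if tier == "high" else value
        if tier == "high":
            audit_log.append(f"masked field={name} tier={tier}")
    return protected
```

Running `protect_record` over each entry in `SAMPLE_RECORDS` shows the point of the section: the same pipeline leaves a first name and e-mail untouched while the SSN and card number are masked and logged.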
If retailers don’t know where data lives, they can’t protect it
With customer PII generated and stored across the data ecosystem, retailers may not always have consistent protections applied to all their data stores. For example, an unprotected server with customer PII could be compromised and infected with ransomware.
This situation is increasingly common. Retailers are spinning up more poorly secured cloud instances than ever, and visibility into where data is stored is declining as a result. Last year, less than half (46%) of retailers said they had complete knowledge or were very confident they knew where their data was stored.
Besides cybercriminals, regulators are also paying attention to these kinds of retail data risks. An H&M subsidiary faced one of the largest GDPR penalties for allowing data exposure.
Although being compliant with standards like the PCI DSS influences whether or not a company can defend itself in the event of a cyber attack, an investigation by Verizon into payment card breaches found that no affected company was fully compliant with PCI DSS. There are many reasons why this may happen; one of them is that compliance is treated as a one-off event rather than a continuous monitoring effort.
Permissive uncontrolled access to data increases insider risks
Human error drives the majority of cyber attacks, and retail has a particularly high likelihood of human-factor cyber attacks.
Retail work can be high-stress, (relatively) low-paid, and high-turnover. The result is that insider threats, whether intentional, negligent, or catalyzed through social engineering, are a real risk to retailers.
In the cloud, this problem is especially acute. One study showed that up to 99% of cloud identities are too permissive. This not only gives insider threat actors entry points into sensitive data stores but also creates paths for lateral movement that external threat actors can take.
With cloud environments making the perimeter harder to define, the solution is to shut the doors inside the house. Retailers need to move towards zero trust, where only those who need access to customer data get it. This requires a continuous approach to access management.
Continuous Compliance and Security for Retailers
Sensitive information such as credentials, PII, and payment card data is highly targeted by threat actors and is often exposed in unsecured public and hybrid cloud environments. Stale and ghost data, including former customer data and expired credit card information, add to this risk.
Even when you put in place processes and rules to monitor and secure this data and meet compliance standards, risks will still evolve as your data throughput scales. The only sustainable response to these challenges is a system that improves your understanding of data.
Cyera delivers context to data that helps retailers understand and minimize their data attack surface. With Cyera, security teams can continuously scan their organization's data to find, classify, and contextualize sensitive information (such as misplaced PCI data).
Learn how Cyera can help you gain visibility and minimize risks associated with your customer data by scheduling a demo today.