While it’s nearly impossible for retail organizations to avoid incidents these days, implementing effective security protocols should be a top priority, as consumers become more security-savvy.
Threat actors target the retail sector because shops hold highly coveted information, like financial and purchasing history, that can be further abused in fraud scams. And unlike more regulated sectors such as energy or financial services, that information may not be as tightly protected, especially among small mom-and-pops with fewer resources.
Ransomware activity ramped up against United Kingdom retailers last year and threats to customer data only continue across stores worldwide. Athletic footwear and apparel giant Nike may be the latest victim.
But as attacks escalate and threat actors become more sophisticated, so does the consumer. Eighty-eight percent of consumers “think twice before shopping at retailers that have experienced a cyber attack,” according to a new SOTI report. Twenty-two percent would avoid a retailer altogether after a breach; the rest would take precautions such as avoiding the merchant’s website or social media channels or withholding personal information when shopping.
Researchers emphasized that “security breaches erode trust, causing many [consumers] to avoid affected retailers.” High-profile cyberattacks which regularly emerge “have heightened consumer concerns about data security.”
Companies commonly state in regulatory disclosure filings that they are bolstering security protocols after an attack. But people are left wondering: Why weren’t those implemented sooner?
Growing security vigilance requires a new approach. Employing effective strategies from the start, paired with increased transparency following an incident, may help reclaim some of that trust.
“A Company’s Responsibility”
SOTI data indicates that consumers are factoring their burgeoning cybersecurity awareness into their shopping decisions, says Shash Anand, SVP of product strategy at SOTI. Retail experiences are becoming more digital and mobile – whether that’s shopping online, using contactless checkouts, or self-service kiosks – and consumers are increasingly conscious about how their personal and payment data is handled.
“Thinking twice after a cyberattack reflects a growing expectation that retailers take security seriously as part of the overall customer experience,” Anand says.
Barracuda Networks observed a similar trend where cyber incidents increasingly influence consumer trust and purchasing behavior – particularly as attacks become faster, more disruptive, and more visible, explains Adam Khan, VP of global security operations.
Most consumers will not comprehend the technical intricacies of a cyberattack. However, they increasingly understand outcomes such as identity theft, account takeover, fraud, and privacy exposure, adds Khan. That could be due to increased privacy education or the fact that data breaches affecting an alarming number of individuals continue to emerge.
“Consumers now recognize that cybersecurity is part of a company’s responsibility, similar to product safety or payment security,” Khan says.
Responsibility may be an understatement. As shoppers become more discerning about their digital footprint, the industry’s role is to stay ahead of an inevitable curve.
“We are entering an era where security and customer experience are inseparable,” says Pam Lindemoen, CSO and VP of strategy at the retail and hospitality ISAC.
Take a Transparent Approach
Managing fallout can be dizzying for organizations, but transparency and communication with customers play a pivotal role in regaining trust. Chaos often ensues in the aftermath of an attack, as lawyers, incident response, and forensics teams go into mitigation and recovery mode. While navigating a cyber incident is challenging for organizations, it can also be an opportunity to connect with customers, reveals Lindemoen. Consumers typically respond well to transparency about what happened, an apology, and genuine concern for their privacy, she adds.
Open and timely communication works to reduce uncertainty and shows consumers that security is being treated as a priority, rather than an afterthought, stresses Anand.
“Retailers that proactively share information and updates tend to rebuild trust more effectively than those that remain silent or vague,” Anand says.
The level of transparency, and how meaningful it is, matters. Transparency that avoids minimizing or obscuring the incident is one key action Khan recommends to help retailers restore confidence in the wake of an attack. “Demonstrating accountability and ownership rather than deflection” is another.
“Cyberattacks are no longer isolated or rare,” Khan warns. “Organizations that respond quickly, transparently, and with accountability are far more likely to preserve customer confidence than those that delay communication or take a purely reactive approach.”

