Prior to the Covid-19 pandemic, most retailers treated omnichannel options as add-ons to their brick-and-mortar storefronts. Then the coronavirus—and the subsequent anxiety around shopping in stores—made home delivery; buy online, pick up in-store; and curbside pickup options a necessity.
Buy online, pick up in-store (BOPIS) transactions increased by 208% in April 2020 compared to April 2019, according to a May 2020 Adobe report. Adobe predicted in a March report that e-commerce spending will reach between $850 billion and $930 billion this year.
With retailers relying more on omnichannel services, loss prevention teams are becoming concerned about cybersecurity threats and are increasingly collaborating with cybersecurity teams, according to a recent National Retail Federation survey. Per the NRF, 76% of loss prevention professionals said cybersecurity-related incidents have become somewhat more or much more of a priority of their organization over the past five years.
Cybersecurity Threats and Fraud
It’s not uncommon for teams to operate in silos where they don’t communicate with one another, says Yale Fox, a cybersecurity consultant and Institute of Electrical and Electronics Engineers. Organizations need to conduct periodic training sessions with employees to prepare them for evolving cybersecurity threats, he says.
Fraud comes in many forms. One common example is a fraudster purchasing an iPhone, removing the iPhone from the packaging, placing something of similar weight to an iPhone into the packaging, and returning the re-shrink-wrapped package for a refund, Fox says. A cybersecurity element in this kind of fraud comes when the bad actor purchases stolen payment card data and user personal information from online criminal marketplaces to make illicit purchases.
Fraudsters who attack retailers now typically provide false information and trick employees into taking action, which is why employee education on how to spot suspicious activity is critical, Fox says.
Areas of Collaboration
In the past, retailers’ cybersecurity staff were part of their IT department, whereas loss prevention professionals tended to have law enforcement backgrounds and worked primarily in stores, says Christian Beckner, vice president of retail technology and cybersecurity for NRF. E-commerce has become the next frontier for cybercriminals in part because retailers have improved the security of point-of-sale systems, which has made it harder to execute cyberattacks in-store, Beckner says.
“There’s a realization that the different parts of the organization have to work together, they have to have that shared perspective on risk and find ways to coordinate on things, like investigation and incident response, have a common plan for technology development to support security—all those types of things are ways in which their walls have converged,” Beckner says.
City Hive, an e-commerce platform for alcohol retailers, has conducted calls with retailers’ loss prevention and cybersecurity teams during incident debriefs to assess what went wrong, what the store could have done differently, and what the platform could have done differently, says Roi Kliper, co-founder and CEO of City Hive. The company works alongside retailers to determine where cybersecurity threats are and how to prevent them in the future, he says.
Echoing Fox, Beckner also noted theft of consumers’ personal information from retailers remains a problem, as well as email compromising attacks, ransomware attacks and a range of other threats. At City Hive, the platform primarily sees credit card fraud, usually involving a bad actor who takes someone’s physical credit card or uses stolen credit card information to make a purchase online, Kliper says.
Retailers Need to Address Security
Though retailers are battling cybersecurity breaches, they also can be ambivalent regarding whether to invest more resources into cybersecurity defenses. Half of the respondents said their companies are devoting resources toward loss prevention equipment, according to the NRF.
Though big-box retailers take cybersecurity concerns seriously, they tend to view cybersecurity measures as a cost without the kind of immediate benefit that spending money on ads to drive sales provides, Fox says. Not to mention that data breaches don’t appear to affect companies’ long-term stock price, he adds. (Research from IOActive suggests that the impact of data breaches on companies’ stock prices is mixed.)
However, while cybersecurity breaches may not have a long-term impact on retailers’ stock value, failing to address these issues could be detrimental to their brand reputation and add to their expenses, Beckner says. In addition to consumers questioning their commitment to cybersecurity, retailers must also contend with the costs of cyber insurance and losing sales if their systems are down, he adds.
“For the most part, in terms of the members and companies we engage with, companies are taking this seriously because they know that this is a critical risk and critical set of issues that they need to address, even up to the senior leadership of a company,” Beckner says. “At this point, I think everybody knows—maybe, not everybody knows what to do but everybody knows that cybersecurity is something you need to take seriously and address.”
Source: www.darkreading.com