Which of these statements is true?
“Customers love when retailers provide them with a better shopping experience. Online, customers value the convenience of buying and shipping merchandise with a few clicks; personalized cross-selling and upselling features seem to read their minds. In stores, customers enjoy generous return policies enabled by retailers’ records of their past transactions.”
“Customers are uneasy about all the data retailers retain about them and their shopping behavior. They’re uncomfortable when businesses remember what they viewed and bought, and they worry about how potential exposures of their data make them vulnerable to pretexting and fraud.”
We live in a world where both of the foregoing statements are true. Retail businesses that have embraced digital transformation to engage and serve customers already know that customer data provides indispensable competitive advantage. Knowing the customers in order to serve them better has never been more important. But this is just as important: If you’re going to store the data to enable the best customer experience, it’s critical to protect that data and use it appropriately.
One national retailer started using credit card transaction data as an alternative proof of purchase. Soon after, another leading retailer improved on that practice: Customers who have the store’s loyalty card can return merchandise with no receipt, even when they’ve paid in cash. Because its loyalty card uses phone numbers to identify customers, they can return merchandise with their phone numbers alone. But even as customers enjoy the convenience, they worry this data — so willingly provided to a business they trust — may not stay with that business.
Businesses must acknowledge the enormous trust customers have placed in them with regard to their data — and the danger of losing that trust — and manage cyber risk effectively, including continuous improvement of cybersecurity approaches.
Last year, Protiviti joined ESI ThoughtLab, WSJ Pro Cybersecurity and others to launch The Cybersecurity Imperative: Managing Cyber Risks in a World of Rapid Digital Change, a thought-leadership program drawing on global research and expert interviews to highlight where organizations are today on the cybersecurity maturity curve, and which enhancements are most effective where people, processes and technology are concerned. The program’s first report yielded insights that are especially relevant for consumer-based businesses.
The Cybersecurity Imperative study includes a cybersecurity maturity measurement tool based on progress against the five functions of the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework. The tool measures maturity against each of these functions:
- Identify: Does the organization know how to manage cybersecurity risk to systems, people, assets, data and capabilities?
- Protect: Has the organization implemented safeguards to ensure delivery of critical services?
- Detect: Does the organization undertake activities to identify the occurrence of a cybersecurity event?
- Respond: Does the organization undertake activities to take action regarding a detected cybersecurity incident?
- Recover: Does the organization undertake appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident?
Enterprises can be classified as beginners, intermediates and leaders in their cybersecurity maturity. About half of the consumer market businesses represented in the study ranked intermediate, with the other half split evenly between beginners and leaders.
Companies ranking as leaders in their cybersecurity maturity are nearly four times more likely than beginners to see cybersecurity as an area of competitive advantage. These leaders are also more likely to invest in cyber resilience (response and recovery), whereas beginners invest mostly in identification, protection and detection. This is important because leaders recognize the inevitability of a cyber attack and are well prepared to withstand it by recovering quickly and minimizing damage to themselves and their customers. One can say that recognizing this new reality is another way these mature businesses build trust with their customer bases.
According to the e-book published in conjunction with the Cybersecurity Imperative program, the chances of suffering a successful cyber attack are particularly high for cybersecurity beginners in consumer businesses. A recent Forbes article mentions that retail organizations are frequently reported as the most attacked segment across all industries.
The good news for retailers is that at least one cybersecurity measure is straightforward and relatively affordable: training staff in cybersecurity. According to our survey, 28% of untrained staff would click on a phishing link, but after training, only 2% did. But even though 87% of survey respondents saw untrained staff as a top risk, only 17% reported attainments in cybersecurity training. Cybersecurity is a team sport, and a solid training program is less expensive to implement than any technical solution. It’s easier to update as well.
There is no doubt that understanding your customers, knowing their histories and preferences, and customizing offerings to those preferences is a competitive advantage. No consumer business will give that up to avoid the risks associated with storing and using customer data. To do so would be to introduce a bigger risk: the risk of being left behind.
But the best consumer-facing enterprises, those that enjoy the most trust and loyalty from customers, will be those that strive to protect that asset by implementing and continuously updating the best cybersecurity and cyber resilience practices at their disposal.