Customer Data Security in Retail

avatar
Agnieszka Twardosz
Customer Data Security in Retail

Retail businesses increasingly realize that they need customer data to provide an excellent level of service. As they gather more and more information on consumers, they find themselves able to improve their offering through powerful personalization. However, handling the data of vast groups of people comes at a price – companies need to keep it safe and ensure customers’ privacy or risk a major crisis.

Big data security has become a significant challenge for the retail sector as databases grow larger, and crucial employees have been pushed to work remotely without receiving sufficient training. Let’s look at the relationship between business and data and the current state of security in retail.

Retail loves data

Customer data management has become an essential aspect of running the business for all big players in the retail sector. We’ve already written about it on our blog – information can be a tremendous asset. Personalization at scale can increase total sales, loyalty, share-of-wallet, and customer engagement and decrease marketing and sales costs.

Retailers use customer data to make strategic decisions, prepare personalized offers, manage customer relationships, and learn as much as possible about their target groups. Some companies have even managed to get to know too much, as in the famous case of Target, which supposedly used a teenage girl’s shopping pattern to deduce that she was pregnant before her parents could find out.

The amounts of information that the largest retailers collect and process are immense. Walmart is estimated to be going through 2.5 petabytes of data per hour, while Kroger claims to hold data on 60 million American households. At this point, influential companies in the retail industry no longer see data exclusively as a way to make their customers open up their wallets. Some of them use their direct relationships with millions of shoppers as a means of generating additional income. However, there have been more benevolent use cases as well – for instance, Costco selectively informed all potentially affected customers about possible Listeria contamination in fruit. Their database also helped identify the source of a 2010 salmonella outbreak.

Back to business applications: Kroger acquired a data intelligence subsidiary 84.51° and now uses its enormous data collection to assist brands in positioning their products. Walmart CEO Doug McMillon seems to be thinking about going in a similar direction, having said the following in an interview: “Data is obviously really valuable. We’ve got a history of giving our data away to suppliers and doing that so that we could get in stock. That’s obviously really important, and some portions of our data will continue to be free because we need their help serving our mutual customers. But there are other aspects of our data that are really valuable and can be put to work in ways that we haven't before. The concept of building products, digital products that we can use internally and also monetize outside, is a really exciting prospect”.

While some of the most complex data-based strategies may only be available to industry leaders, it seems that a smart approach to data analytics is slowly becoming a requirement in the retail sector. The process is well on its way, and it seems unlikely that it should stop, with global big data analytics in retail market size predicted to grow four times between 2019 and 2027.

Customers demand personalization… and much more

Businesses wanting to increase their earning potential is not the only reason behind data’s growing importance. There is also the sustained customer demand for personalization. Most of us have gotten accustomed to businesses calling us by our names and serving us with offers that are somewhat adapted to our preferences. The numbers say it all – about 62% of consumers say that it’s important for them that brands personalize their retail experience, with the figure rising to nearly 81% for individuals from high-income households. 58% of smartphone users feel better about companies whose mobile websites or apps remember who they are and their past behaviors, despite many people believing that companies “are spying on them,” which looks as if they view data collection negatively.

However, people are also increasingly concerned about privacy and the security of their data. Before the 2020 holiday season, 66% of consumers in the US said they were concerned about potential data breaches, and 78% said they would try to avoid shopping with retailers who had suffered a breach. About half of consumers think that retailers should make respecting their anonymity a higher priority, with the US leading the way and surveyed EU countries reporting lower interest, probably due to the public being conscious of the existence of ambitious data protection laws such as GDPR. A sense of insecurity can seriously hinder the adoption of new shopping habits. About one-third of respondents said they would abstain from making purchases through voice-enabled devices like Google Home because they have no security features.

Is there a way for businesses to keep personalizing their offerings without storing and processing customer data? It seems that technological developments are coming to the rescue. One of the solutions to this security conundrum might be Edge AI, a rapidly developing set of technologies that make it possible to run complex business operations without external data processing. A good example is JedAI, a solution created by one of our Partners, Anagog

The technology allows companies to design personalized interaction scenarios that will only trigger if the user and their real-time behavior match a predefined segment based on individual characteristics and so-called micro-moments: for example, a busy professional who is still at the office after standard working hours may get an offer of a dinner delivery. The JedAI suite achieves a higher-than-before level of content customization without the users’ data ever leaving their smartphones. This might be the key to success, especially considering what is soon going to happen to third-party data users as a consequence of Google’s new approach to cookies.

All this means that consumers can receive offers that are better suited to their needs, and companies avoid the hassle of storing and securing customer data – not to mention worrying about GDPR. In the words of Ofer Tziperman, Anagog CEO: “With the constant attempts to hack highly sensitive cloud computers and on-premise mainframes, the new Edge computing is emerging as a solution. We believe that the best way to secure personal data is not to collect it at all. Edge AI is the new way to process data in the mobile phone in a fully distributed architecture that makes it practically impossible to hack a mass amount of individual data. Anagog is leading the Edge AI revolution.” Will this technology be universally adopted? If it happens, companies may finally be able to delight customers with personalized products and services without putting their personal data at risk.

Cyberattacks on the rise

2020 was a terrible year in many regards, and one of them is cybersecurity. Malware increased by 358% and ransomware by 435%. In January of 2021, Google registered 27% more phishing sites than the year before. Hackers’ appetite is growing, and retailers are one of the most affected groups, regularly suffering from diverse threats such as web application attacks, fraud, DDoS (denial of service), phishing, API attacks, and client-side attacks.

Some attacks will “only” make accessing a business’s services temporarily impossible, but some will result in a leak of sensitive, personally identifiable customer information. In 2020, there was a 48% decline in publicly reported data breach events, and they formed a minority of cyber attacks in general.

However, while there were fewer attacks, they were also more hurtful to those that did get hit. The total number of records compromised in 2020 was 141% greater than in 2019, and breach severity kept rising quarter after quarter throughout 2020. Retail was the 7th most affected industry out of 20, with companies from the sector suffering 248 breaches.

Mature companies have been conscious of cyber dangers for several decades. Still, with e-commerce gaining importance and increased work-from-home, the situation has never been as serious. In Europe and the Middle East, 28% of companies report that they feel they’re at a greater cyber attack risk than pre-pandemic. The most important lesson we can learn from 2020 in terms of cybersecurity is that it cannot be ignored or taken lightly – especially because the consequences of suffering a breach are becoming increasingly severe.

Consequences of a breach

When it comes to regular crimes, the affected party usually receives support and consolation, while the society’s anger concentrates on the perpetrator. However, that is not always the case for cybercrime – the movement against victim-blaming has not reached the field of data security. On the contrary – if you collect information on your customers, you are seen as solely responsible for keeping it safe. A failure to do so results in severe consequences.

IBM identifies four main cost centers of a data breach:

  • Detection and escalation,

  • Lost business,

  • Notification,

  • Ex-post response.

According to their report, the average cost of a data breach in 2020 was $3.68 million, and it took a company 280 days to identify and contain it. While that amount is skewed by the US, where it reaches more than $8 million, it is a decent approximation for the European Union – the average cost of a data breach for EU countries and regions included in the report ranged from $2.5 million in Scandinavia to $4.45 million in France.

In the retail industry, the financial cost of a breach in 2020 was about half as severe as the average figure. However, it rose by 9.2% between 2019 and 2020, signaling that the financial consequences suffered by retailers may be catching up with other sectors.

A major data breach covered by news outlets may result in severe damage to company reputation. After the infamous Target incident from 2013, the brand took a hit that saw its Brand Index rating of consumer perception more than halve in just one year. Retail is overall seen as the most trusted industry. However, millennials are less likely than older consumers to shop with a brand after it suffers a data breach, and this generation will increasingly wield more purchasing power.

GDPR is an important factor to have in mind for retailers who operate in the European Union. Depending on the severity of data mismanagement, a company can be fined on two levels:

  • up to €10 million or 2% of the company’s global annual turnover

  • up to €20 million or 4% of the company’s global annual turnover.

All in all, data breaches are best to be avoided – which explains why organizations spend an average of 11% of their IT budget on security, and investments in advanced technologies from this sector keep growing.

Data security in 2021 and forward

The global cybersecurity market is predicted to grow by 12.5% year-on-year, reaching $403 billion by 2027. Its rapid development comes to no surprise as companies scramble to keep their databases safe and find an appropriate balance between security and performance. With an acute shortage of cybersecurity experts available on the market, many businesses decide to join forces with specialized partners.

Even the best security specialist won’t help, though, if your employees are not trained in handling sensitive information and cybercrime awareness. In 2021, cybersecurity requires a two-fledged approach where neither technology nor the human factor can fail.

Cybersecurity solutions

At Future Mind, we’re proud to maintain a close business relationship with Cloudflare, one of the top providers of web security services worldwide. As our Partner, they support us in guaranteeing the software that we produce for our Clients is safe from outside threats.

Thanks to its wide range of digital products, Cloudflare prevents data breaches with a holistic approach that strikes the right balance between security and performance. Their services include protection against common data breach types such as DNS spoofing, snooping of data-in-transit, brute force login attempts, malicious payload exploits.

The competition in the cybersecurity industry is fierce and dynamic, and any business is sure to find several companies they can entrust with their web safety. In our case, we appreciate our Partner keeping up to date with the most recent threats, which allows us to maintain the highest security level for our Clients.

As the world of cybersecurity changes, Cloudflare adapts – the company has been named the innovation leader in holistic web protection and received a Gartner Peer Insights Customers' Choice Distinction for the innovations introduced to their Web Application Firewall. 

Cybersecurity training for employees

Most of us used to associate cyberattacks with a group of skillful hackers typing away in a basement, trying to earn a living or gain fame, somewhere in a remote, lawless country. That vision is not congruent with current reality, though. These days, cybersecurity experts are mainly concerned with internal threats to company data: deliberate employee misbehavior, such as data theft, and employee mistakes, such as accidental improper sharing of data or falling prey to phishing attacks.

Such internal or employee-enabled data breaches are more common than external threats and harder to detect. Since organizations went remote, 48% have experienced phishing attacks, 27% accidental mistakes by administrators, and 26% accidental improper sharing of data by employees, with these three being the most common forms of attacks. The most challenging type of attack to detect was data theft, which has been experienced by 14% of companies. In more than one in four cases, it took businesses at least a week to detect it.

Those figures should come as no surprise. 86% of Chief Information Security Officers admit that they sacrificed security to quickly enable a remote work mode, and it’s difficult to blame them – we all remember the initial chaos of the COVID-19 pandemic. However, we have now been in this situation for an entire year and are all relatively accustomed to the new normal – the time has come to invest in security awareness training for employees.

According to a report, 28% of employees are less than confident that they could identify a phishing email, with the figure rising to 59% for social engineering attacks. 43% of employees do not realize that clicking a suspicious link or opening an unknown attachment in an email may cause a malware infection. Meanwhile, 14% think that malware can infect their device through physical proximity to another infected device.

Such statistics may seem unbelievable or downright funny to a digital native, but they prove that cybersecurity training is necessary and should be a priority – especially for retailers, given that they’re likely to hire a significant number of non-technical staff. Fortunately for the sector’s future, businesses seem to be warming up to the idea. In the US, 57% of retailers state that improving cybersecurity is their top priority in digital transformation endeavors. We hope that the situation will keep improving so that consumers can feel safe when entrusting their private data to retail companies.

Authors

avatar

Agnieszka Twardosz

blog comments powered by Disqus
11 min. read
50%

More to discover

avatar

Future Mind’s Partnerships: Ecosystem of Verified Vendors

Learn how our vast ecosystem of verified Partners works to your advantage as we collaborate to enhance your company’s position in the digital space.
4 min. read
avatar
Agnieszka Twardosz

Future Mind joins Pangea as a top 7% technology company

We’re proud to announce that Future Mind is now a part of Pangea – a curated platform composed of the top 7% of software and technology companies.
4 min. read

Is there anything we can do for you?

We use cookies to enhance your experience. Read more about cookies in our privacy policy. Agree