At least 61% of retailers were victims of some type of cyberattack between late 2018 and late 2019, according to data from the Ponemon Institute. However, only half of retailers said they had a plan in place to respond to data breaches. In 2018, IT governance group ISACA reported that 42% of organizations lacked a cybersecurity culture plan.
These figures are discouraging for several reasons.
First, companies without a response plan or a strong cybersecurity culture are more likely to face costly GDPR penalties if a breach exposes the data of their EU-based customers. Second, a company without a plan is a vulnerable company. Fraudsters and cybercriminals trade tips on easy targets, so any retailer with known vulnerabilities may be hit with more than one attack. And third, data breaches – along with ransomware attacks and wire fraud committed through email attacks – can quickly destroy a small business by blocking access to data, breaking customer trust or causing the business to run out of funds.
To reduce these risks, retailers must build cybersecurity into their company culture.
A cybersecure culture comes from the top
Just like any other culture initiative, the drive for a more cybersecure organization must come from the C-suite. It's up to the company's leadership to make cybersecurity a priority and a daily practice. Leaders are responsible for developing a plan that sets expectations for employee training, behaviors and best practices related to security.
Then, it's up to leaders to implement that plan and model the behavior they expect from the rest of the organization.
Start with the basics
Because there are so many ways that hackers and fraudsters can go after companies, deciding where to start implementing a more secure culture can be a challenge. Remember that cybercriminals like easy wins, so closing basic security gaps first will go a long way.
Weak passwords are easy for criminals to figure out or guess. Lists of the most popular bad passwords make the news every year, and it's disappointing how little they change from one year to the next. Even complex passwords can become a liability if they're used by an employee for more than one account. For example, if an employee uses the same password for their business email account and their Facebook account, their business email becomes vulnerable if their Facebook credentials are stolen.
With access to an employee's business email, thieves can lurk in an inbox, impersonate the employee and intercept sensitive data. If the employee is in payroll, accounting or the CFO's office, a compromised email account can lead to unauthorized funds transfers or rerouted direct deposits.
Better password policies can reduce these risks. A strong cybersecurity culture will include guidelines for creating strong passwords that are hard to crack. It will also include requirements that each employee's work-related passwords must be unique – not used for any other business or personal account.
Training and awareness
Phishing is still a problem for retailers and other organizations. In January, the UPS Store chain notified customers that some of its stores' email accounts had been compromised by a phishing scheme. Customers frequently email documents to the UPS Store for printing, and the chain said the personal and financial data in some of those documents was exposed.
Beyond data theft, phishing attacks can also lead to carefully targeted business email compromise scams, which have cost companies $26 billion over the past three years. For example, a fraud ring might impersonate the email address of a company's financial head to send a spear-phishing email to his or her assistant, asking for a wire transfer to a "vendor" to resolve a last-minute crisis of some sort.
And phishing can also lead to ransomware attacks that lock companies out of their own databases, cause business interruptions and cost a small fortune in ransoms and remediation. Ransomware attacks rose by 41% from 2018 to 2019.
Regular education and training sessions can encourage employees to be cautious about clicking links in emails that can kick-start a phishing attack. Training can also set the expectation that employees will verify urgent requests from higher-ups by voice call or in person before sharing personal data via email or initiating a funds transfer.
Patches and updates
Keeping software up to date and patched is one of the most basic cybersecurity best practices, but many organizations fall short. For example, software that went unpatched for months led to the huge Equifax breach of US consumers' personal and financial data in 2017. Making time for updates and patches should be part of every organization's cybersecurity culture plan. If that maintenance is routinely postponed to avoid interrupting work, it's time to reframe it as something that can prevent longer, costlier business interruptions.
Every organization needs a plan for what to do after a data breach or other cybersecurity incident. This should outline immediate steps to be taken, such as who to alert in-house, which outside agencies and parties to notify, what to do with affected equipment and systems, and any other reporting and legal requirements.
Planning ahead can make a breach response less chaotic and more efficient. It can also help your organization avoid penalties for delayed reporting. For example, while the new CCPA law doesn't impose reporting requirements for data breaches, GDPR sets a time limit of 72 hours to report personal data loss after a breach is discovered. Without a plan in place, it's unlikely that most businesses could make that deadline.
With the cybersecurity basics baked into your company culture, you can move on to the bigger picture: an organization where everyone has a part to play and your IT and security people work with other teams to foster better security habits.
Show employees the big picture
It's one thing to tell customer sales representatives not to click on links in emails from strangers. It's another to explain that they're on the front lines of keeping phishing attacks out of your company's email system. That understanding can motivate employees to be more aware of security issues, but only 34% of the employees in ISACA's 2018 survey said they understood their role in their organization's cybersecurity culture.
Emphasize the role of IT
A company with a strong cybersecurity culture won't let its IT team stay in a silo. Security considerations should be a part of all decisions, and IT subject matter experts should be available to lead trainings and answer questions from employees.
Reward people for cybersecurity wins
When everyone understands they're part of a companywide effort to beat back fraudsters and hackers, positive reinforcement can help the new mindset stick. Think of the signs in manufacturing plants that emphasize physical safety by showing the number of days without an accident. You can take the same approach: let your people know how long you've gone without a cyber incident and see how long you can keep the streak going.
Consider rewards and recognition for employees who spot phishing scams, patch software quickly and change their passwords to be unique and more secure. Once best practices are in place, you may also want to implement retraining or privilege changes for employees who repeatedly make cybersecurity mistakes.
Keep learning about cyber risks
Like any other type of criminal, cybercriminals are always looking for new weaknesses to exploit. That means the details of your company's best practices, training and planning will always be evolving to protect against new threats.
When your company's leadership commits to cybersecurity best practices, shows everyone they have a part to play and celebrates security wins, you're on your way to a stronger company that's a less appealing target for cybercriminals.