10/9/2014 11:00 AM
Dan Ross
Commentary

How Retail Can Win Back Consumer Trust

Customer loyalty to their favorite brands is all about trust, which today has everything to do with security and privacy.

As more retail chains become easy pickings for cybercriminals, brand managers are finally becoming appropriately concerned about endpoint security. It’s taken these highly visible and widespread attacks by malicious actors to serve as the wake-up call to executives who have been slow to see cybersecurity as a core responsibility.

I’m sure you are familiar with the headlines:

  • After Target’s infamous 2013 breach, CEO Gregg Steinhafel resigned, underscoring the new reality that data breaches have far-reaching consequences for companies and their brands.
  • The supermarket chain SuperValu (at least 180 stores affected) and UPS (51 stores) recently disclosed breaches of their point-of-sale systems after Homeland Security and the Secret Service warned that more than 1,000 American businesses had likely been infected by the “Backoff” POS malware.
  • In a potentially related case, Home Depot recently acknowledged that a major breach of its POS systems, dating back as far as April, exposed an estimated 56 million credit card numbers. The full extent and origins of the damage remain to be seen, but it is likely the largest retail breach to date.
  • In the most recent news, the JP Morgan Chase breach compromised the accounts of 76 million households as well as those of seven million small businesses, making it one of the biggest security breaches to date.

These breaches are rising rapidly. Ponemon Institute’s 2014 Cost of Data Breach report, for example, found that the average abnormal customer churn rate after a breach rose 15% over last year. This highlights the public’s growing concern over the security and privacy of information, and underscores a need for companies to secure their infrastructure in order to protect their reputation over the long term.

Even for beloved brands like Target, the impact is significant. Target reported in February that its fourth-quarter profit had fallen 46 percent, after the holiday season breach scared off customers. The retail giant’s total breach-related expenses have reached $235 million so far; some analysts initially feared the fallout could reach $1 billion. Other factors influence stock price, but I’m certain we will see more instances of breaches being a tipping point or last straw for companies that were already vulnerable. 

Security + Privacy = Trust
Consumer loyalty to brands is all about trust, which today has everything to do with security and privacy. When consumers feel that this trust has been broken, brands will suffer long-term consequences.

I can’t say it enough: prevention and detection are both critical to security. Let’s face it, the bad guys are already inside. Preventive measures keep networks under better control and ease recovery and remediation; security leaders should nonetheless assume that intruders can and will get in, and plan accordingly. Brands need to invest in better detection and prevention capabilities that will help avoid a similar breach in the future, and they should tell consumers that they are making those investments.

Shortening the time from attack to detection is the absolute number one key to mitigating damage to a brand’s reputation, bottom line, and customers. As consumers become more disgruntled and more educated about these breaches, expectations will shift. Discovering malware months after initial intrusion will be seen as negligence and/or incompetence in the court of public opinion. Until recently, the average consumer may have regarded such breaches as inevitable and experienced only minor inconvenience. As breach notifications increase, concerns about identity theft mount and consumer patience erodes. Likewise, government leaders, legal advocates, and credit card companies have begun to push back on retailers.

A unified, system-wide view of security enhances information sharing between IT and the executive suite. Cross-functional teams must be allowed to communicate risks effectively with the help of real-time factual reports, and awareness of these risks must spread beyond the walls of the IT and security departments. Open and trusted lines of communication may be one of the most effective ways to close the intrusion-to-detection dwell time, as Target learned the hard way when an employee complaint on Gawker.com triggered a very public discussion about corporate culture and the company’s failure to heed internal warnings leading to the breach.

Ultimately, brand and reputation become synonymous in the eyes of customers and the market as a whole. To rebuild or even maintain trust, organizations need to recognize that a breach in this day and age is inevitable, and that their brand’s reputation will therefore depend on how they deal with it.

With more than 30 years of successful entrepreneurial leadership and management experience, Dan Ross is responsible for strategic direction and day-to-day global management at Promisec. Promisec is a pioneer in endpoint visibility and remediation, empowering ...
Comments
Marilyn Cohodas, User Rank: Strategist
10/10/2014 | 10:17:31 AM
Begin with the end in mind
With the velocity of data breaches in the headlines these days, it's easy to get caught up in the whats, whys, wherefores and finger-pointing. But the bottom line is that when a company's data is breached, their reputation is on the line and it's in their best interest to be as transparent as possible with customers and the general public. Thanks for reminding us of that, Dan, and for threading trust and reputation through the security needle.