Driven by COVID, Australians are shopping online more than ever. The latest data from the NAB Online Retail Sales Index reveals that in the 12 months to August, Australians spent A$39.2 billion on online retail, a level that is around 11.5 percent of the total retail trade estimate and about 33.6 percent higher than the 12 months to August 2019.
While this is good news for retailers, the increase in online customers also means the increased risk of cyberattacks. Cunning cyber attackers are looking to take advantage of the traditional bricks and mortar retailers that rushed to launch e-commerce platforms at the start of COVID-19 lockdowns and may have treated security as an afterthought.
With the massive uptick in online business, retailers are now responsible for far more customer records and transaction details than before. As a result, retailers should be aware of their responsibilities for protecting this data, and of the potential penalties from the Office of the Australian Information Commissioner if they fail to comply with the Notifiable Data Breaches scheme.
With this in mind, cybersecurity is more important than ever in retail. Traditional bricks and mortar stores put security guards at the front of the store and the electronic tags on their stock to protect against theft. In the same way they are protecting their physical assets, retailers need to implement effective measures to protect their online assets – including their customers. Here are three ways retailers can ensure their websites are secure and their customer data is protected.
Invest in a reputable payment platform
At Sophos, we’ve seen a lot of cyberattacks targeting websites that use shared payment gateways, with attackers stealing card details or redirecting funds while customer transactions are being processed.
Although money can be tight for a small retailer, my suggestion is: resist the urge to do it yourself. There are plenty of cheaper operators offering an alternative to the major merchants, processing payments for cents in the dollar, but it is precisely these outfits that may not have the same level of security controls as the larger payment providers. My advice to retailers is to make sure you understand how transactions are processed, who processes them, and whether card details ever pass through your own servers.
Be transparent with customers about cyber threats
Come Christmas and other peak sales periods, there’s always a significant rise in phishing campaigns that target individuals and organisations via methods such as fake pop-ups asking consumers to register for “discounts”.
To avoid customers being defrauded online, communication is key, and a trusted relationship with customers built on transparency is critical. Retailers should establish a line of communication with their customers outside of email. If a business is being impersonated, its social media feeds can be used to warn customers that imposters are running phishing campaigns in the business’s name. For this to work, retailers must make sure their social media accounts are verified (the Twitter ‘blue tick’, for example) so that customers can tell the legitimate business apart from the fraudsters.
Retailers such as JB Hi-Fi, Target and Kmart, for example, are constantly publishing information on their websites and social media feeds to update customers when there are imposters out there pretending to be them to scam unsuspecting victims.
Know where your data is stored
When running a business that has shifted online, it is critical to know and understand where customers’ information is stored. Are you collecting it? Is it sitting on a laptop or in the cloud? If it’s in the cloud, who is the cloud provider? How does that provider secure the information it holds, and with whom does it share it? Reading the terms of service for your cloud provider is essential.
If using third-party online services to sell goods and services, retailers should make sure access to those services is as secure as possible. A username and password alone is not good enough; multi-factor authentication must also be enabled.
A key issue is that there is currently no governing body providing guidance to the retail industry on how to treat customer information and on what retailers should be doing, at an absolute minimum, to secure their infrastructure. In the absence of such guidance on mitigating threats, retailers must take proactive steps to ensure they remain cyber secure.
It starts with being aware of where data is stored, how it is processed and who is managing it. Moreover, retailers have a legal and ethical obligation to be transparent with customers about how their personally identifiable information is stored and the measures taken to keep it secure. Beyond this, retailers also have a duty to help customers recognise cyber threats such as phishing campaigns.
Aaron Bugal is global solutions engineer at Sophos