The modern consumer expects retailers to meet them wherever they are. It’s table stakes. If you’re a retailer, whether you are selling in a marketplace, a live stream, or in the metaverse, adopting and enabling new technologies to meet customers where they are might feel like you’ve solved the problem... but it’s only the beginning. The challenges don’t end with enabling the technology. There are risks that come with embarking on new technology journeys, integrating with new partners, applications, or services.
74% of consumers say they “highly value” data privacy. And 82% of consumers are highly concerned about how their data is collected and used. Consumers have an expectation that you are protecting their data in addition to protecting access to your own data and systems. Toss in regulatory requirements from states, countries, and governing bodies (like the Payment Card Industry), and what was already not so simple increases in complexity.
The good news is that if you plan for security at the beginning, there is a great chance everything will be in place and on plan. If you don’t address security requirements at the beginning, a large percentage of projects will fail to get the appropriate requirements in place, leaving technology and applications more vulnerable.
Making cybersecurity a priority early and often is one part. Let's look at two other areas – (1) identity and Zero Trust and (2) data protection – that are particularly helpful in building a secure ‘customer is the channel’ or ‘omnichannel’ experience.
Credentials are part of a vast majority of security breaches. Protecting those credentials is critical in defending against a threat actor. While using a B2C solution is an obvious advantage, how you build the protection around that solution should be carefully planned. Missing web or network security basics can leave opportunities for credential theft. This goes for your internal resources as well as customers. Having a Zero Trust strategy in place is helpful in securing your entire estate, but is particularly helpful in the realm of identity and access management (IAM).
Zero Trust operates on the principle that everything attempting to gain access is compromised until proven otherwise. When implemented fully, access to resources is given only when needed, for as long as necessary. This extends beyond personal identities, now that ‘things’ (the Internet of Things, IoT) and application integrations play such a large role.
How we manage that access is shifting as well. Zero Trust is not a single technology one can buy and install. It is a strategy to define and live by. Organizations should have a plan to migrate existing systems into a Zero Trust framework. Then adopt a Zero Trust-first mantra for anything new. Over time, organizations can see increased value through better security and well-defined security requirements for new solutions.
Even if you are a ‘cloud-first company’ that leverages the latest software solutions, in most cases, you still own the data. This means you also own the responsibility to protect that data. Until a recent increase in compliance requirements related to data privacy, many organizations did not worry about having a full data protection or data governance program. The idea of a Chief Data Privacy Officer (CDPO) was only for a select group. This is no longer the case today. Now, data protection and data privacy are critical concerns to retailers and consumer goods businesses as well.
With vast amounts of data housed across many technologies – technologies that vary from legacy to next-gen – it can seem like a daunting task to implement data protection. The key is to first understand that this is not just a technology solution. Data Loss Prevention (DLP; the P sometimes stands for Protection) is a technology, yes. It does, however, require significant planning and policy in order to be properly deployed. Once deployed, it cannot be ignored. It will become a living solution that needs to adapt to your business and external requirements.
Retailers need to do more than deploy DLP; they must build and maintain a Data Protection Program. Data classification policies and labeling will define what data needs to be protected and to what degree. These policies will dictate who has access to what and when (another benefit of working with Zero Trust). All of that data must be found and labeled. The technology must be deployed and tuned properly.
Most importantly, the organization (the people) needs to be trained. Not just in how it works, but why it is important, what happens when different warnings occur, what it means for them, and how it impacts the business. There is an element of organizational change management required. For these reasons, DP programs are often rolled out in phases allowing the technology and people to sync.
According to Gartner, 35% of DP / DLP deployments fail, and most of this is due to improper deployment and lack of adoption. By building a program WITH the technology, you prevent this from happening. Finally, understand that the tech and processes must be managed. Staff must be assigned or services must be contracted in order to stay aligned with your compliance and governance programs.
Considering a programmatic approach with security and technology will help smooth your integration into ‘customer-is-the-channel’ scenarios. Avoid ‘turning it on’ without addressing your security and privacy requirements. And if there are areas where skills are lacking, then engage a trusted partner – one who understands the programs and technology required to make your business successful and secure.
Much like trying to fit in security after the fact, trying to ‘DIY-it’ can lead to many more problems. Problems often remain unknown until it is too late (aka breach). If there are questions about what technologies to use, also engage your trusted partners. Leverage their experience and information to make your decisions easier.
There are many advancements today around the way we secure our business. It used to be that we had to piece together different tech – each one only solving a fraction of the problem. But today, we have cloud-first, Zero Trust approaches available on single platforms.
These solutions are not only cost-efficient but also provide interoperability and simplify management. Evaluate what is best for your business and integrate security into those fast-moving technologies to secure your data and keep the trust of your customers.
For more information, reach out to a trusted cybersecurity partner today.
By: William Klusovsky, Avertium's Chief Security Architect