NTT Security has released the results of a survey asking shoppers what they expected from online retailers. The majority, 80%, said that more transparency and honesty when a security breach took place was essential. However, a security breach would not stop a third of people from continuing to shop with an online retailer.
The report comes ahead of the madness that is Black Friday and Cyber Monday. This year, some retailers are extending the four-day online shopping spree to two weeks. Shoppers are expected to break last year's sales record. This means there will be plenty of opportunity for cyber criminals to steal payment data.
According to Stuart Reed, Director at NTT Security: “The retail sector is among one of the most targeted industries for attacks and, with one of the busiest trading periods of the year now upon us, it makes sense that both consumers and retailers are diligent in terms of data security. While some shoppers are happy to continue using sites, even when they have been breached, they are also anxious for retailers to let customers know when they have been hacked.”
Shoppers ready to forgive retailers
The willingness of more than 30% of those surveyed to continue shopping with a breached retailer is a surprise. Some of the respondents were even willing to change their passwords post-breach even if not prompted by the retailer. Why they would need prompting is anyone’s guess. Ironically, there were a number of respondents who felt that retailers should insist on stronger passwords to start with and force users to change them regularly.
This is an interesting response. The received wisdom in IT security is that if you force regular password changes, a lot of casual users will stop using the site. Even the requirement for stronger passwords will reduce the number of users. As a result, retailers are often among the poorest when it comes to password and online security.
Shoppers also want online retailers to use secure payment systems. The majority already do this. The problem arises when data is saved on the retailer's site and in how it is protected. Data encryption is becoming the accepted norm, but that does not mean it is always good enough. Many sites use simplistic encryption or even older mechanisms that are known to be flawed.
Privacy a serious concern
The issue of how much data is kept by retailers is a long-standing problem. The retail industry has always sought to capture customer data in order to refine its marketing campaigns. The problem is that the data is often not kept securely and in many cases rarely reviewed to see if it is relevant. There is an increasing amount of privacy legislation coming into force, such as the EU GDPR. Smaller retailers who suffer a privacy breach could see fines that would threaten the survival of their business.
One surprise in this report is that 40% of respondents want privacy policies published online. They want customers to be able to see how data is handled and stored. It is already a requirement for privacy policies to be published online. This level of response shows that either websites are not complying with the laws in different countries or users find it hard to locate privacy policies.
Sites that do hold privacy data are also required to publish details of their Data Controller and how to contact them. This is an area where many sites do badly. It can be extremely hard to find out who is responsible inside an organisation and how to contact them. Surprisingly, this is something that was not an issue in this survey.
Reed says: “Consumers certainly seem to be growing in security awareness when online; more savvy, they are willing to take responsibility for their own security to some extent, but they are also more demanding of retailers and expect to see privacy and security policies displayed clearly on websites.”
Over the next few weeks, it will be open season on online shoppers. There will be security breaches, and it will be interesting to see how quickly online retailers deal with them. Retailers need to make sure that they increase their security over this period, as the increased number of visitors to their sites will include those with bad intentions.
Reed warns retailers: “Whilst seasonal trading might result in a spike of targeted attacks, it’s important to remember that in a connected, global economy, cyber threats are present 24 hours a day, every day of the year, so it’s crucial that online retailers get the basics right combined with a balanced and well communicated approach to cybersecurity at all times.”