The answer is an unqualified yes. The retail sector is among the most targeted by hackers (competing only with the government and financial services companies), with more than 150 million retail records compromised through cyber attacks since 2009.
The good news is that direct response marketers can take steps now to head off such attacks, and prepare to respond to them when they occur.
Cybercrime is a massive, widespread, and growing phenomenon. There’s little dispute that it is the most dangerous threat to private enterprise today. More than 90 percent of U.S. companies have detected security breaches, and 74 percent acknowledge financial losses as a result. Cybercrime’s annual cost is estimated at approximately $100 billion and rising. Incident reports are growing by double-digit percentages every year.
And the threat of cybercrime doesn’t come from a single source—it can arise from theft, revenge-seeking, or error by employees; targeted attacks by competitors; or sophisticated schemes perpetrated by criminal enterprises, terrorists, or hacker groups.
When it does strike, cybercrime can inflict harm on multiple fronts. Risks include the theft of intellectual property and sensitive customer information; costly litigation and regulatory investigations; loss of revenue and productivity; and possible physical harm to employees and the public.
Home Depot revealed in recent weeks that it was hit by one of the largest data breaches in U.S. retail history, affecting some 53 million credit and debit cards. Target, too, experienced a major breach over Thanksgiving weekend last year when hackers stole information on 40 million credit and debit accounts. The retailer teamed with the U.S. Secret Service for a confidential probe, but not before being hit with dozens of lawsuits, including more than 80 from consumers and four from shareholder groups.
In addition to lawsuits, cybercrime can cause less tangible—but for DR marketers, potentially far more costly—losses in consumer trust. A data breach or cyber attack not only risks tarnishing a company’s brand, it may also affect a company’s valuation and stock price, reveal confidential company information, disrupt critical operations, and cause other damage. Target’s stock price and business operations have been slow to recover since its breach nearly 11 months ago.
An Ounce of Prevention
Marketers should have a cybersecurity strategy in place to protect their companies and customers against these risks. That strategy should have two major components: preventative measures to reduce the chance that an attack will succeed, and an action plan in the event of an actual security breach. Each of these components can ultimately save companies millions of dollars.
The preventative component of the strategy should, at minimum, include safeguards relating to the company’s information technology, its operations, its personnel, and its outside vendors and suppliers.
Safeguards on information technology to have in place include firewalls, secure ID verification for remote access, complex passwords that change frequently, routine data backup including company e-mails and Web browser histories, and a robust e-mail and data retention policy. Companies should also keep critical information encrypted, or on closed, offline storage devices.
Risk assessment is a valuable tool that direct response marketers can use to identify internal and external threats and vulnerabilities, assess the potential damage that could result from an attack, and safeguard operations against cybercrime. Do existing security measures adequately protect your company? How secure are your partners’ and suppliers’ systems? These are questions that a thorough risk assessment will answer.
There are several actions marketers can take to enhance their security through (and from) personnel. To start, the IT department should be staffed with cybercrime-prepared employees who have undergone background checks. All staffers can and should be educated about the risks of cybercrime through training initiatives on the dangers of phishing and other cybersecurity principles. Companies should also make it clear that employees can have no expectation of privacy on company networks; their activities may be disclosed to law enforcement or used in litigation in the case of an attack. Educate vendors on your cybersecurity protocols and require them to follow those protocols; vendors should also be vetted with background checks. As with any criminal threat, backstop your prevention effort with a “see something, say something” policy.
Attack and Response
In the event of an attack, your company will need a detailed, step-by-step incident response plan it can implement immediately. Identify an employee or group of employees responsible for leading the response plan, which should have clearly defined escalation procedures. Officers, directors, and counsel should be well aware of the development of the response strategy (as they should of preventive measures as well), so they can provide appropriate oversight and input.
When breached, there is much information to gather and communicate in a short time frame. You’ll want to know, for instance, if your corporate insurance policies cover damage or losses. For this function and others, have legal counsel and other key service providers on speed-dial. A sound plan will also call for immediate steps to identify the motive and perpetrator if possible, secure data that hasn’t been compromised, perform a forensic analysis of the attack and the “back doors” it might have exploited, and analyze its impact. When systems are again secure, the company can restore backups and bring systems back online.
At the same time, a spokesperson should be ready with a communications strategy, and corporate officials should be prepared to talk to regulators. Readiness exercises can simulate an actual attack to test and evaluate cyberpreparedness and greatly improve a company’s response, particularly in the immediate aftermath of a breach.
Externally, and perhaps more importantly for direct response marketers, the company needs to establish communications with customers, contract with a call center to handle inquiries, and offer credit monitoring and identity theft insurance to any breach victims.
The significant legal concerns associated with a cyber attack also demand preparation. There will be legal obligations such as state and federal breach notifications and required SEC disclosures (for public companies, SEC guidance says that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky”).
Know what you can legally provide to law enforcement without a warrant, and limit interactions with authorities to specified members of a cyber response team to ensure a coordinated response. Involve legal counsel immediately, and develop a litigation and regulatory strategy to protect your company. You may wish to initiate a lawsuit if you can identify the perpetrator as an insider or competitor. Other actors can be difficult or dangerous to pursue, and litigation may draw unwanted attention to the problem.
Protect your company and its customers by being ready for a cyber attack. While practically invisible, cybercrime is growing to the point where almost every company will be affected—and it can cause your business severe damage when it occurs.
Cybersecurity Planning Checklist
- Detailed, step-by-step incident response plan
- Adequate insurance coverage (consider a cyber policy)
- Legal counsel and other service providers on speed-dial
- Crisis communication and litigation strategies
- Government affairs/communications with regulators
- Readiness exercises that simulate an actual attack
- Business continuity planning
- Security audits of key vendors