To an extent, evolving buying habits of consumers set the groundwork for retailers to respond to the pandemic. Trends in online shopping over the last decade led even some of the big box stores — the successful ones anyway — to invest more in e-commerce and to scale inventory to meet demand. COVID of course accelerated that mission: a survey by Deloitte found that 88% of c-suite retail executives pointed to digital acceleration as the primary investment priority for 2021.
And yet, the transition to online, combined with management of an unprecedented surge, has left the security teams of retailers to do something of a dance: accommodating customer demands for product and convenience, without neglecting security along the way. This amid customer skepticism: that same Deloitte report noted that only 5% of consumers ranked the retail industry as a top-three industry for data privacy, compared with 63% for banks.
“It comes down to trust,” said Jerry Geisler, the senior vice president and chief information security officer of Walmart’s global information security department. “And that should be an expectation of your customer, and one that you want to meet.”
Walmart, for one, added about 250,000 new associates during the pandemic to support demand — with the identity and access team relying on automation to reduce the onboarding process from one week to one day. And when the company saw a 1,000% increase in utilization of remote access tools by employees, delegated to home offices, the systems were ready thanks to what Geisler called “some smart engineers who thought well ahead.” Having considered various disaster recovery or business-continuing scenarios that might necessitate remote work, they deployed a remote access license, with the ability to maintain the same back-end capacity with four of those licenses connected concurrently, which would be well above anything the retail giant had ever seen in normal day-to-day operations.
Needless to say, that proved critical with COVID.
“When we needed to ramp, we actually had the capacity to allow everything to occur over a weekend, to shift from being in the office to working remotely,” Geisler said. It was one measure already in place thanks to what he called “a proactive approach that allowed us to scale quickly.”
But some impacts of the pandemic were unexpected. Bot mitigation became a major priority, as “enterprising individuals or groups” would try to buy high-demand items like next generation gaming consoles and resell those for a profit.
In its effort to respond, Geisler’s team walked the same fine line that all retailer security teams face: managing the threat, without impeding upon the customer experience. Walmart’s information security team worked across tech, across product, across business operations “to understand the demand signals we were seeing from the consumer, the timing of our inventory drops, and how we could adjust our security layers to slow down that bot traffic while maintaining a positive customer experience."
Walmart is not alone. That balance of security with customer satisfaction came into play with Target’s decision to unite cybersecurity and fraud functions under one operation. The journey kicked off nearly two years ago, said Jodie Kautt, the company’s vice president of cybersecurity, during an interview with SC Media.
“Just as you think of the lines between brick and mortar and online shopping being gone, the same goes for fraud” and cybersecurity, she said, noting that the Secret Service similarly merged their own electric crimes unit with the broader fraud crime unit soon after the retailer did.
“When you think of being intel based — to arrive at the right detection of bad or anomalous behavior, to be able to quickly pivot for detection and response — that gives us a new holistic view of fraud rings and fraud patterns that just wasn’t available with the old transaction-based view of fraud,” Kautt continued. “And it allows us to then think more effectively about where we put those speed bumps, those roadblocks, that friction, where it looks like it's bad or anomalous behavior. And where we reduce those speed bumps or those roadblocks when you can tell it's a good guest."
Indeed, from bot mitigation to fraud detection, retailers are increasingly realigning their cybersecurity capabilities using a zero-trust strategy, said Rob Goldberg, cyber services leader for the retail sector at Deloitte. “Through a combination of architecture, technologies, and processes, retailers are focused on reducing the ease of which adversaries can compromise one part of the environment and move laterally through the rest of the environment to either steal data or plant malware, by treating every part of the environment as untrusted.”
This complements another trend across retailers to deploy consumer identity and access management solutions and capabilities that “enable retailers to centralize the identification, authentication, and access management for customers across channels — web, mobile, store, etc.,” Goldberg added. That creates a more seamless experience for the customer, “while simultaneously improving security with risk-based decision-making tools.”
To ease customer concerns, Deloitte recommends retailers be more transparent about their data strategy, and able to rapidly resolve problems. Both Walmart and Target, for example, include information about security programs online and in annual reports, as well as in the company’s 10-K filing. Education also factors into efforts: Walmart pumps in cyber hygiene tips and best practices into store locations via its radio broadcasts, “encouraging customers to be diligent in protecting their digital persona, even outside of Walmart,” said Geisler, and conducts an executive tabletop exercise for leadership.
As he put it, “you don't want to try to figure these things out in the middle of a crisis.”
This is part of SC Media's special October coverage, in honor of Cybersecurity Awareness Month, spotlighting “security by design”: How different organizations within various verticals recognize their own security practices not only as a necessity, but also as a differentiator. Click here to access all of our security awareness coverage, which will filter out throughout the month.