The arrival of new data privacy regulations, increased conversations around data security, and personal experiences of privacy issues have made UK consumers more wary about data security practices of the companies they are dealing with.
Consumers are now asking how firms and retailers store their personal and financial data and how strong their data security practices are, and are making buying decisions on that basis, new research from PCI Pal shows.
The study found that a lack of investment in cyber-security or not taking sufficient steps to detect cyber-threats or to respond to them may expose companies to regulatory fines and loss of face and also result in significant financial losses.
While 44 percent of UK consumers said they would stop dealing with a business or brand for several months if it suffered a security breach or hack, 41 percent said they would stop dealing with such businesses or brands altogether. Losing that many customers could threaten the survival of many businesses, so they must act fast and strengthen their security credentials before an incident occurs.
"What’s really interesting is how consumers are increasingly questioning data security practices. Nearly half of those surveyed know they should check a company’s security processes and 22 percent said they question businesses directly or research how an organisation safeguards consumer data. This suggests a real change in how consumers prioritise privacy and security," said James Barham, CEO at PCI Pal.
"This should act as a real wake-up call to consumer-facing brands: they need to adopt stronger security practices, especially for those operating contact centres where payments are handled over the phone if they want to keep customers loyal and spending with them," he added.
Perception is another important factor influencing buying decisions of consumers of late. Even if a brand does not suffer any cyber-incident for a while, if consumers feel that the brand isn't taking sufficient steps to secure their data, they may stop dealing with the brand altogether or wait until they are satisfied that their data is secure.
While 31 percent of consumers told PCI Pal that they spent less with brands they perceived to have insecure data practices, another 26 percent said they stopped spending completely if they didn’t trust a company with their data. Considering that 38 percent of all UK consumers have personally suffered the negative consequences of data security incidents, the emergence of such caution is understandable.
Financial organisations, retail firms and travel firms, all predominantly consumer-facing industries that store or process large volumes of customer data, are perceived by UK consumers as among the least secure organisations and the most likely to suffer cyber-incidents.
The failure of such organisations to prevent phishing attacks and cyber-fraud is well known to their customers and has also encouraged cyber-criminals to scale up their operations, either to obtain large volumes of customer data or to exploit the Christmas shopping season for profit.
For instance, research by CyberInt has found that during the current shopping season, there has been a 200 percent increase in refund fraud-related activities, including a 150 percent increase in discussion of compromised shopper accounts and 90 percent rise in gift card scams compared to last year.
Brute-force attacks launched by cyber-criminals to compromise shopper accounts have also forced retailers to divert scarce IT resources to meeting such threats, reducing their networks' ability to serve high volumes of legitimate traffic and leading to a 300 percent increase in consumer discontent.
According to research by Barracuda, cyber-criminals have also stepped up social engineering attacks on retail firms since October this year to trick employees into handing over gift cards bought in anticipation of the holiday season. Many of these attacks impersonated company CEOs and used language implying urgency, putting additional pressure on employees to comply.
The scale of the challenge the retail industry faces in preventing the loss of sensitive data, winning the trust of millions of consumers and avoiding regulatory action can be gauged from how eager cyber-fraud rings are to exploit shopping events such as Black Friday and Cyber Monday.
According to cloud delivery platform Akamai, cyber-criminals carried out as many as 38 million credential abuse/stuffing attacks and 3.2 billion retail-specific bot attacks on Black Friday alone this year, and followed it up by carrying out 26 million credential-stuffing attacks and two billion retail-specific bot attacks on Cyber Monday.
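The credential-stuffing figures above are volumes, not a method. What a retailer's security team actually needs is a way to tell stuffing apart from ordinary failed logins in its own logs: the signature is one source trying many distinct usernames in a short window, with a high failure rate and the occasional success where a reused password matched. The following is an added example, not Akamai's or any retailer's code; the log format (timestamp, client IP, username, HTTP status of a POST to /login), the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""Credential-stuffing detector run over constructed login-log lines.

Added example, not code from Akamai or any retailer. The log format and the
sample lines below are constructed for illustration, not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 cycles through many accounts (stuffing, with
# one hit); 198.51.100.9 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2018-11-23T10:00:01Z 203.0.113.7 alice@example.com 401
2018-11-23T10:00:02Z 203.0.113.7 bob@example.com 401
2018-11-23T10:00:02Z 203.0.113.7 carol@example.com 200
2018-11-23T10:00:03Z 203.0.113.7 dave@example.com 401
2018-11-23T10:00:03Z 203.0.113.7 erin@example.com 401
2018-11-23T10:00:04Z 203.0.113.7 frank@example.com 401
2018-11-23T10:00:10Z 198.51.100.9 grace@example.com 401
2018-11-23T10:00:15Z 198.51.100.9 grace@example.com 401
2018-11-23T10:00:20Z 198.51.100.9 grace@example.com 200
"""


def parse(log_text):
    """Parse 'timestamp ip username status' lines into (datetime, ip, user, status) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, status = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, int(status)))
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try at least `min_users` distinct usernames within `window`
    with a failure rate of at least `min_fail_ratio`. Returns {ip: summary}, where the
    summary lists the accounts that succeeded, i.e. the ones to force a reset on."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Sliding window anchored on each attempt; stop at the first window that trips.
        for i in range(len(evs)):
            j = i
            users = set()
            fails = 0
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                users.add(evs[j][2])
                if evs[j][3] != 200:
                    fails += 1
                j += 1
            attempts = j - i
            if len(users) >= min_users and fails / attempts >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": attempts,
                    "failures": fails,
                    "successes": sorted(e[2] for e in evs[i:j] if e[3] == 200),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

The per-IP view is deliberately simple; a real deployment would also key on rotating proxy ranges, user-agent and device fingerprint, since stuffing tools spread attempts across many IPs precisely to stay under per-source thresholds. The `successes` list is the actionable output: those accounts were opened with a password reused from another breach and should be locked and reset.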
On Black Friday and Cyber Monday, as many as 85.75 percent and 98.13 percent respectively of web application attacks were launched to exploit SQL-injection vulnerabilities in web apps, with 43.84 percent of such attacks coming from actors based in Russia. A large number of attacks were also launched to exploit other well-known application flaws such as command-injection, cross-site scripting, remote file inclusion, and PHP-injection vulnerabilities.
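The SQL-injection share quoted above is striking because the defect it targets is among the simplest to close: a query built by string concatenation lets attacker-controlled input change the query's structure, while a parameterised query cannot. The following added example (not Akamai's data or any retailer's code) shows a login check in both forms against an in-memory SQLite table; the `users` table, the function names and the payload are assumptions for illustration, and the plain SHA-256 password hash is a stand-in to keep the example standard-library only, not a recommendation.

```python
"""Login check with a string-built (injectable) query beside the parameterised fix.

Added example, not from Akamai or any retailer. Table layout, function names
and the payload are assumptions for illustration. SHA-256 is used only so the
example needs no third-party library; production code uses a slow, salted
password hash such as bcrypt, scrypt or Argon2.
"""
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately injectable: the username is spliced into the SQL text, so a
    value such as "alice' --" comments out the password comparison entirely."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, pw_hash)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised fix: the driver binds the values, so the input can only ever
    be compared as data and never alters the query structure."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


# Classic payload: closes the quoted username, then `--` comments out the rest
# of the WHERE clause in SQLite, so the password check is never evaluated.
PAYLOAD = "alice' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload:", login_vulnerable(conn, PAYLOAD, "anything"))
    print("safe, payload:      ", login_safe(conn, PAYLOAD, "anything"))
```

Run stand-alone, the vulnerable function lets the payload log in as `alice` with any password, while the parameterised version rejects it. The same binding discipline applies to every other place user input meets a query, including ORDER BY and LIMIT clauses that parameter binding alone does not cover and that need an allow-list instead.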
"The holiday season is something to capitalise on for a lot of industries – so too for cyber-criminals, who just like the rest of us do not exist in a vacuum. With the largest retail day of the year happening on Black Friday, there is more opportunity than ever for criminals to blend in amongst legitimate transactions, making off with goods, customer details or stolen funds before anyone has noticed," Ryan Wilk, VP at NuData Security told SC Magazine UK.
"Organisations need to be aware of this, and make sure that their account security corresponds to the heightened threats by engaging with more robust access protocols, such as two factor authentication and passive biometric solutions", he added.
A study carried out in the UK by LastPass ahead of Black Friday found that UK retailers still have a long way to go before completely ensuring the security of all transactions and preventing data belonging to consumers from falling into the wrong hands.
The study showed that nine out of ten top UK retailers, including Asda, Argos, Sainsbury's, John Lewis, Tesco, and Ocado did not support two-factor authentication and none of them required special characters when creating a password.
It also found that if a customer forgot a password, all 10 sites sent users a reset link or a one-time code, rather than sending the original password to the registered email, making it harder for an imposter to pose as a customer to gain access.
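The reset-link behaviour the LastPass study credits is only as good as the token behind it: a link is safe to email because it is random, short-lived and usable once, and because the server stores only a hash of it, so a leaked database does not yield working links. The following is an added example, not LastPass's or any retailer's code; the in-memory store, the 15-minute lifetime and the function names are assumptions for illustration.

```python
"""Single-use, expiring password-reset tokens, as opposed to emailing a password.

Added example, not code from LastPass or any retailer. The in-memory store,
token lifetime and function names are assumptions for illustration; a real
service would keep the same fields in its database.
"""
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumption: reset links expire after 15 minutes

# sha256(token) -> (username, expiry_unix_time). Only the hash is stored, so
# someone who reads this table still cannot build a valid reset link.
_resets = {}


def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(username, now=None):
    """Mint a reset token for `username`. The plain token goes only into the
    emailed link; the server keeps just its hash and an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _resets[_h(token)] = (username, now + TOKEN_TTL)
    return token


def redeem_reset(token, now=None):
    """Return the username if `token` is known, unexpired and unused, else None.
    The entry is removed on any redemption attempt, so a token works at most once
    and an expired token cannot be retried later."""
    now = time.time() if now is None else now
    entry = _resets.pop(_h(token), None)
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        return None
    return username


def pending_count():
    """Number of outstanding (issued, not yet redeemed or cleaned up) tokens."""
    return len(_resets)


if __name__ == "__main__":
    t = issue_reset("alice")
    print("emailed link would carry:", t)
    print("first redemption :", redeem_reset(t))
    print("second redemption:", redeem_reset(t))
```

Two details matter in practice beyond what is shown: the response to a reset request should be identical whether or not the address is registered, so the form does not become an account-enumeration oracle, and redeeming a token should invalidate every other outstanding token and session for that account.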
"With the wealth of personally identifiable information (PII) and sensitive data that online retailers process, all have a responsibility to ensure they take the necessary steps to protect their customers and educate them on best security practices. Consumers also have a responsibility to understand best security practices, so they can choose where to safely shop online.
"Weak or stolen credentials continue to play a major role in breaches, so it’s worrying that the most popular UK retailers have pretty lax password requirements when hundreds of thousands of shoppers flocked to these sites for a good deal on Black Friday," said Sandor Palfy, CTO of identity and access management at LogMeIn.