It is a challenging reality of the retail sector that employees are traditionally the weakest link in deterring digital security threats, such as system breaches and data theft. In a complex environment where employee turnover, seasonal workers, a mobile workforce, and shifting roles are a constant challenge, protecting the organization from security threats requires a vigilant approach to access and identity governance.
The Real Cost of Data Breaches in Retail
With the average data breach costing approximately $4 million per breach, the damage to retail businesses can be catastrophic. Yet those dollars only hint at the thing executives fear losing most: the company’s reputation.
A recent study by Retail Perceptions, “Security Hacks and the Lasting Impact on Retailers,” found that:
- “43% of shoppers do not trust companies to keep their personal information safe.”
- “40% of shoppers avoid retailers that have been hit by security breaches.”
- “39% of shoppers say that they spend less than before at retailers who have experienced a security breach.”
Dollars are on the line, and retail organizations are acutely aware of the damage a breach can do to their reputation. Yet breaches are experiencing exponential growth, with attacks increasing more than two-fold in 2015 according to some sources and 33% of retail organizations reporting that personally identifiable information was stolen or accessed by intruders.
While it’s common to focus on external network security and perimeter attacks, some experts estimate that 3 out of 4 data breaches occur because of employee mistakes, such as falling for phishing schemes. (Other calculations put it closer to 45%.) And once a hacker is in a system, they are in, gaining access to sensitive data such as employee social security numbers, customer email addresses, and even customer credit card information.
It’s no secret that turnover is a huge problem in retail. Hay Group reported that part-time retail sales associate positions had a 66% turnover rate in 2014. While the causes of and remedies for high employee turnover can be debated, the reality of dealing with a large number of new and former employees’ systems access rights is a huge burden on IT staff. And when this process is manual, there can be inconsistencies between the access rights an individual needs and what they are actually given.
Utilizing a comprehensive workforce IAM system makes granting access to new employees easy, but more importantly, reduces security risks associated with an employee having access to an application that they don’t actually need. Similarly, revoking access when an employee leaves is all handled in one place, so that no applications are missed.
Seasonal hiring, such as around the holidays, can be particularly challenging as businesses must quickly fill their workforce needs with an accelerated ramp-up time to maximize productivity and thus, profit. This makes it difficult for IT to perform rigorous onboarding and offboarding processes that ensure access rights are safely granted when the employee starts and cancelled at the end of their employment.
Old manual, ad hoc processes for granting and removing employee access to systems leave room for human error, such as forgetting to deprovision a user from all systems when their seasonal work is over. This simple oversight opens up a security hole whereby old employees or hackers can gain entry into a retail system with credentials that were never revoked. Best-in-class workforce IAM systems allow IT to set an expiration date for any access rights, which automatically closes this loop. This is especially helpful for seasonal workers whose tenure has a defined timeframe.
Retailers are increasingly embracing mobile technologies that enable employees to obtain scheduling, inventory, cost changes, and other vital information wherever they are. This access makes them more effective in keeping the retail environment agile, customer responsive, and ultimately profitable. Yet, mobile applications represent just one more thing staff needs access to, one more password that employees need to remember, and one more set of credentials that hackers can target.
To effectively deal with the multitude of applications an employee will need, including apps on mobile devices, workforce IAM includes single sign-on capabilities whereby access to everything personnel need is in one place. This eliminates the need for employees to write yet one more password on a sticky note or share passwords with other employees, both of which are all too common problems.
It’s common for employees to enter the retail environment and be given access to specific store systems with limited rights. This access can quickly increase as they move from department to department or into different roles with new access needs. While new access is added, access that is no longer needed is often never removed. Another common case is an employee who is hired back into another department while retaining their old credentials, thus accumulating access rights.
A comprehensive IAM system can more effectively deal with the changing circumstances of employees in retail (i.e. changing system access when a role changes) than outdated manual processes through continuous access certification, which ensures IT is reviewing roles and access rights on a regular basis and not just “rubber stamping” identities once a year.
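The checks described above (grants that outlive an employee, seasonal access past or without an end date, and rights accumulated across role changes) can be expressed as one access review. This is an added example, not code from any IAM product; every user, role and system name in it is constructed sample data, and the role baselines are assumed to come from corporate policy.

```python
from datetime import date

# Constructed sample data: every name, role and system here is hypothetical.
ROLE_BASELINE = {
    "cashier": {"pos", "scheduling"},
    "stock_associate": {"inventory", "scheduling"},
    "dept_manager": {"pos", "inventory", "scheduling", "pricing"},
}
WORKFORCE = {  # as an HR system of record might export it
    "avery": {"role": "dept_manager", "type": "permanent", "status": "active"},
    "blake": {"role": "stock_associate", "type": "permanent", "status": "active"},
    "casey": {"role": "cashier", "type": "seasonal", "status": "terminated"},
    "devon": {"role": "cashier", "type": "seasonal", "status": "active"},
}
GRANTS = [  # (user, system, expiry date or None for open-ended)
    ("avery", "pricing", None),
    ("blake", "inventory", None),
    ("blake", "pos", None),                     # left over from a cashier role
    ("casey", "pos", None),                     # never deprovisioned
    ("devon", "pos", date(2024, 1, 5)),         # seasonal end date has passed
    ("devon", "scheduling", None),              # seasonal grant with no end date
    ("ellis", "inventory", None),               # no matching HR record
]

def review_access(workforce, grants, baseline, today):
    """Return (user, system, reason) for every grant that needs attention."""
    findings = []
    for user, system, expires in grants:
        person = workforce.get(user)
        if person is None or person["status"] != "active":
            reason = "orphaned"          # account outlived the employment
        elif expires is not None and expires < today:
            reason = "expired"           # end date passed but grant still present
        elif system not in baseline.get(person["role"], set()):
            reason = "outside_role"      # accumulated from a previous role
        elif person["type"] == "seasonal" and expires is None:
            reason = "no_expiry"         # seasonal access should carry an end date
        else:
            continue
        findings.append((user, system, reason))
    return findings

def revocation_list(findings):
    """Grants to remove now; 'no_expiry' needs an end date, not removal."""
    return sorted((u, s) for u, s, r in findings if r != "no_expiry")

if __name__ == "__main__":
    for finding in review_access(WORKFORCE, GRANTS, ROLE_BASELINE, date(2024, 1, 15)):
        print(*finding)
```

Running a review like this on a schedule against the HR roster, rather than once a year, is what turns certification into a continuous control.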
With a majority of network breaches occurring because of employee mistakes (or even malicious intent), systems access for contingent or seasonal workers represents a unique set of challenges. Making sure that employees are only given the access assigned to them under a clearly defined set of rules that align to the retailer’s corporate policy should be the primary goal of an effective identity governance initiative.
By implementing a comprehensive IAM system with robust policies and workflow tools, retailers can protect their systems from data breaches that can cost a retail organization millions of dollars, customer trust, and even brand reputation.