If a company compromised your personal information – your credit cards or social insurance number – how long would it take you to trust them again? Months? Years? Would you ever consider doing business with them again?
Sadly, this is a real question thousands of Canadians need to ask themselves every year. As cyber attacks become more and more common, with retailers across the country falling victim to hackers every year, consumers have to weigh their desire to do business with a retailer against their bruised trust. In the world of cyber security it’s “once bitten, always shy.”
A recent survey from KPMG LLP, an audit, tax and advisory firm, suggests that, perhaps obviously, data breaches have a distinctly negative impact on consumer trust. Of those polled, 33% said it would take at least three months before they would even consider doing business again with a retailer that lost their personal information. More dramatically, another 19% said they would cease to do business entirely with a retailer that was the victim of a cyberattack, no matter how gracefully they handled the situation. The potential for loss and major life disruption is just too great to take the chance.
Disconcertingly, it appears as though retail executives haven’t caught on to the importance of information security or the impact a loss of consumer trust might have on their business. Along with the consumer survey, KPMG also surveyed over 100 retail executives about cyber security concerns. Of the executives polled, 55% say they haven’t invested capital funds in cyber security in the last year. Even more troubling, 42% of the top-level executives polled indicated that their company doesn’t even have a leader responsible for information security.
Not only are they not investing in cyber security, they don’t even have an individual responsible to take charge when a security issue does come up. It’s the cyber equivalent of relying on a rusty old padlock and not even bothering to have someone watch the gate.
This lack of urgency is particularly concerning given the frequency and prevalence of malware and botnet attacks against the retail sector. Between the tech, financial, automotive, and retail sectors, it was retail that experienced the greatest number of malware attacks in the last year and followed just behind the automotive sector in terms of botnet attacks. Overall, the retail sector was the most attacked type of business in the past year, which makes the sluggish response of retail executives seem even more troubling.
These skewed priorities can be seen again where retail executives were polled about their greatest concerns in the event of an attack. Of those polled, 60% cited financial loss as their main concern, which, while practical, betrays a certain lack of insight when it comes to the long-term damage a cyber attack can have on consumer trust, and ultimately the bottom line. It’s not just the money you lose dealing with a security breach and the liability associated with it. People who don’t trust you won’t shop with you again. A single breach can turn a formerly loyal customer into a permanent no-sale.
Other sectors were more concerned about damage to their reputation and possible regulatory action, reflecting the value they place on the public’s perception of their brand and their ability to protect their information with their own methods. This is undoubtedly the healthier outlook. Businesses of all kinds need to place a premium on their own good name and do everything they can to make sure they are seen as responsible, trustworthy actors consumers can feel confident doing business with.
Retail needs to get with the program. Customer trust is a fickle thing, and once damaged it is nearly impossible to repair. As cyber attacks cement themselves as an unfortunate reality of modern business, it’s important to be seen as aggressively interested and determined to protect your customers’ interests with ongoing investments in their security and dedicated personnel responsible for maintaining those standards.
As consumers, we need to be more savvy and discerning about which retailers we trust with our information. Before trusting them with your information, review a company’s track record with data breaches – have they happened? How did the company deal with it? Did they get out in front of it and notify their impacted customers promptly, or did they have to find out about it on the news? Reward companies with stated cyber security policies and steer clear of retailers who seem blasé or behind the times about the potential cyber threats.
We need to get to a place where, instead of considering whether we’d do business with a company again after they’ve lost our data, we consider whether we want to do business with a company that could lose our data.