The massive cyber-security breach at Target put the company in the media spotlight with as many as 110 million customers potentially at risk. With another security breach reported at Neiman Marcus, dozens of lawsuits have been filed and investigations have been launched. Pundits, lawyers, crisis counselors and security experts have opined about this serious situation.
But the greatest threat has no doubt been to consumer confidence and its impact on sales and the company brand. Customers wonder whether to use cash or go to the nearby competitor that may ‘feel’ safer. The competitor usually wins in this game of perception. Target has already lowered its fourth-quarter profit forecast due to the fallout from the security breach during the height of the holiday shopping season.
Now, a new report issued by iSight Partners, a security company working with the government, indicates that these hacking incidents may be just the tip of the iceberg. The Department of Homeland Security has issued an advisory to companies about the possibility of similar point-of-sale attacks.
Shoppers are fearful and retailers are on high alert. In fact, security breaches may well become the number one communications challenge for the retail industry. As the threat intensifies, retailers are advised to heighten their preparedness so they can react quickly and decisively. While I give Target good marks for its handling of the crisis, it was slow in its response time. Target CEO Gregg Steinhafel gave his first interview on CNBC on January 13th, almost a month after the breach was first reported. In addition, the initial details have changed, which always undercuts credibility with consumers.
Most retailers seem to rely on one of two crisis communications plans for these situations: an outdated three-page call tree, or a phonebook-sized manual gathering dust on a top shelf that takes into account every scenario EXCEPT the one you will need to face tomorrow. Crisis planning — whether for a data breach, a lost data tape, a stolen laptop or a hacktivism attack — needs to be a living document nimble enough to pivot quickly as the situation requires. Since a cyber-attack touches almost every part of the organization, the crisis team should reach beyond communications to include legal, marketing and sales, human resources, IT, operations, and both internal and external counsel. Team members cannot work in a vacuum and should know one another and have established relationships, protocols and procedures so they don’t meet for the first time in the heat of a crisis.
Prepare for the worst-case scenario and practice your response. How are you going to conduct yourself should a hack attack occur? How do you respond to customers…to the media…to lawyers, government officials, and to tweets both true and false? Feel the pressure and critique your response. These practice sessions may be conducted with a dozen or so people around a table. Or they could be multi-day workshops that simulate an actual attack.
Retailers will also need adequate insurance to cover the cost of a cyber-attack, including legal and communications fees, forensics, and other related costs. According to an article in Business Insurance, Target has $100 million of cyber insurance, plus $65 million of directors and officers liability coverage.
And finally, retailers have an opportunity to be consumer advocates and become part of the cyber-solution. Share information and explore new technology that will improve network defense. Remember that tamper-proof packaging was developed by Johnson & Johnson in response to the Tylenol tampering in the 1980s. A hack-proof data security system may well emerge from the current cloud over the retail environment.