Retail Scores Below Average in Cyber-Security Culture. What Are Our Weak Spots?

Scott Draher

In a National Retail Federation webinar last summer on the pandemic, Scott Draher, LPC, vice president of asset protection and safety at Lowe’s, spoke to the critical role of employee communication in meeting loss prevention’s mission of keeping customers and associates safe. Regarding compliance with safety guidelines and the potential for fatigue, he said ongoing positive reinforcement is critical. “We need to over-communicate the value of the parameters we’ve set and make sure everyone understands the positive impacts these measures will ultimately have.”

The advice is as true for other aspects of safety and security as it is for pandemic response. On all compliance issues, loss prevention organizations must ensure that workers are getting frequent reminders about what is expected of them and why it’s important. A new study reveals how retail is doing in one of these areas—cyber security. Unfortunately, it finds retail organizations doing a middling job overall with significant room for improvement in key areas.

The study collected data from more than 120,000 employees worldwide and analyzed 1,107 organizations, with the purpose of providing an objective scientific method for assessing, reporting, and comparing relative cyber security culture-related strengths and weaknesses. The study arrived at scores in seven dimensions of culture and an overall score. The average score was 73, while retail and wholesale organizations scored 71.


Retail’s score makes sense, suggested researchers. The industry has experienced several high-profile breaches in recent years, so it has subsequently directed more resources toward improving cyber-security culture, but it is also trying to balance the needs of customers while raising its overall security posture.

Still, while higher scores should be expected in certain critical industries, such as financial firms, researchers specifically identified retail organizations as among those that need to do better. “Notable sectors struggling with security culture include Government, Legal, and Retail sectors,” concluded the study report, “Measure to Improve—Security Culture Report 2020” by KnowBe4 Research.

There were several bright spots. Retailers do a good job of communicating with retail employees about cyber security, for example. And they do an average job of informing workers about—and getting them to comply with—relevant policies. Workers are also generally on board. “With a moderate score of 75 in the ‘Attitudes’ dimension, it is likely that employees in the retail sector are positive toward making adjustments and adopting security best practices,” according to the study. But significant weaknesses were also found.

Areas for Improvement

With a below average score of 69, the retail sector should work to improve its norms around cyber security—the knowledge of and adherence to unwritten rules of conduct in the organization. The 10,000-plus retail workers examined as part of the study also underperformed in the “Cognition” dimension, a measurement of employees’ understanding, knowledge, and awareness of security issues and activities.

This discrepancy—retailers do an okay job of communicating to workers about cyber security, but workers don’t always seem to get it—suggests a clear need for improved training and education programs, according to the study. Doing so is the most direct path for retail organizations to improve their overall cyber-security culture, it suggests.

Better Cyber-Security Training

Studies and interviews with data security experts produced a range of ideas to improve the stickiness of cyber-security messages that retail organizations deliver to employees. Measuring the effectiveness of training is critical, experts agree, and it may also help to do the following:

Educate workers on the value of business data. They might not understand its value. It shouldn’t seem necessary, but a survey by Fujitsu, a technology solutions firm, found that only 7 percent of employees think their company’s business data is more valuable than their personal information. And 43 percent said they “somewhat” or “completely” agree that they have no idea of the value of business data. “With 30% of employees agreeing that they worry more about losing personal data than business data, organizations have a challenge on their hands,” Andy Herrington, head of cyber professional services at Fujitsu, told ComputerWeekly. The study also revealed that “A third of employees will sell company data if the price is right.”

To enhance retention, identify for your audience what’s driving your cyber security awareness effort. Digging up examples to explain the relevance of security awareness training used to be a chore, but Google makes it easy. By collecting relevant real-world examples of incidents and consequences, you can address the first thought that every associate has when given a list of rules they’re supposed to follow, which is “Why?” Accompany data security requirements or guidelines with a rationale for why they exist. Also, use your own company’s horror stories as a teaching tool. Highlight a malicious link someone received and explain how a mistake in handling it could have resulted in big company losses.

Conduct a detailed audience assessment to inform you of the specific data security lessons you need to impart, which will depend on access to systems, data, and the threats to which staff are exposed. It’s a critical step, because instructing staff on issues that aren’t relevant can sabotage even the applicable aspects of an awareness campaign.

Recognize that not everyone is the same and that people learn differently. An awareness program can take that into account by using a variety of outreach materials and combining them when training is delivered, such as verbal briefings paired with printed reading materials and visual reminders. Delivering training in languages other than English may also be necessary for some worker populations.

Align training with what’s important for preventing data breach incidents. Surveys at the annual Black Hat security conference often reveal a disconnect between the cyber-security training that organizations provide to employees and the training subjects that their IT security experts believe would make the most difference. For example, security pros have said they think too much awareness training focuses on security systems architecture and legal issues, when more training on security policy would better protect the organization. Upshot: Communication is critical between those that provide cyber-security training and those that know the company’s cyber vulnerabilities and risks.

Take the “what’s in it for me” issue head on. Perhaps especially for millennials—but true for all ages of workers—it is important to explain to associates how data security breaches can impact the company, its reputation, and profits, and, in turn, the hours, wages, and raises that store associates receive. Also, the skills that make employees more resilient to malicious links at work will help protect them in their personal online communications and safeguard their own personal data, a benefit that an awareness program should highlight.

Don’t be afraid of training that touches workers’ feelings. Cyber awareness programs can falter by being strictly factual, say some experts. Appealing to workers’ emotions and imagination will help inspire a commitment to security that is longer lasting. Even the language that an awareness campaign uses can have an effect. For example, instead of focusing on reducing failure rates, LP should emphasize improvements in “success rates.”

Limitations of Training

Finally, retail organizations should recognize the limits of training, research suggests. Technical controls are critical, because no matter how robust a company’s awareness program is or how detailed its training effort, cyber-security training and awareness education can fall on deaf ears. Why is that?

Researchers from Iowa State University conducted a series of experiments that measured the brain activity of subjects as they responded to a range of information-security violations. They found that a person’s level of self-control was surprisingly influential in how subjects responded to what should be a mindful decision. The lead researcher said the study (“The Role of Self-Control in Information Security Violations: Insights from a Cognitive Neuroscience Perspective,” Journal of Management Information Systems, 2015) proves that while cyber-security training is important, it may have limitations because “once you’ve developed certain characteristics, it’s very difficult to change.”
