Security breaches are happening left and right. It’s not uncommon for consumers to receive a letter or an email alerting them that their information has been compromised. Ever since the global pandemic pushed consumers into the accelerated digital age, cybercriminals have had more fraudulent routes to choose from.
This has become a big problem for businesses, especially small- and medium-sized companies that may not have a strong enough cybersecurity system to protect them from increasingly sophisticated fraudsters.
Business owners need to act now or risk irreparable damage to both their finances and reputation. To further discuss how businesses can successfully mitigate cyberattacks and protect consumers, PaymentsJournal sat down with Tom Callahan, Director of Operations, MDR, at PDI Software, and Tim Sloane, VP of Payments Innovation at Mercator Advisory Group.
Consumers experience different types of fraud
No consumer is exempt from the threat of a fraudulent attack, and with the advanced digitization that happened during COVID-19, fraudsters are only getting more sophisticated. The chart below reveals how many consumers experienced fraud in 2019 compared to 2020.
In 2020, the percentage of consumers who have experienced some form of fraud reached nearly 32%, a more than 3% increase from the previous year. The greatest number of attacks involve card fraud, experienced by 17.4% of respondents in 2020. The category with the greatest increase from 2019 to 2020 is platform fraud, which more than doubled to 5.3% of attacks. “More than half of those fraud vectors are driven by data lost by businesses and merchants, through their own lack of protection of consumer data,” explained Sloane.
According to research conducted by Mercator Advisory Group, very few small businesses are actually investing in tools and strategies to protect their data. However, as fraudulent activity continues to grow, the level of risk for these businesses rises dramatically.
“The 31% of consumers that have experienced fraud this year…they’re different than the 28% last year, or the 26% the year before. Pretty soon, the entire consumer base is going to experience fraud and be less likely to make purchases. So this is a serious problem,” concluded Sloane.
Changes in cybersecurity
Traditionally, fraudsters executed cyberattacks in the payments industry to gain access to basic data such as card numbers. More recently, however, their approach has pivoted because traditional attacks are not as lucrative or as quick a win as newer types of attacks, such as ransomware or credential theft. These approaches allow the attacker to travel deeper into the systems and to access data and IT systems for a longer timeframe. As the sophistication of the attacks escalates, so does the level of threat.
A card data breach has a financial impact as well as an impact on the reputation of the business that has been attacked, but it doesn’t necessarily take the business offline. In a ransomware attack, there could be a cardholder data breach as well as a chance of the system being taken completely offline.
“Cyberattacks have almost a domino effect of financial impact and reputational impact and just have a general business impact. If you’re not prepared for that, that’s a major, major issue,” warned Callahan. With all of the changes happening in retail due to COVID-19—curbside pickup, digital order entry processing, and electronic order fulfillment—there are new avenues opening up for attackers to breach IT systems. While many businesses are opening back up and returning to the new normal, many customers are still going to want the new conveniences they received during the pandemic. As a result, businesses will need to retain these digital methods while simultaneously continuing to strengthen their cybersecurity.
Retailers can help minimize attacks
Implementing new security measures can be intimidating, so retailers should take a step back and ask themselves this question: what does my cybersecurity strategy need to be?
It’s a misconception that massive consulting groups and a large sum of money are required to strengthen a company’s security profile. “Start easy, start simple. Sit down and identify what tools am I using? What software am I using? How is it being managed? How am I training my employees, whether they’re seasonal or non-seasonal, to understand what these risks are, and understand how to respond to these risks?” explained Callahan.
Some businesses will map out how they can execute their cybersecurity strategy internally, potentially hiring one person to manage it. Unfortunately, this is usually not enough because a single-person approach has many limitations—such as not being able to provide the 24/7/365 monitoring required in today’s cybersecurity climate. Companies need to realistically assess whether they can protect themselves or need to hire a third party, and then consider how much that third party should be involved.
Human impact is the key to security
The good news is that all the tools and resources are readily available to help prevent cyberattacks. However, the most critical element is often the “human factor.” It’s absolutely necessary for business leaders to commit to cybersecurity and make employees a strategic part of any plans. Employers should educate their employees on things to look out for, such as suspicious emails and phishing attacks. “Don’t open random files that you get from random email addresses that promise gift cards… things that you would think are second nature, but in a lot of cases they aren’t,” said Callahan.
In many cases, companies will have robust fraud prevention plans backed by technology in which they have invested large sums, but employees won’t know who to contact if they perceive a potential threat. These threats need to be identified quickly, so it’s important for team members to be educated on what to do if something seems strange or different.
“That first alarm early on in the process can eliminate a threat very, very quickly, if it’s actionable,” concluded Callahan. “The more you can train every employee on how to act, the safer your business will be.”