In the wake of the COVID-19 pandemic, more consumers than ever before are shopping online – and they’re not likely to be very forgiving of any retailer that breaches their personal information. According to this recent survey from payment solutions provider PCIPal, 64% of people in the US would avoid a business following a COVID-19 related breach, and 17% would never return. While I imagine this sentiment would apply to any breach of personal information and not just one related to the current crisis, these numbers are a sharp step up from the estimated average customer turnover rate of 3.9% in last year’s 2019 IBM/Ponemon Cost of a Data Breach Report. While it’s just one survey, such a large increase in expected customer turnover over such a short period may represent a rapidly diminishing tolerance for websites that leak valuable personal information.
In order to remain in business, many retailers had to rush to upgrade their online presence: to compensate for store closures and reduced foot traffic in locations that were able to remain open, or, for the more fortunate retailers, simply to manage an unprecedented increase in online purchasing. As we balance security risk against the need to maintain the health of the business, it would not be surprising if ‘speed to market’ concerns took priority over rigorous application security review in some of these instances – after all, a strong cybersecurity program is meaningless if there’s no organization left to protect. Nevertheless, it is still critical to complete the cycle of secure software development and to thoroughly test any changes and integrations of new solutions to verify that they are secure.
If you are a retailer that has had to prioritize retooling your online presence over everything else, please be sure to circle back around and undertake these important tasks:
- Conduct a code review that focuses on verifying that your site is not vulnerable to web application security risks, such as those included in the OWASP Top 10
- Validate that any integration of new technology – such as payment processing, customer experience or even anti-fraud solutions – is still properly managing personal information in line with your security and privacy policies
- If you don’t already offer it, consider offering two-factor authentication to your online customers
- Confirm your web servers are still using strong security certificates and aren’t allowing weak protocols. You can check this for free at ssllabs.com
- Ensure everything is still running using the Principle of Least Privilege
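As an added illustration of the two-factor authentication item above (example code written for this post, not code from the original article or from any vendor), here is a minimal time-based one-time password (TOTP, RFC 6238) generator and verifier using only the Python standard library. The enrollment secret, the clock-drift window of one 30-second step, and the replay check via a stored last-used counter are design choices of this example; the test values come from the published RFC 6238 reference vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def new_secret(length: int = 20) -> tuple[bytes, str]:
    """Generate a random shared secret and its base32 form for enrollment
    (the base32 string is what goes into the customer's authenticator app)."""
    raw = secrets.token_bytes(length)
    return raw, base64.b32encode(raw).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation,
    then reduce to the requested number of decimal digits (zero padded)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[int] = None,
                last_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Check a submitted code. Returns the matching time-step counter on success
    (the caller must persist it as the new last_counter) or None on failure.

    - accepts +/- `window` steps around the current time to tolerate clock drift
    - rejects any counter <= last_counter so a captured code cannot be replayed
    - compares with hmac.compare_digest to avoid timing side channels
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    if at is None:
        at = int(time.time())
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue  # already used, or older than the last accepted step
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 reference secret (constructed test value, not a real key)
    rfc_key = b"12345678901234567890"
    print("code at t=59:", totp(rfc_key, 59))          # 287082 per RFC 6238
    accepted = verify_totp(rfc_key, "287082", at=59)
    print("accepted counter:", accepted)
    # the same code presented again must be rejected
    print("replay:", verify_totp(rfc_key, "287082", at=59, last_counter=accepted))
```

In production the shared secret belongs in your user store encrypted at rest, the accepted counter must be written back atomically so two concurrent logins cannot both succeed with one code, and failed attempts should be rate-limited, since a six-digit code has only a million possibilities.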
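To complement the certificate and protocol item above, here is an added example (written for this post, not taken from the original article, from nginx, or from SSL Labs) of a small audit that reads nginx-style `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` directives and flags weak settings, with a weak configuration shown beside a hardened one. The directive names are real nginx directives; the certificate paths and the two sample server blocks are constructed for the example, and the list of weak protocol names and cipher markers is this example's own (deliberately conservative) policy.

```python
import re
from typing import Dict, List

# Protocol versions that should no longer be offered by a public web server
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings of OpenSSL cipher-suite names that indicate a weak or broken primitive
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")

# Constructed sample: the kind of block that survives a rushed migration
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:RC4-SHA:DES-CBC3-SHA;
}
"""

# Constructed sample: the corrected block
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
}
"""

_DIRECTIVE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s+([^;]+);",
    re.MULTILINE,
)


def parse_tls_directives(config_text: str) -> Dict[str, str]:
    """Extract the TLS directives we care about; later occurrences override earlier ones."""
    return {m.group(1): m.group(2).strip() for m in _DIRECTIVE.finditer(config_text)}


def audit_tls_config(config_text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the config passed."""
    findings: List[str] = []
    directives = parse_tls_directives(config_text)

    protocols = directives.get("ssl_protocols", "").split()
    if not protocols:
        findings.append("ssl_protocols not set: server falls back to the build default")
    for proto in protocols:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")
    if protocols and not ({"TLSv1.2", "TLSv1.3"} & set(protocols)):
        findings.append("no modern protocol (TLSv1.2/TLSv1.3) enabled")

    # Cipher strings are colon separated; a leading '!' removes a suite, so skip those
    for suite in directives.get("ssl_ciphers", "").split(":"):
        if not suite or suite.startswith("!"):
            continue
        name = suite.lstrip("+-").upper()
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite allowed: {suite}")

    if directives.get("ssl_prefer_server_ciphers", "off").lower() != "on":
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_tls_config(cfg)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

This static check catches configuration regressions in a pre-deployment pipeline, but it does not replace an external scan of the live endpoint such as the SSL Labs test mentioned above, which also verifies the certificate chain, expiry and what the server actually negotiates.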