Article

Ransomware attacks are on the rise

5 considerations for consumer businesses

August 24, 2021

Trust is a powerful concept in the world of consumer goods. When a consumer trusts a brand or demonstrates commitment and preference, trust grows, loyalty expands and repeat business follows.

Trust is not easy to maintain in today’s volatile business environment. Companies must protect their own data in order to ensure business continuity and protect private consumer data in order to keep their shoppers coming back.

Brand trust is essential to buying

A 2019 study, conducted by the global communications firm Edelman, found that the majority of consumers said that brand trust is essential to buying. According to the report, 81% of those surveyed said a major consideration for brand purchase was, “I must be able to trust the brand to do what is right.” In addition, more than 70% of the consumers surveyed said they make purchase decisions based on whether companies demonstrated trustworthiness in areas such as supply chain, values and environmental impact, to name a few.

To lose that trust, however, can be devastating for a company, especially if that trust is based on protecting consumers’ personal data. In this competitive business environment, it’s vital for companies to maintain large reserves of private data on their customers, from name and date of birth to financial and credit information. This valuable information allows consumer products companies to personalize shopping experiences, offer timely rewards and create efficiencies for the customer. In fact, data sharing is especially important to the next big generation of consumers, Generation Z, the cohort born after 1996. According to a study by WP Engine, a WordPress platform host, 44% of Gen Z consumers will provide their personal data to enable a more personalized experience over an anonymous one. Additionally, nearly half said they would stop visiting a website if it did not anticipate what they needed, liked or wanted.

Likewise, this collected data helps consumer products businesses make smarter business decisions with regard to inventory management, omnichannel strategies, and beyond. But, if this valuable data is breached, trust falters. As American business magnate Warren Buffett once said, “It takes 20 years to build reputation and five minutes to ruin it.” In an instant, with a security breach and stolen data, consumer confidence is gone and the company’s reputation is immediately affected. It can take years to recover trustworthy status and profitability. This is especially true for middle market businesses with less brand capital compared to larger companies; larger companies generally have more pervasive brand recognition and may be able to withstand the hit to their reputation after a breach.

Just as important as protecting consumer information is being transparent with customers about how their data is being used. It’s not just about security and warding off threats; it’s also about giving consumers knowledge of and control over their data. Businesses must have practices in place to address this consumer need and associated privacy requirements.

Ever-present cyberthreats

Unfortunately, the threat continues to rise. Cyberthreats remain an ever-present reality for companies in a world where hackers can hold your data hostage, even if you don’t process credit card transactions, and demand a ransom before you can even sell your goods.

According to the RSM US Middle Market Business Index (MMBI) Cybersecurity Special Report, 64% of respondents anticipate that unauthorized users will attempt to access data or systems in 2021, another significant increase from 55% in both 2019 and 2020.

Adding further concern, businesses, including consumer products companies, are also challenged with addressing a surge of regulatory compliance as a growing number of countries and states are beginning to enact privacy and security legislation to improve data protection. For instance, many have been required to comply with the European Union’s General Data Protection Regulation (GDPR) as well as U.S. legislation like the California Consumer Protection Act (CCPA), which took effect in 2020. However, when it comes to the CCPA and future requirements, companies have been slow to develop compliance processes. According to the RSM cybersecurity report, only 40% of respondents were familiar with the requirements of GDPR or other privacy regulations.

What should you be considering to protect yourself and customers from hackers?

So what must consumer products companies, especially those middle market businesses with tight margins and resources, do to address cybersecurity issues, particularly those related to valuable customer data collection and management? Consider the following questions to jumpstart your cybersecurity planning efforts.

1. What type of data is your business collecting?

Are you collecting names, personal data, financial information, and more importantly, do you need and are you using all that information? Sometimes companies think they need to cast a wide net in data collection only to find they might not need it all. Excessive, unused data can create exposures for companies. Be strategic about what’s collected and use the information for better engagement with consumers and smarter business intelligence.

2. Who has access to the data?

Limiting access to secured data is a key way to lock down information in an organization, whether through network design or access control solutions. In addition, be mindful of third-party providers that work with your consumer products business. Does that delivery service have access to your restaurant customer data? Does that warehouse third party have access to your retail customers? A rigorous access policy that covers your third parties is key. In addition, be sure to have ongoing monitoring measures in place and adjust accordingly as business needs change.

3. Are you addressing cyber regulations?

GDPR raised the bar for protecting consumer information and requires specific tracking from collection to disposal. And as mentioned earlier, U.S. states are following suit related to data protection with their own regulations. To address these and other data security concerns, consumer products companies should periodically assess current security and privacy strategies related to the company as well as contracted third parties, amend controls and planning as needed, align governance appropriately, and have an incident response plan in place.

4. Have you assessed your risk management strategy?

With cyberthreats posing a heightened risk for consumer products businesses, it’s essential to have a risk strategy that addresses vulnerabilities. This is not a time for your risk management plan to be collecting dust. To make the strategy work for you, consider testing and assessments that evaluate physical, cyber and personnel vulnerabilities in various attack vectors (e.g., internet access, social engineering). Revisit your governance structure across all facets of security and make sure it aligns with your business strategy. And finally, build a culture and awareness within your consumer products organization around key cybersecurity considerations through testing, training, information and more.

5. Have you considered cyber insurance?

To transfer the risk of cybercrime repercussions, cyber insurance has become an effective solution. According to RSM’s cybersecurity report, more than half of middle market executives surveyed carry cyber insurance to mitigate risk. However, while the usage of cyber insurance is gaining momentum, many executives do not have a full understanding of their coverage. In fact, the survey reveals 65% of middle market organizations carry a cyber insurance policy, a slight increase from last year’s 62%. Even more important though was the jump in respondents who claim familiarity with what their policy covers—up to 64% from 48% last year. Companies must understand their policies to ensure exposures are addressed. Periodic evaluation of the insurance policy is also needed to account for evolving risks.
