Retailers Need to Get Real About Security


It seems a distant memory now. In December 2013 – light years ago in technology time – the retail giant Target disclosed a massive software security breach of its point of sale systems. The bad guys fled the virtual premises with the credit card information of 40 million customers. This astounding number would later rise to 70 million customers.

Target’s embarrassment, its loss of market share, its brand erosion, and its legal costs to settle claims collectively should have served as a nerve-jangling wakeup call for retailers large and small nationwide.

It would be reassuring to believe that retailers learned from Target’s data breach, but in fact the opposite has happened. In 2016, retail software security breaches were up 40 percent over the prior year, and in 2017 the following familiar brand names suffered breaches – Sonic, Whole Foods Market, Arby’s, Saks Fifth Avenue, Chipotle, Brooks Brothers, Kmart, and Verizon. Retail software security is getting worse, not better, and the dismal trend seems likely to continue in the near term. Why?

The number of virtual burglars continues to increase along with their level of sophistication in finding ways to exploit software security vulnerabilities. At the same time, securing software is both difficult and costly. Because retailers know they cannot stay in business without online customers and fast point of sale systems, they invest time and money in revenue-generating technology. Software security is defensive and does not produce revenue, and as a result it is often a low priority.

Finally, and perhaps most alarmingly, reports of retailers’ software security failures are so frequent and widespread that consumers are increasingly inured to them. The convenience of doing business online trumps their fears of data theft or privacy invasion.

For this discouraging security situation to improve, retailers must be willing to change their mindset – to think and act not only like a retailer, but also like a software company. To do so they need to look no further than to one of the world’s leading software companies, which is also the world’s #1 online retailer.

Yup, Amazon.

In 2017 Amazon had $94.7 billion in online sales and experienced growth of 19.4 percent compared to the prior year. Though not immune from a software security breach (it has had challenges resulting from security lapses by its third-party vendors), Amazon has avoided the catastrophic software security breaches of other online retailers. It has done so by focusing relentlessly on the security and integrity of the software that it develops and deploys to power

Despite its success as a retailer, Amazon very clearly understands the business it is in: developing and delivering secure software that also enables swift transactions and an excellent user experience.

The lessons from Target’s failures and Amazon’s successes are clear: to be competitive, aggressively marketing and selling online is imperative, but efforts to improve software security must be equally aggressive.

Yes, there is big opportunity in online retailing. However, until retailers stop treating software as an ancillary aspect of their business and begin to think and act like software companies, security breaches will continue to plague them.

Lou Shipley is a Lecturer at the Martin Trust Center for MIT Entrepreneurship at the MIT Sloan School of Management. Most recently, he was CEO of Black Duck Software (acquired by Synopsys).
