Consumers could be forgiven for being on high alert after the series of high-profile data breaches that rocked the Australian business landscape late last year, with Optus and Medibank just two major local brands impacted by such incidents.

Naturally, data breaches tend to make consumers more cautious of the personal information they share with businesses. This caution may see some consumers avoiding retail outlets that ask a little too much personal information of them when signing up to buy things online during the 2023 end-of-year sale season.

As retailers race towards Christmas, and January’s new year sales, they’re in a prime position to bolster consumers’ confidence in how they handle data and demonstrate their ability to keep sensitive customer information safe from potential attacks and cybercriminals’ prying eyes.

Fortunately for retailers, this task can be as simple as not asking so many questions.

Ask less, not more

One of the best ways for most businesses to keep sensitive information safe is to not collect or keep it in the first place. Naturally, retailers are keen to get as much information as possible about their customers to provide a more personalised experience, create more targeted offers, and deliver more appropriate loyalty rewards.

But retailers can begin firming up their personal information security posture immediately by reviewing how much personal consumer information they actually need to do business. By only asking for the bare essentials for an online sale, such as a full name, payment method, email, and a shipping address, retailers can avoid having to handle more sensitive information.

Moreover, incorporating a policy of only holding onto such data for a limited amount of time vastly reduces the risk of large sets of potentially sensitive data falling into the wrong hands further down the track. Indeed, destroying credit card information as soon as a transaction is finalised is perhaps the most foolproof way to protect customers’ payment data.

Building trust with transparency

While retailers can ensure greater protection of customers’ sensitive information by simply changing what they ask for and how they ask for it, they can ensure consumer confidence by clearly communicating what information they are collecting and why. This is something businesses in the financial services industry have done particularly well for years.

Many of the rules and processes related to personal customer information in the financial services industry are a result of mandated regulatory requirements, providing the retail industry with a model of best practice. Privacy statements are important here, and need to be communicated clearly with customers.

And although privacy policies are a requirement in lots of industries, including retail, the financial services industry has shown us how clear, straightforward, and comprehensive they can be, providing transparency for consumers and helping them make informed decisions about how they share their personal data.

New rules for the online model

Sometimes, the collection of sensitive data is unavoidable, so other steps need to be taken to shore up the security of consumer information. A good start is using multi-factor authentication (MFA) to verify the payment process. Identity theft is a real and present concern, but processes involving MFA can provide an additional layer of protection for consumers and their data.

Given the omnichannel nature of the retail market today, it is also essential that retailers monitor their networks for signs of unusual activity or unauthorised access. Such visibility is the first step in a simple three-point plan retailers can use to protect consumer data and minimise the likelihood of attacks or breaches.

Beyond gaining visibility into all assets, networks, and attack vectors, the other steps in this three-point plan include using the data gleaned from this insight to calculate risk exposure, and investing in the right controls to mitigate the identified risks. That may sound complex, but it can be relatively simple to achieve with a platform-based approach to cybersecurity.

Such an approach is, by its nature, extensive enough to cover the entire attack surface of a retail business, from end to end, across channels. This means fewer information silos and fewer ways for attackers to breach a network undetected.

With the right processes, policies, and technologies in place, retailers have the opportunity to be transparent and clearly communicate to customers the steps they are taking to keep their sensitive information safe. This can help to drive consumer confidence this sale season.

Ashley Watkins is vice president – commercial for Australia and New Zealand at Trend Micro.