Introduction
Online retail has established itself as a colossal industry in a relatively short space of time.
The first online transaction was made 20 years ago and involved the sale of an album by Sting costing $12.48 (€8.25) plus shipping costs.
To put the growth into some sort of perspective, IMRG,
the UK’s industry association for online retail found
that UK shoppers spent
£
21.6bn online over the festive
period – 13% growth on the same period last year. That’s
a 25% increase compared with 2013. Meanwhile in the US,
Cyber Monday spend hit $2.68bn last year, up 16% on the
previous year. This is big business.
But at the same time, we’ve seen an industry grow in tandem. Cyber crime.
This is big business too. It’s difficult to put a definitive price on it but some estimates put the cost to the global economy at $445bn (£290.3bn). And retail businesses have found themselves in the firing line. Big breaches at the likes of Target, Home Depot and Staples have put the industry firmly in the spotlight.
Consumers are spending online. And hackers are targeting consumers. But when will data breaches and credit card fraud start to affect what consumers do online?
This discussion paper explores the consumer attitudes of shopping and banking online. It details and examines a poll we carried out in collaboration with IDG Research Services into consumers’ online behaviours and their perceptions around online security.
http://internetretailing.net/issue/internetretailing-magazine-september-2014-volume-8-issue-6/online-shopping-turns-20/ http://www.imrg.org/index.php?catalog=1628
http://www.adobe.com/news-room/pressreleases/201412/120114AdobeDataShowsCyberMondaySalesUp.html http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
RESPONDENT PROFILE
33% 67% 37% 23% 23% 17% South West Midwest Northeast 9% 11% 16% 9% 10% 9% 10% 27% 18-24 25-29 30-34 35-39 40-44 45-49 50-54 55 years or older 49% 51% Total respondents Gender10,000
3RESPONDENT PROFILE
US 5,000 UK 5,000 Age US regions US annual household (HH) income $100,000 or more 20% $50,000 – $99,999 33% Less than $49,000 37% Mean $67,815 £75,000 or more 10% £40,000 – £74,999 25% Less than £39,999 54% Mean £39,619 UK annual HH income Parent to child Yes No Male Female Millennials = 36% Generation X = 27% Baby Boomers = 37%Employment status 61% 15% 5% Employed Student Not Employed Retired Industry of those employed
RESPONDENT PROFILE
12% 11% 11% 10% 8% 7% 6%Retail, Wholesale and Distribution Education Healthcare (providers and pharmaceuticals) Manufacturing (including automotive, aerospace & defense, construction, engineering, chemical, metals & mining) Services (legal, consulting, real estate) Financial Services (banking, insurance, brokerage) Government (State or Local)
Methodology
This survey was fielded by IDG Research Services from October 8 2014
to October 13 2014.
The results were collected through an online questionnaire. A total of
10,000 people were surveyed – 5,000 from the US and 5,000 from the UK.
Consumer Internet usage
and customer confidence
Key highlights
• 84% of consumers shop online, but only 21% feel very safe on retail sites • Banking websites evoke the highest degree of confidence, while few consumers
feel very safe on social media sites
• Biggest concern around online retail is regarding identity hacks and theft
• Consumers are most confident in finding legitimate websites through bookmarked URLs • Positive past experience and brand familiarity play key roles in instilling confidence in website
s
Our research found that while 84% of consumers shop online, just 21% feel very safe when using online retail sites. This immediately paints a very bleak picture of consumer confidence. People are shopping online, but they’re not comfortable doing so. This should set alarm bells ringing for any companies that have a significant online presence. Customers simply don’t feel very safe on the average website. It’s up to these websites to do more to increase this perceived feeling of safety and provide better assurances for visitors.
The picture gets more interesting when we look at what types of sites instil confidence.
Fewer than 50% of consumers feel very secure on most websites today; Banks/
financial management websites evoke the highest degree of confidence while
very few consumers feel very secure on social media sites.
43% 21% 30% 22% 20% 23% 18% 8% 46% 62% 46% 49% 46% 42% 43% 32% 7% 12% 12% 13% 13% 17% 21% 34% 3% 2% 5% 4% 4% 5% 8% 21% 2% 2% 8% 12% 17% 13% 10% 6%
Banks/financial management (your bank account, retirement fund, etc.) Online shopping Government sites Medical websites (your personal patientgateway, etc.) Education sites News and information
Search engines Social media % Very/ Somewhat Secure 39% 61% 88% 75% 66% 65% 83% 72%
Feeling of safety by website types
Very secure Somewhat secure Not very secure Not at all secure I don’t think about security when using these websites
Q3: How safe and secure do you feel when using each of the following types of websites (i.e. your personal/financial information is secure, sites are free from viruses or malicious software, and/ or you are interacting with the legitimate organization that you intended)?
It’s clear that banking websites evoke the highest degree of confidence, while very few consumers feel very safe on social media sites. This is somewhat understandable. Financial websites are usually closed systems which demand users to take several security steps before they can be accessed, such as two-factor authentication. Social media is more open – with anyone in the world able to (attempt to) interact with any user.
Further to the results in the graph below, we also found that
‘baby boomers’ (those born in 1964 or earlier) generally feel
less safe than the younger generations when it comes to online security.
Millennials (those born between 1980 and 1996) have grown up with the
idea of transacting online. Older users have had to adapt and exhibit more
caution than their younger counterparts.
The results also differ depending on whether we look at the UK or US.
90% 86% 80% 67% 65% 66% 62% 40%
Feeling of safety by website types
Consumers that are either very or somewhat secure
87% 80% 71% 76% 68% 64% 61% 39% Banks/financial management
(your bank account, retirement fund, etc.) Online shopping Government sites Medical websites (your personal patient gateway, etc.) Education sites News and information Search engines Social media
13
Q3: How safe and secure do you feel when using each of the following types of websites (i.e. your personal/financial information is secure, sites are free from viruses or malicious software, and/ or you are interacting with the legitimate organization that you intended)?
Bases: 5,000 US respondents, 5,000 UK respondents * Significantly higher than comparison group at the 95% confidence level
US and UK consumers find safety and security in different types of websites,
however both groups report search engines and social media as the least
secure.
United States United Kingdom
Those in the US are more likely to put trust in medical websites, whereas UK consumers feel safer on government websites. The high-profile breach affecting Healthcare.Gov last year – and numerous disruptions from hacktivists - may have had an effect on US consumer confidence in the government’s online presence.
The majority of consumers may feel relatively comfortable while on online retail sites, but our research has drilled down further into why a substantial number of people don’t.
The biggest concern is around identity theft and hacks. Clearly security issues are starting to have an impact on the mindset of a large number of consumers. The headlines following the breaches at Target, Home Depot and Staples to name just a few will no doubt have contributed to this – particularly in the US.
40% 47% 40% 45%
31% 39% 35% 30% 33%
46% 41% 47%
21% 20% 19% 21%
11% 6% 9% 6%
News and information Search engines Education sites Government sites
14
Reason for feeling insecure by website types
Out of those that feel not very or not at all safe/secure
Of those that feel unsafe on certain websites, most attribute it to concerns
about companies having access to personal information and fears about
identity thefts/hacks.
Q3b: You rated the following types of websites as not very or not at all safe and secure. Why do you feel that way? (Select all that apply)
Bases: Feel not very/not at all safe: 5472 social media, 986 banks/financial management, 1678 medical websites, 1478 online shopping, 2212 news/information, 2835 search engines, 1673 education, 1624 Government sites
57% 38% 47% 38% 37% 39% 32% 43% 52% 55% 43% 52% 17% 15% 17% 15% 4% 3% 6% 3%
Social media Banks/ financial management (your bank account, retirement fund, etc.)
Medical websites (your personal patient
gateway, etc.)
Online shopping
I’m uncomfortable sharing my personal information (e.g., name, address, email, date of birth, etc.) online because I don’t want other companies to have access to it
I’m uncomfortable sharing my financial information online because I don’t want other companies to have access to it I’m uncomfortable sharing my personal and/or financial info online because I fear identity thefts/hacks
I am not too clear on the risks but am worried about things I’m hearing in the news None of these
Getting to the right website is crucial for transaction oriented activity. With so much phishing activity and so many bogus sites around, making sure you’re in the place you intend to be is essential. Consumers we surveyed were most confident they’d get to a legitimate site if they visited it through their own bookmark.
28% 23% 8% 6% 6% 5% 5% 4% 38% 39% 32% 20% 20% 20% 10% 11% 26% 30% 47% 43% 48% 53% 36% 39% 5% 5% 10% 23% 20% 18% 33% 32% 2% 2% 3% 9% 7% 5% 17% 15%
A link I have bookmarked A URL I typed directly into a web browser A link resulting from a search from a recognized brand or company name A link from an email or newsletter One of the links resulting from a search on the first page above the fold (links that are visible without scrolling) One of the links resulting from a search anywhere on the first page Paid-for advertisements on search
A link from another website (like social media, shopping sites, etc.)
Extremely confident Very confident Somewhat confident Not very confident Not at all
25% 66% 62% 26% 40%
Confidence that method results in legitimate website
Q11: When using the following methods to arrive at websites, how confident are you that you will end up on the legitimate intended site versus a fake or malicious site? Bases: 10,000 qualified respondents
15% 25%
14%
% Extremely/ Very Confident
Paid-for advertisements on search engines and links from other websites cause the most worry, likely due to what is a perceived lack of control. Most consumers do trust in their ability to spell correctly, as typing URLs directly into the browser is their second favourite method. Any typos could lead to trouble though, with typosquatting still a major problem across the web - a recent study found that 95% of the Alexa 500 (a list of the 500 most visited sites on the web) are actively targeted by typosquatters.
Understandably positive past experience and brand familiarity play
the most important role. Interestingly domain extensions were
crucial to 50% of consumers – but the ongoing addition of hundreds
of new domains will no doubt have some impact on consumer
confidence. Companies need to decide on a strategy for these new
domain names sooner rather than later.
Factors that increase confidence in safety/security of websites
65% 60% 50% 29% 27% 18% 17% 11% I have had a positive past experience with the website
Website is associated with a brand or company that is known/familiar to me Website has a familiar domain extension (like .com, .gov, .edu, .org) Website is recommended by friends/family Website has a large number of comments/ recommendations/ reviews on site Listing/link to the website appears on first page of search results Website has a large number of social media followers (i.e., Facebook, Twitter) None of the above
18
Q4: What factors increase your confidence in the safety/security of the websites you visit? (Please check all that apply) Bases: 10,000 qualified respondents
Positive past experience, brand familiarity, and familiarity with domain
extensions are key contributors to building consumer confidence in safety/
security of websites.
Having a familiar domain extension increases confidence in website security for millennials,
women, and parents.
Indicates respondents from this country are significantly more likely than peers in other countries to engage in this behavior online.
https://
Consumer concerns around
Internet security
Key highlights
• 56% of consumers not comfortable with the information they have to share to complete online transactions • Two third of respondents more worried than ever about online dangers
• 23% doing less online due to online safety concerns
• 64% of consumers are concerned that their credit card/financial information will be compromised within the next year, and a third within the next month
• Almost 40% believe Internet security policies for consumer protection should be set by a government agency • Consumers call for the government to mandate companies do more to protect information online
Consumers are clearly willing to share information online to complete transactions. That’s why e-retail is such a booming industry. But the majority (56%) are not comfortable doing so. We’re unlikely to see a industry-wide shift in the amount of information required to process transactions. But companies should take note and understand the anxiety felt by many consumers, and focus on being transparent and empathic during financial transactions.
20
While consumers’ online behavior demonstrates a willingness to
share information online to complete desired transactions, the majority
of consumers note they are not comfortable doing so.
9% 8% 6% 4% 33% 33% 25% 13% 27% 22% 23% 26% 19% 21% 27% 25% 13% 16% 20% 31% I share more information online
than I often feel comfortable or intend to share. I’m comfortable sharing my financial details and completing financial transactions online. I’m comfortable sharing my personal details (name, address, phone, DOB, mother’s maiden name) online. My information is already in the public domain therefore I don’t
care either way. 17%
42%
31% 41%
Attitudes about sharing information online
Strongly agree Somewhat agree Neither agree nor disagree Somewhat disagree Strongly disagree
15% 41% 26% 13% 5%
To complete online transactions I often must share information I would normally not feel comfortable sharing online.
% Strongly/ Somewhat Agree
How comfortable consumers feel about sharing information does differ
markedly between the UK and US. Our US respondents were significantly
more likely than those in the UK to express discomfort
.
58% To complete online transactions I often
must share information I would normally not feel comfortable sharing online.
43% 45% 33% 17% 54% 41% 37% 28% 18% I share more information online than I
often feel comfortable or intend to share.
I’m comfortable sharing my financial details and completing financial transactions online. I’m comfortable sharing my personal details (name, address, phone, DOB, mother’s maiden name) online.
My information is already in the public domain therefore I don’t care either way.
21
Q5: Please rate your level of agreement with the following statements about sharing information online.
Bases: 5,000 US respondents, 5,000 UK respondents * Significantly higher than comparison group at the 95% confidence level
US respondents are significantly more like than those in the UK to express
discomfort sharing information online. UK respondents are more often
comfortable sharing financial details and personal information to complete
online transactions, but even among those in the UK it is a minority opinion.
United States United Kingdom
Attitudes about sharing information online
22
Roughly two-thirds of respondents are more worried now than ever about
protecting their personal/financial information online, with the same number
expecting security breaches to get worse over the next year.
24% 25% 24% 16% 41% 38% 37% 27% 23% 26% 33% 39% 10% 9% 5% 13% 3% 2% 2% 5%
I’m worried about getting my credit card/financial information stolen online. I am more concerned about security online now than I have ever been. Security breaches will get worse in the next year. My credit card and personal information is less secure now than it was 1 year ago.
% Strongly/ Somewhat Agree
65%
60% 62%
Internet security: concerns
Strongly agree Somewhat agree Neither agree nor disagree Somewhat disagree Strongly disagree
Q6: Please rate your level of agreement with the following statements about internet security. Bases: 10,000 qualified respondents
43% This worry around transacting online has reached a peak. Roughly two-thirds of respondents are more worried now than ever before about protecting their personal and financial information online, with the same number expecting security breaches to get worse over the next year. Whether this is born out of media hype, or first-hand experience, it’s a clear message to online businesses. Security is moving up the consumer agenda.
23
The tendency to conduct transactional activities online is mostly unchanged
despite security concerns, however there is a high level of awareness
regarding the need to do more to protect their data and widespread
understanding of the steps required to protect themselves online.
22% 17% 7% 42% 45% 16% 27% 24% 29% 7% 12% 33% 2% 2% 15% To be fully secure online I know
I need to do more to protect myself.
I know what steps I should take to protect myself more online.
I am doing less online (e.g. banking, shopping) now than I used to because of my concerns with online security.
Strongly agree Somewhat agree Neither agree nor disagree Somewhat disagree Strongly disagree
Q6: Please rate your level of agreement with the following statements about internet security. Bases: 10,000 qualified respondents
% Strongly/ Somewhat Agree
65%
62%
23%
Internet security: concerns
But interestingly, this isn’t stopping consumers from transacting online. However, consumers are well aware that they need to do more to protect their personal data. They also believe they know the steps they need to take to achieve this.
Worryingly (for the e-retailers) almost a quarter claim they are transacting less online due to concerns with online security. This is evidence that security is affecting behaviour.
The pictures does differ slightly when the US and UK are split up – with more consumers in the US reporting security concerns, as well as being quicker to realise the need to do more to protect themselves.
58% 64% 18% 61% 55% 51% 32% 68% 70% 69% 54% I’m worried about getting my
credit card/ financial information stolen online. I am more concerned about security
online now than I have ever been. Security breaches will get worse in the next year. My credit card and personal information is less secure now than it was one year ago.
71% 61% 28%
To be fully secure online I know I need to do more to protect myself. I know what steps I should take
to protect myself more online. I am doing less online (e.g. banking,
my concerns with online security.
Q6: Please rate your level of agreement with the following statements about internet security.
Bases: 5,000 US respondents, 5,000 UK respondents * Significantly higher than comparison group at the 95% confidence level
US consumers are significantly more likely than those in the UK to
report online security concerns and are also more likely than UK consumers
to know they need to do more to protect themselves online.
United States United Kingdom
Internet security: concerns
Top 2 Box: Strongly/Somewhat Agree
But the results regarding data breaches make for grim reading.
A massive 64% of consumers are concerned that their financial
information will be compromised within the next 12 months
because of the recent spate of online data breaches.
Amazingly, a third think it will happen within the next month.
I am concerned that my credit card/financial information will be compromised because of online data breaches
29% 4% 13% 18% 11% 10% 15% Any minute Next month Within the next six months Within the next twelve months Within the next three years Within the next five years Never
25
Q7: I am concerned that my credit card/financial information will be compromised because of online data breaches:
Bases: 10,000 qualified respondents, 5,000 US respondents, 5,000 UK respondents * Significantly higher than comparison group at the 95% confidence level
Six out of ten consumers are concerned that their credit card/financial
information will be compromised within the next 12 months because of online
data breaches; a third think it will happen in the next month.
33%
31%
21%
15%
Immediate Short-term Long-term Never 38%* 32% 17% 13% US 28% 31% 24%* 17%* UKMany argue that businesses have an ‘it won’t happen to me’ attitude when it comes to data breaches. But, consumers are growing more concerned about the safety of their information.
Policies for Internet security for consumer protection
should be set by
38% 34% 24% 3% Government agency Independent overseeing body Individual companies None should exist/no one 27Q8: Policies for Internet security for consumer protection should be set by: Bases: 10,000 qualified respondents
Consumers hold companies accountable for data security
and look to government agencies or an independent overseeing
body to do more to protect consumers.
Those that think their online security will be compromised immediately, are more likely to think a government agency should set policies.
Those that know little or nothing about the change in domain extension are more
likely to think an independent overseeing body should set policies while those that know a lot think individual companies
should set policies.
Indicates respondents from this country are significantly more likely than peers in other countries to engage in this behavior online.
Currently the responsibility for a safe online experience hasn’t been grasped by anyone in particular. There are parts that consumers can handle – such as strong passwords – while certain elements can only be addressed by businesses, such as their internal security processes.
Our study found something new: consumers want a government agency to ensure businessses are accountable.
Interestingly, those that think their online security will be compromised
any day are more likely to think a government agency should set policies.
Clearly they don’t believe the current system is up to scratch.
39% 42% 16% 3% 37% 27% 32% 3% Government agency
Independent overseeing body
Individual companies
None should exist/no one
UK consumers most strongly believe an independent overseeing
body should set policies for internet security while US consumers
put more emphasis on individual companies.
United States United Kingdom
Policies for Internet security for consumer protection should be set by
Q8: Policies for Internet security for consumer protection should be set by:
Bases: 5,000 US respondents, 5,000 UK respondents * Significantly higher than comparison group at the 95% confidence level
NEW
The picture switches somewhat when we look individually at the US and UK. UK consumers strongly believe an independent overseeing body should set policies for Internet security, while US consumers put more emphasis on individual companies. Although there have been a number of high-profile data breaches in the US in recent years, they do have a more stringent disclosure policy – and companies often offer credit monitoring when their customers are affected.
29
Regardless of who sets the policies, 4 out of 10 consumers feel the
government is not adequately regulating the use of consumer data online.
Consumers admit feeling overwhelmed with security options and call for the
government to mandate companies do more to protect information online.
67% 56% 38% 12% 5% 21% 29% 36% 32% 16% 11% 13% 19% 37% 39% 1% 2% 4% 15% 27% 1% 1% 3% 5% 12%
Companies that use personal and financial information online should compensate consumers financially if they lose that information because of
data breaches.
The government should mandate that companies do more to protect all information companies’ use or
store online.
I feel overwhelmed with the security options & messages online regarding security. The government is adequately regulating the online
security of companies that use personal and financial information online.
Regulation of online transactions and Internet security
Q9: Please rate your level of agreement with the following statements.
Bases: 10,000 qualified respondents
% Strongly/ Somewhat Agree 22% 88% 84% 44% 75%
Strongly agree Somewhat agree Neither agree nor disagree Somewhat disagree Strongly disagree Companies should be legally obligated
to disclose security breaches.
But regardless of who sets the policies, 40% of consumers feel the
government is not adequately regulating the use of consumer data
online. Consumers admitted to feeling overwhelmed with security
options and call for the government to mandate companies do more
to protect information online.
Conclusion
This study has shone a light on how
consumers are reacting to the growing
online security threat.
We see headlines every week of
customer data being stolen from
companies big and small. And we know
that consumers are doing more and more
online – from spending on retail to sorting
out their health insurance.
Up to now it didn’t seem that one affected
the other. But we’ve shown that customer
confidence has been seriously damaged.
For those businesses that hold data
online it’s a clear indication that security
needs to be prioritised. Consumers will
return to the brands that they trust to
keep their data safe.
About NCC Group
NCC Group is a global information assurance firm, passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.
Through an unrivalled and unique range of services, the company provides organisations across the world with freedom from doubt that their most important assets are protected and operational at all times. Listed on the London Stock Exchange, NCC Group is a trusted advisor to more than 15,000 clients worldwide, including over 90% of the FTSE 100. NCC Group has the largest security testing team in the world.
Headquartered in Manchester, UK, NCC Group has 20 offices across the world and employs over 1,000 people.
NCC Group delivers security testing, software escrow and verification, website performance, software testing and domain services.
www.nccgroup.trust
About .trust
.trust is a unique generic top-level domain (gTLD) from NCC Group that will provide a safer and more trustworthy Internet. The .trust gTLD signals that a site is a safe website to interact and do business with. Organisations using .trust domains will be required to comply with rigorous security policies in order to prevent the use of .trust domains for malicious activity. A continual process of security review and improvement will help ensure those sites stay in compliance with .trust requirements.