GUEST COMMENT Retailers vs cyber criminals – The battle of wits and risk

The heat is on for retailers. Following an influx of cyber attacks in recent times, they must look to lower their risk in every way possible. An attack can cause lasting reputational damage, and businesses need to make sure they have the right safety net should the worst happen. But have retailers learnt lessons from the events of 2016?

Growing vulnerabilities

Over recent months, many big brands have become the victims of huge security breaches. Whether it’s Three, TalkTalk or Tesco Bank, these are brands consumers know and use on a regular basis, and the loss of, or unauthorised access to, millions of customer records is a huge concern.

The retail industry is a desirable target for cyber-criminals. Last year saw a huge rise in ransomware and extortion attacks, with 400% more breaches taking place in 2016 compared to the year before – and over half of these attacks were targeted at retailers. Although the use of chip-and-pin, as well as newer methods such as contactless payments and digital wallets in Europe, means that the theft of card details from a company’s network is less likely, the increased storage and use of customers’ personal details within loyalty programmes, marketing and data analysis, combined with a rise in the amount of sales completed online, means that companies are still likely to process and store data. This is a goldmine to criminals.

Whether it is due to a clumsily coded website, a partner’s weak security, or a breach of a loyalty programme – one high-profile attack could mean huge financial and reputational loss in a matter of days for a retailer.

Lessons aren’t being learnt

Interestingly, it was the Target and Home Depot attacks in 2013 and 2014 that originally highlighted how cyber security is often more of an afterthought for retailers rather than an upfront consideration. Since these high-profile attacks, there’s been a massive reaction from retailers to try to lower their cyber risk.

However, more needs to be done. According to recent research from Lloyd’s, which surveyed 346 senior decision makers across Europe, while 90% of retail businesses suffered a cyber security breach in the last five years with 54% of retail leaders starting to take responsibility as a result, only 42% are concerned another breach will happen in the future.

While it is reassuring that responsibility for cyber risk sits at the most senior level of the business, it is clear that firms are also too complacent when preparing for a cyber risk incident and believe the dangers of a breach won’t impact them again.

Increased regulation pressure

The pressure on retailers to make sure they’ve got cyber-security right will increase dramatically due to the new European regulations that will force businesses to be more responsive to cyber incidents.

The upcoming EU General Data Protection Regulation (GDPR) in particular, due to be implemented in 2018, will set rigorous requirements for any business that handles European consumers’ data. For retailers, this will be a big focus as businesses look to get plans in place ahead of the start date. The regulation will require businesses to report security breaches to their regulator within 72 hours and to affected citizens without undue delay. If organisations don’t comply, companies suffering data breaches will face fines of up to 4% of annual worldwide turnover or €20m, whichever is higher.

However, despite the implications, the Lloyd’s research revealed that over half of retail business leaders admit to not fully understanding the potential implications of the GDPR for their company. Only 6% revealed that they knew “a great deal” about the regulation.

Retailers need to realise that cyber-attacks can happen despite the protection they put in place. What matters is how businesses learn to manage these events when they occur, and what measures they have in place to protect their organisation and, importantly, their customers.

Combatting today’s cyber-criminals

Now is the time for retailers to focus on securing their systems just as much as keeping them online – if up-time is a priority then security needs to be as well. There are four crucial steps for retailers to consider.

1. Identify the specific risks
Understand the ‘crown jewels’ of the organisation (these could be stored by the company or by a vendor) and plan for the most likely ways a cyber incident could put them at risk. Once created, these plans should be tested and updated regularly to mitigate these specific threats and ensure a smooth response to an incident.

2. Handle with care
With the shift towards data analytics for customer insights, the amount of sensitive data held has increased exponentially in recent years. Ensuring that the storage of this data has a proper business case, that it is regularly purged to remove unneeded records, and that it is secured or anonymised where possible will decrease both the risk and the cost in the event of a breach.

3. Engage employees
Many cyber incidents start with human error, from accidental disclosure to clicking on a phishing email. Awareness of these problems is a cultural issue: training should be driven from the top down, and employees should be made aware of, and trained on, the threats they face.

4. Never stop learning
As digital technology continues to evolve, it’s important for organisations to evolve alongside it. By developing a culture of “continuous learning”, new and evolving threats can be built into a year-round, proactive approach to security.

5. Integrate cyber insurance as part of a cyber-security strategy
Cyber insurance offers more than just cover for loss of income. It can provide not only a safety net but also access to IT, legal and PR services should the worst happen, especially on the biggest shopping days of the year, ensuring that a reputation built up over years is not destroyed in minutes.

Cyber incidents continue to have a huge impact on a business’s bottom line and reputation, especially in the retail sector. With sufficient planning and practice, even a successful attack can be managed to minimise the damage and ensure that customers are satisfied with the company’s response. This will allow businesses to focus on meeting their customers’ demands, whilst ensuring that their customers’ data and their reputation are secure.

Justyn Hardcastle is Lloyd’s underwriter at Tokio Marine Kiln