Often, when a hacker sets their sights on an organisation, the first thing they reach for isn’t a sophisticated exploit or backdoor; it’s human error. Perhaps an employee uses an unsanctioned device, sets a weak password, or responds to a fake email. Each of these is an opening that an attacker can exploit.
No matter how ironclad an organisation’s technological defences are, there is always the chance that an unwitting human being can be manipulated to willingly open the gates to an attacker – a so-called “social engineering” attack. These attacks underpin the three most common types of cyber risk to the retail industry: financial fraud, phishing, and malicious spam.
The retail industry is a popular target for cyberattacks, and employees are constantly at risk of contact with malicious actors. In fact, the industry is the victim of 32.4% of all successful cyberattacks every year. Given that retailers hold valuable, sensitive data on customers, including payment details, it’s no wonder the sector is targeted. This is especially true for the ecommerce businesses that were catapulted to new heights by the pandemic and have become prime targets for cybercriminals.
To successfully defend retail businesses against increasingly sophisticated attacks, we must first understand the state of the industry. This article uses data from Impero’s recent cybersecurity survey of 400 UK retail employees to develop a comprehensive picture of the sector’s current approach.
Today’s employees are highly connected
Technology is a fundamental part of modern retail, and employees are engaging with a variety of devices constantly as part of their job. Nearly half (48%) use more than three different internet-connected devices at work on a regular basis.
The specific devices that retail employees use depend on the nature of their role – those in online retail will have different needs than those working in-store, for instance. Overall, popular devices include laptops, which are used by 62% of employees, mobile phones (45%) and tablets (39%). Similar numbers also use payment card machines (48%), scanners (39%) and point of sale machines (34%).
Every additional connected device in an environment is another potential entry point for cybercriminals. A broad variety of devices also places an additional burden on IT teams, as each one must be inventoried, kept working properly and kept current with the latest security patches. Devices that handle cardholder data, such as payment card machines and point of sale systems, deserve particular attention: they are high-value targets in their own right and are typically subject to industry compliance requirements.
Employees are aware of the risks
Retail employees consider cybersecurity an important part of their role, and 41% said they would consider leaving their job if they were responsible for a major cyber incident. Relatedly, a quarter of employees feel worried about the possibility of being involved in a future incident. While a healthy level of caution is reasonable, that so many employees feel worried suggests that the current level of training and support isn’t going far enough.
Shockingly, one in five retail employees have already been involved in at least one data security incident – a wake-up call for businesses which mistakenly assume that “it won’t happen to us.” In today’s landscape, cyberattacks are a real and widespread threat, and countering them requires constant vigilance at every level of the organisation.
Personal devices are popular – but not necessarily secure
Today, more than half of retail employees (57%) access company systems and data from their personal devices, often smartphones. However, almost three in ten say their company doesn’t strictly enforce a security policy for using personal devices at work – or that they simply don’t have a security policy.
This is a major issue. Organisations which do not have a security policy (or which do not enforce it) are extremely vulnerable. If an employee’s phone is compromised, either remotely through malware or physically through loss or theft, any company data cached on it, along with any saved credentials and logged-in sessions, can easily fall into the wrong hands.
However, retail employees value being able to use their own devices – 40% of employees consider a “bring-your-own-device policy” as important to their employee experience. Because of this, it may be infeasible to ban personal devices altogether.
Instead, organisations should maintain a robust security policy, ensuring that each employee device which accesses the network has up-to-date defences: a supported operating system with current security patches, device encryption and a screen lock at minimum, and enrolment in a management tool so company data can be removed if the device is lost. Organisations must also provide cybersecurity training to employees to ensure that they maintain best practice on their personal device and do not put company data at risk.
Employees lack confidence and tools for cybersecurity
A significant majority of retail employees (68%) do not feel confident recognising and reporting cybersecurity threats at work. This should be a major red flag to the entire industry, as employees are the first line of defence against threats.
The move to remote working by some employees has also increased their unease, with 32% of hybrid workers saying that the change has increased their concern about maintaining cybersecurity. The natural solution here is more support and training on how to conduct remote work securely, something one in three respondents asked for.
Even more concerning, fewer than half of employees have access to critical security tools. Just 41% of employees are required to use multi-factor authentication, and the same number have access to secure remote access software and virtual private networks through their employer. This matters because multi-factor authentication is one of the most effective single controls against the credential phishing described at the start of this article, although SMS codes and push prompts can still be phished or worn down by repeated prompts; authenticator-app or hardware-key methods are stronger. Retailers must address these shortcomings and provide their employees with the tools they need to keep their business safe.
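The two points above (a personal-device policy that is actually enforced, and multi-factor authentication that is required rather than optional) come together in an access decision: before a device is allowed to reach company systems, both the device and the user are checked against a baseline. The following is an added example written for this article, not Impero’s product or the survey’s methodology; the minimum OS versions, patch-age limit and the device and user records are constructed for illustration.

```python
"""Device-posture and access-policy check (illustrative example, not Impero code).

Each device record is compared against a hypothetical minimum BYOD baseline,
and the owning user must be enrolled in multi-factor authentication. The result
says whether access should be allowed and, if not, every reason why.
"""
from dataclasses import dataclass

# Hypothetical baseline. Real values come from the organisation's own policy.
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0), "windows": (10, 0), "macos": (13, 0)}
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str          # "ios", "android", "windows" or "macos"
    os_version: tuple      # (major, minor)
    patch_age_days: int    # days since the last security update was applied
    encrypted: bool        # storage encryption enabled
    screen_lock: bool      # PIN, password or biometric lock enabled
    mdm_enrolled: bool     # enrolled in the company's device-management tool
    personal: bool         # BYOD device rather than company-issued


@dataclass
class User:
    username: str
    mfa_enrolled: bool


def check_device(device: Device) -> list[str]:
    """Return the list of policy failures for a device; an empty list means compliant."""
    failures = []
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        failures.append(f"unsupported platform {device.platform!r}")
    elif device.os_version < minimum:  # tuple comparison: (12, 4) < (13, 0)
        have = ".".join(map(str, device.os_version))
        need = ".".join(map(str, minimum))
        failures.append(f"os {have} below minimum {need}")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"security patches {device.patch_age_days} days old (limit {MAX_PATCH_AGE_DAYS})")
    if not device.encrypted:
        failures.append("storage not encrypted")
    if not device.screen_lock:
        failures.append("no screen lock")
    # A personal device must be enrolled so company data can be wiped if the
    # phone is lost or stolen; company-issued devices are assumed to be managed.
    if device.personal and not device.mdm_enrolled:
        failures.append("personal device not enrolled in device management")
    return failures


def access_decision(user: User, device: Device) -> tuple[bool, list[str]]:
    """Combine the device check with the user check. MFA is required for everyone."""
    reasons = check_device(device)
    if not user.mfa_enrolled:
        reasons.append("user not enrolled in multi-factor authentication")
    return (len(reasons) == 0, reasons)


def evaluate_inventory(users: dict[str, User], devices: list[Device]) -> dict[str, tuple[bool, list[str]]]:
    """Evaluate every device in an inventory, keyed by device id."""
    return {d.device_id: access_decision(users[d.owner], d) for d in devices}


# Constructed sample data: four devices and their owners.
SAMPLE_USERS = {
    "a.khan": User("a.khan", mfa_enrolled=True),
    "b.lee": User("b.lee", mfa_enrolled=False),
    "c.ruiz": User("c.ruiz", mfa_enrolled=False),
    "d.okafor": User("d.okafor", mfa_enrolled=True),
}
SAMPLE_DEVICES = [
    # Compliant personal phone owned by an MFA-enrolled user.
    Device("phone-01", "a.khan", "ios", (17, 1), 10, True, True, True, True),
    # Old, unpatched, unencrypted, unmanaged personal phone; owner has no MFA.
    Device("phone-02", "b.lee", "android", (11, 0), 90, False, True, False, True),
    # Company laptop in good shape, but the owner has not enrolled in MFA.
    Device("laptop-03", "c.ruiz", "windows", (10, 0), 5, True, True, True, False),
    # Platform the policy does not cover at all.
    Device("tablet-04", "d.okafor", "linux", (6, 1), 5, True, True, True, True),
]

if __name__ == "__main__":
    for device_id, (allowed, reasons) in evaluate_inventory(SAMPLE_USERS, SAMPLE_DEVICES).items():
        status = "ALLOW" if allowed else "DENY "
        print(f"{status} {device_id}" + ("" if allowed else ": " + "; ".join(reasons)))
```

The check reports every failure rather than stopping at the first one, so the employee (or the help desk) sees the full list of what needs fixing, and a compliant device with a non-enrolled user is still denied: the device policy and the MFA requirement are independent controls and both must pass.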
Working together to keep the business safe
Ultimately, cybersecurity requires the harmonisation of people, processes and technology. A shortfall in any one of these three areas is all that a hacker needs to gain access to a retailer’s system, and once in the door, they can do untold damage.
It’s up to decision-makers to establish and enforce clear, robust processes on device usage and to implement appropriate technology, but the human side of cybersecurity requires commitment from every employee. If businesses want to keep their data safe and their brand away from negative headlines, they need to focus on improving cybersecurity awareness and behaviours amongst the entire workforce – from the C-suite to customer service.
Justin Reilly, chief executive officer, Impero Software