Retail is in an interesting place, riddled with contradictions. For some, it’s a well-established fact that physical shops would do well to avoid the death of the high street and move online.
Look at the recent news surrounding Toys R Us, Littlewoods and Carpetright – although some within the space, such as this author at Forbes, thinks the opposite. Profits are reported rising and then fall again.
For most though, it’s clear that an online presence is vital for a successful business. And data forms the very core of the omnichannel experience. Consumers are no longer happy to be offered the same as everybody else; data needs to be used to build a profile, tailor offerings and retain details of customers, allowing precious time to be saved and the process of online shopping made as smooth as possible.
But, if retailers are increasingly jostling for space, needing to keep their competitive edge through digital channels, applications and payment details, how can they ensure they remain secure and compliant?
For those in retail, it’s not as simple as just getting the basics in place and relaxing. A recent report into sectors most targeted by hackers showed that retail, with 13% of all attacks, was the most threatened sector. The number of attacks faced in the last twelve months was also up 30%; the problem is getting worse.
And so too are the repercussions. The GDPR has arrived, the stakes, not just for retailers, but all businesses with European staff and customer information, are more severe than thought to be. There is a separate debate to be had about education around GDPR and the way in which the regulations are currently framed, but, despite there being an incremental ramping up of sanctions under GDPR, it still needs to be taken extremely seriously.
It’s clear as to why the sector is so targeted, with retailers quintessentially businesses almost entirely set up around the transaction of goods and payments (often through electronic means), but there is less understanding around just where exactly these threats can come from. Much of this confusion comes from the different avenues through which these attacks take place.
These avenues are becoming increasingly sophisticated. What’s fundamental to this area is that, for all intents and purposes, the idea of the perimeter around a digital or omnichannel retailer no longer exists.
As the workplace has moved forward and become more flexible, so too has the concept of being ‘inside’ and ‘outside’ a network. Remote offices and workers, mobile technologies, cloud storage, collaborative documents, the ease of file-sharing; all of these mean that people define the perimeter of any business – not just retailers – with an online channel.
This means that attacks can come from any angle; a point made none more so apparently than the fact that an insider attack can originate from outside the network. If a phishing attack resulted in a valid login of an employee being shared, and this used to remove sensitive customer data from a retailers’ database, an insider threat has taken place from outside of the network. This means that retail organisations need to understand how information is shared and accessed in modern business, from a multitude of devices and anywhere with an internet connection.
It also means that a clear set of policies, standards and best-practices need to be agreed upon and reinforced with third parties. Retailers often operate in a complex supply chain; a supply chain that can be climbed by an attacker, moving from the bottom of the food chain upwards throughout other connected businesses. Therefore, technology and education need to be in place with key suppliers, distributors and third parties just as stringently as within the owner’s own business.
Let’s start with the technology that must be used. In essence, what any business needs is visibility throughout a network, allowing them to catalogue and analyse any anomalous behaviour. This technology, known as user and entity behaviour analytics (UEBA), tracks what users are doing and how data is moving, flagging if user or data behaviour differs from what could be considered reasonable and safe. Whether authorised or not, employees can put data and systems at risk.
With our example from earlier, a hacker that’s tricked an employee into divulging their credentials can move cloud data laterally from different applications to a cloud system, designed to withdraw the data afterwards surreptitiously.
A recent survey found that hackers can exit a network within 15 hours, armed with prized data, so it’s vital to spot a compromised account before it’s too late, all the while collecting a log of information and evidence to inform.
The second area to get right is training. Training needs to be more than just PowerPoints – it should be interactive, incentivised and, most importantly, made applicable to the day-to-day lives of the team, whether they are on the shop floor or at head office. Show them just how quickly an issue could arise, and the lessons will stick. Penetration testing can be a viable way of both testing your technology’s limits and also highlight the multitude of ways an attack could be planned, showing those that are less digitally-savvy in your organisation that there is more to the area than suspect links to not be clicked.
Leading on from this is the way in which senior leadership engages with cybersecurity as a topic. Long seen as the sole dominion of the IT team, this no longer flies, with shops, head offices or online distribution centres as part of a retailer’s setup. From smaller, one-location retailers through to international organisations with branches numbering into the 100s, those at the top of the business need not just to understand cybersecurity but also drive forward a culture of rigorousness and best practice. Only through this top-down approach will a shift in attitude towards staying safe through online channels to permeate.
For those in the retail sector, the advent of online channels, hosted software and the increasing appetite of the public to purchase via the internet means that there is a massive opportunity for those that get their digital strategy right to thrive. However, it’s important to remember that this strategy must incorporate cybersecurity at its core. Because, with an unlocked back door into your network that no one is checking, it’s all too easy for retailers to open up in the morning and find a digital break-in.
Author: Dr Jamie Graves, chief executive officer and founder at ZoneFox
Image credit: Fotolia