GUEST COMMENT Building effective cyber defences in retailing
Alison Wiltshire is global practice lead, Retail and Consumer Goods at BT.
It’s no wonder retail brands are especially attractive targets for cyber and ransomware attacks. Digital transformation in stores, in customer interactions and throughout the supply chain means retailers are not only collecting a treasure trove of valuable data but are also dramatically expanding the surface area for cyberattacks.
In just one year, the number of retail businesses reporting data breaches to the UK Information Commissioner's Office has doubled, jumping from 19 in 2015/16 to 38 in 2016/17, according to London-based law firm RPC. As we move faster and faster into the digital economy, retailers need to continuously rethink the risks to their business. Innovation cannot be at the expense of security. Good cyber security must be built in at the beginning and at every level of operation and customer interaction.
The security challenges for retailers are significant
In the race to catch up with pure digital competitors, traditional retailers are adopting new technologies both in-store and online. There’s a big uplift in the number of devices, or ‘endpoints’, on the corporate network, providing criminals with many more potential points of entry. Research by Thales reveals that 80% of retailers (outside the US) are deploying new technologies such as cloud, big data, IoT and containers before they have security in place to protect them.
Retailers and retail brands are capturing more data on shoppers than ever before. From monitoring shopping behaviour online to tracking activity in the physical store, retailers know more about their customers than ever. Shoppers increasingly trust retailers to store their payment and personal details, and the consequences of a data breach can be severe for the individual customer. And we all know how damaging, financially and reputationally, it is for the retailer.
In the constant pressure to get new products, services, offers and campaigns to market as quickly as possible, it is easy to overlook or underestimate their security implications. The imminent wave of smart consumer products will exacerbate the problem. Earlier this year the New York Times reported that a Canadian manufacturer of smart sex toys had to pay $3.75 million to settle a lawsuit after it emerged that the company had violated consumers’ privacy by collecting personal usage data.
The bulk of many retailers’ sales come in a concentrated period, such as Black Friday, Christmas and other key holiday periods. If they fall victim to a ransomware attack around those peak shopping days, they may feel under pressure to simply pay up, rather than lose a huge proportion of revenue and profit.
Historically, retail has been a relatively siloed business, where individual stores or sales operations work almost like independent businesses. However, as retailers move towards an omnichannel model, the very process of joining up back office systems and aggregating multiple data sources can create gaps in the infrastructure that leave businesses open to security threats.
Increasing regulation, such as the EU General Data Protection Regulation coming into effect in 2018, places great responsibility on the retailer to protect personal data. Failure to comply will trigger a fine of up to four per cent of annual global revenues.
Cybercrime is now a fact of life and, as so often in life, there is no one magic solution. But there are some clear steps that will help retailers protect their customers and their business in the digital age:
Certainly, digital transformation creates new risks, but there is no reason why the retailer cannot use existing risk management strategies and processes. Beating cybercrime means going beyond basic controls and routine responses. It takes thinking about ‘what if’ (including extreme scenarios), rehearsing the crisis plan, carrying out war games and getting ethical hacking teams to test defences. This work also gives the retailer a much better understanding of its risks, and enables it to further refine responses.
In any industry, employees should be a front line of cyber security defence. The retail sector is characterised by a high number of often transient employees – especially at peak periods – and it is difficult to train and instil a culture of security behaviour in a constantly churning workforce. However, digital employee tools and techniques will give retailers new ways to communicate and educate associates about their role in preventing cyber crime and protecting customer data.
One of the lessons retailers can learn from the financial services sector is the importance of sharing information and experience with industry peers. No one is immune from cyber threats but by collaborating and working together, businesses can make it much harder for criminals to be successful. This is also the principle behind the government’s Cyber Security Information Sharing Partnership (CiSP).
Of course, technology has a role to play, but what matters is choosing relevant technology defences. Many cyber attacks are fairly unsophisticated and will be repelled by basic good housekeeping like keeping software up to date. Time to detection is a good measure of cyber defence effectiveness. Currently, the average time to detection in the retail sector is six months, whereas for IT company Cisco it is six hours.
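Time to detection is only useful as a measure if it is actually computed from incident records, and the average alone can hide a long tail. The following is an added illustration, not code from the article or from BT: it computes mean and median time to detection (dwell time) over a constructed set of incident records and lists the incidents that exceeded a chosen detection target. The record layout, the incident identifiers and the 30-day threshold are assumptions made for the example.

```python
"""Time-to-detection (dwell time) metrics over a set of incident records."""
from datetime import datetime, timedelta

# Constructed sample incidents (not real data). Each record holds the estimated
# time of initial compromise and the time the security team detected it.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2017-01-01T08:00:00", "detected": "2017-06-30T08:00:00"},  # 180 days
    {"id": "INC-2", "compromised": "2017-03-10T09:00:00", "detected": "2017-03-12T09:00:00"},  # 2 days
    {"id": "INC-3", "compromised": "2017-05-05T14:00:00", "detected": "2017-05-05T20:00:00"},  # 6 hours
    {"id": "INC-4", "compromised": "2017-08-01T00:00:00", "detected": "2017-09-15T00:00:00"},  # 45 days
    {"id": "INC-5", "compromised": "2017-11-20T12:00:00", "detected": "2017-11-30T12:00:00"},  # 10 days
]


def dwell_time(record):
    """Return the interval between compromise and detection for one record."""
    start = datetime.fromisoformat(record["compromised"])
    end = datetime.fromisoformat(record["detected"])
    if end < start:
        # A detection timestamp before the compromise timestamp is a data error,
        # not a zero dwell time; refuse to silently count it.
        raise ValueError(f"{record['id']}: detection precedes compromise")
    return end - start


def mean_time_to_detect(incidents):
    """Arithmetic mean of dwell times; sensitive to long-tail incidents."""
    times = [dwell_time(r) for r in incidents]
    return sum(times, timedelta()) / len(times)


def median_time_to_detect(incidents):
    """Median dwell time; a better picture of the typical case."""
    times = sorted(dwell_time(r) for r in incidents)
    n = len(times)
    mid = n // 2
    if n % 2:
        return times[mid]
    return (times[mid - 1] + times[mid]) / 2


def over_threshold(incidents, threshold=timedelta(days=30)):
    """Identifiers of incidents whose dwell time exceeded the detection target."""
    return [r["id"] for r in incidents if dwell_time(r) > threshold]


if __name__ == "__main__":
    print("mean time to detect:  ", mean_time_to_detect(INCIDENTS))
    print("median time to detect:", median_time_to_detect(INCIDENTS))
    print("over 30-day target:   ", over_threshold(INCIDENTS))
```

On the constructed data the mean is about 47 days while the median is 10 days: one six-month incident dominates the average, which is exactly why the median and a per-incident list against a target are worth reporting alongside the headline figure.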
Successful retailing is about trust and that’s not going to change in the digital world. As retailers collect progressively more personal data from customers in order to deliver a personalised, individualised shopping experience, the impact of a breach can be highly emotive. Savvy retailers will understand that this is a new opportunity to differentiate themselves through the robust security they wrap around customer data and transactions.
Finally, let’s accept that this is not a new problem: retailers have always had to defend their business against amateur thieves and professional criminals - it’s a business problem, not a technology problem. So retailers must approach cybersecurity in the same way they approach all security: with a clear understanding of the threats, the implementation of appropriate defences and the interests of the customer at heart.