In my last blog, we established that retailers are a very attractive, and lucrative, target for hackers, and that cyber attacks on retailers are rising rapidly. To recap, a resounding majority (72%) of retail executives surveyed by Retail Week had witnessed a significant increase in cyber-attacks in the last two to three years, and almost two thirds (64%) of those had personally experienced a breach.
Reassuringly, the scale of the problem seems to be recognised at board level, with almost 8 out of 10 retail executives agreeing that information security has enough visibility in the board room. Indeed, the area is now being specifically covered in the annual reports of the largest retailers.
However, it appears that understanding of the subject is often limited, with nearly half (46%) of retail executives believing their leadership “does not understand at all” and less than a third (30%) believing they “sufficiently understand” it. This rather worrying position mirrors knowledge about technology overall, with cyber security competing – and often losing – against digital strategy in the battle for focus and budget.
“Ignorance to cybercrime is only matched by ignorance to technology in general”
Miya Knights, Global Technology Research Director, Planet Retail
So, what are the best defences the retail industry can employ against the real and present danger of the cyber criminals with designs on their data? Here are our top 5:
#1 Security focus: IT departments must become more focused on security and dedicate resources accordingly. In some cases, particularly for larger retailers, that means establishing and continually investing in a dedicated security operations function, mapping people and processes to security and ensuring compliance is maintained. That function should run regular live threat simulations so that it can assess how effectively it stops attacks or limits their impact.
As Mike Tyson said, “Everyone has a plan ‘til they get punched in the mouth”.
#2 Education: A robust education policy is needed across all staff levels if retailers are to keep on top of the growing risks of cyber attacks. To be effective, this must be much more than writing a policy that employees sign as part of the on-boarding process and include regular engagement to keep information security front of mind.
#3 Dedicated budget: Industry experts estimate that 3-4% of sales should be allocated to IT, of which up to 20% should be allocated to information security. Yet retail executives report that this figure is not always ring-fenced and a quarter of businesses surveyed had no budget allocated for information security whatsoever. Retailers must allocate sufficient budget to prevent and minimise issues as the cost of remediating them is much greater.
#4 Industry standard: Retailers’ reluctance to share information about cyber attacks means that no written industry standard for doing so currently exists. Alongside the excellent work of industry bodies such as the BRC in this area, information security researchers, including Cisco’s Talos division, continuously research and report exploits and vulnerabilities and share that information in cross-vendor forums, from which many retailers benefit.
#5 Innovation: The internet of things is creating more and more ways for consumers to interact with retailers, which means an ever-increasing number of new endpoints and, therefore, potential weaknesses for hackers to attack. 70% of retailers believe the hackers are a step ahead of them in designing attacks, so an all-round security strategy that takes advantage of industry best practice and technical developments is essential to defend against the ever-present threat.
Don’t be the next cyber-attack headline! To learn more about current cyber risks and information security practices in UK retail, download the Retail Week report “Tackling data breaches in modern retail”, sponsored by Cisco. Or visit our website to learn more about our security portfolio.