The retail sector has evolved dramatically over the last ten years. Even the most traditional brick-and-mortar stores have embraced social media, automation and e-commerce. However, as retail has transformed, so too have the threats it faces. As the holiday season approaches, retailers must ensure they have the right solutions and processes in place to keep their infrastructure, staff and customers secure.
This is not to say cyber security efforts should be focused on one season: security is an ongoing, year-round exercise of continuous improvement. But if retailers are concerned about the maturity of their security posture, then now might be the most critical time to act. Both anecdotal and historical evidence indicate that threat actors are more likely to target retailers during the festive season.
For example, in November 2019, US department store Macy’s sent a data breach letter to customers, explaining Magecart had successfully deployed card-skimming malware on its checkout and wallet pages, just as Black Friday began. This malware enabled Magecart to capture customers’ credit card information as they placed orders.
Why retailers are vulnerable to cyber security incidents
Like all sectors, retailers realise the potential of data, analytics and artificial intelligence (“AI”) to improve the customer experience and back-end operations – via personalised marketing, predictive fulfilment or last-mile delivery. As retailers continue to increase their reliance on data, cyber security has become pivotal.
UK retailers fall within the scope of the UK Data Protection Act and UK General Data Protection Regulation (“GDPR”), which both mandate strong safeguards to protect data and impose penalties on those who fail to protect it. This makes the stakes higher than ever for retailers – as a security incident could also lead to a costly fine of up to 4% of annual turnover or result in reputational damage.
The last year has been a difficult one for retail, with the impact of COVID-19 being harshly felt, particularly for mainstay physical retailers. As demand for e-commerce offerings has increased, many retailers have moved towards omnichannel models, blending their offers between the physical and digital realms. This multi-faceted end-customer experience is, again, dependent on data. Consumers are putting trust in retailers to handle their data lawfully, ethically and securely: a break in this trust, brought about by a security incident, could lead to a long-term loss of loyalty.
Moreover, retailers need to recognise that even if their own infrastructure is secure, a security incident in a supplier or partner could lead to them becoming collateral damage. Supply chain attacks are becoming increasingly common, meaning retailers must focus not only on bolstering their defences but ensuring their supply chain is secure too. You can read more on this topic in our guide to supply chain security.
Indeed, as data has become more intrinsic to retail operations, cyber security has become equally essential. Therefore, having both preventative and response measures in place is paramount. Retailers must create an ongoing cyber resilience strategy aligned to business and operational objectives. Data is becoming (if it isn’t already) a highly valuable asset for retailers – but it is also a highly coveted asset for threat actors.
Steps to take
There are several actions retailers can take to improve their cyber security posture – both for the festive period and year-round. To begin with, we suggest reading the National Cyber Security Centre (“NCSC”) and British Retail Consortium’s joint cyber resilience toolkit for retailers. The toolkit contains step-by-step guidance aimed at helping retailers build a strong cyber security strategy.
We also advocate completing the NCSC’s flagship standard, Cyber Essentials, which provides five foundational steps for adequate protection. A step further would be to achieve Cyber Essentials Plus, which requires a qualified, independent assessor to validate that these five steps are in place. For supply chain security, the NCSC offers 12 principles, designed to enable effective control of the supply chain. Other broad cyber security standards to consider are ISO 27001 or the NIST Cyber Security Framework.
Retailers must also prepare for the worst-case scenario. They need to have a plan to help them respond to a security incident in a calm and timely manner. We have written a guide on incident response planning to help with this.
As well as focusing on their own cyber security protections, retailers must also remember their customers. Phishing emails, malvertising, and phone call fraud are all popular tactics threat actors use during the festive period. Often, they will disguise their attempts as Black Friday or Christmas retail offers.
To help their customers stay safe, retailers should make an effort to educate their customers on fraud and explain, in clear terms, what genuine communications from their marketing or sales teams will look like. Taking this step will protect customers and improve customer trust in the business.