
Cyber Risk in the Retail Sector

The retail sector is on the cusp of transformation with advancements in the Internet of Things (IoT), big data, cloud, robotics and artificial intelligence (AI). Consumers are becoming increasingly connected as new sales platforms and marketing techniques flood the industry. However, this plethora of innovation brings with it a darker risk.

Sam Millar, Litigation and Regulatory Partner at DLA Piper

Retailers now store more consumer data than ever before across an increasing range of digital platforms, providing cybercriminals with more data to target and more doorways to access them. As retailers invest in technology to collect and exploit new and existing customer data, there is a corresponding rise in the need for them to navigate the regulatory issues unique to this technology and to maintain effective systems and controls to ensure the security of the collected data.

There has been an abundance of change in the retail sector within the last decade. Arguably the most significant of these changes is the evolution of digitalisation.

With the emergence of the Internet of Things and the development of ‘smart’ devices, anything and everything from mobile phones to televisions are now ‘online’. This greater connectivity has led to consumers demanding faster access to a wider variety of products and has provided retailers with the opportunity to offer new sales platforms and more targeted marketing strategies.

Retailers Have Vast Quantities of Data

Retailers have recognised the rise of the digital world and are embracing it. A significant benefit that accompanies this digitalisation is the opportunity to collect and exploit customer data.

Loyalty schemes, software application downloads and online registrations all allow for the collection of vast quantities of data, from names, addresses and telephone numbers to clothes sizes and purchase histories. In return, consumers receive the benefits of personalised advertisements, offers and products to match their preferences.

The analysis of data can also be used to improve the efficiency of the supply chain; this has been seen in the experimental use of blockchain, through which transactions can be tracked more securely and transparently.

Laura Ford, Legal Director at DLA Piper

These efficiencies ultimately lead to lower prices for consumers as production costs are reduced. The future prospects are exciting too, with research and development currently taking place in areas such as driverless cars, augmented reality, facial recognition software and robotics. The benefits include new opportunities for reduced travel and delivery times, payment transactions, improved safety and greater accuracy and efficiency in manufacturing supply chains.

Whilst these innovations offer great opportunities, the associated collection and storage of data comes with increased risks. Publications by PricewaterhouseCoopers show there was a 30% increase in the prevalence of cyberattacks in 2017 and that cybercrime is the most common type of fraud reported in 2018. In recognition of this growing threat, the UK Government’s National Cyber Security Strategy has committed £1.9 billion of funding to defend against cybercrime for the period 2016-2021. Many large corporations are also taking action, tasking their C-suite executives with responsibility for implementing cybersecurity defence initiatives.

IT infrastructures have become more and more complex in recent years with cloud computing, mobile and remote working. Cybercriminals target weaknesses in the interconnectivity of these networks, with a defect in one device providing a portal to the others. Data breaches are complex affairs, often involving a combination of human factors, hardware devices, exploited configurations or malicious software. Cybercriminals have developed a wide range of methods to access data held by retailers, including web-application attacks; attacks on point-of-sale environments leading to payment card data disclosure; denial of service attacks, such as physical disruption to elevators in stores or disruption to online sales platforms; and payment card skimmers, to name a few.

Data breaches have tremendous detrimental effects on retailers, including heavy fines under domestic and European legislation and significant profit losses stemming from the disruption to operations and the loss of customers. The retailer’s brand will be impacted, with the brand name and the breach becoming interlinked.

What can Retailers do to Help Prepare for a Breach?

Adopting a program of Active Cyber Defence by engaging security analysts and implementing security measures to strengthen their systems against attack is a key first step. Data classification schemes and retention programs can increase the visibility of the data held, and the adoption of a data breach plan allowing the retailer to identify any breach and respond to it quickly and effectively is crucial. Engaging in targeted employee training, reducing the complexity of IT systems and investing in regular, ongoing security analysis are also key preventative measures.

If the worst comes to the worst and an attack occurs, some simple steps can help to limit its impact. Change the passwords to accounts which have administration rights or access to sensitive information. When the attack takes the form of ransomware, pull the plug on affected PCs in order to avoid the spread of the data breach. Engage security experts as soon as possible, take legal advice on notification requirements and engage PR support to manage any media fallout. And finally, take whatever steps may be necessary to preserve customer trust and loyalty in the face of the breach.

This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.