It’s a familiar sight – the uniformed security guard patrolling the store on the lookout for shoplifters, ready to spring into action to stop thieves from getting away with the goods. Retailers have long known the value of proactive security to prevent loss and act as a deterrent in the real world. However, it seems that in the virtual world the retail security guard is out of shape, unable to keep up with the almost continuous threat of cyberattack. In a recent A10 Networks global survey, 29% of participants felt that the retail sector is the least prepared to respond to cyberattacks. This was far higher than for sectors such as finance and government. Why is retail so vulnerable, and what are the challenges to overcome so that customers can shop in safety?
Sale of the century for cybercriminals
The retail sector is a seductive target for cybercriminals. High transaction volumes, including spikes at predictable times such as the holiday season and Black Friday, offer plenty of opportunities for fraudsters to get in amongst legitimate purchasers and make a profit. Beyond direct fraud, the vast quantity of customer data collected by retailers is of immense value to cybercriminals, who offer it for sale on the deep and dark web. The sector is also a target for hacktivists looking for notoriety; bringing down a major retailer’s site with a DDoS attack over the holiday season will certainly make you famous.
Attacks on the retail sector are on the rise. PwC recently found that attacks globally were up by 30% year on year, and the number of serious data breaches in retail firms reported to the UK Information Commissioner’s Office (ICO) has doubled. In a climate where customers are increasingly aware of the importance of privacy and the risks of identity theft, this statistic is a big problem for retailers. A report by MediaPro found that 84 percent of shoppers would change their shopping habits if a retailer experienced a cyberattack, with 49 percent saying that they would be unlikely to buy from that retailer in future. In the fast-paced world of online retail, this reputational damage can cost millions. On top of this, the implementation of the GDPR in 2018 is going to make the financial consequences of data losses far heavier, with organisations facing fines of up to 4% of annual turnover should their management of customer data be found to be in breach.
Key challenges for retail
Retailers have an enormous incentive to gather customer data to drive sales and marketing programmes. They are less heavily regulated than sectors such as finance or government so the drive to put data security first is not so strong. However, as they respond to competitive pressure to develop multichannel shopping experiences and offer customer-enticing loyalty schemes, so they also create more potential points of attack and opportunities for cybercriminals to take advantage. Evidence suggests that security systems are not evolving alongside retail innovations, with only 58% of retailers reporting that they have an overall security strategy in place. This needs to improve if the sector is to protect itself from cyberattacks of increasing frequency and sophistication. As they take advantage of the efficiencies and scalability of cloud and other technologies, retailers need to be confident that their systems can detect and neutralise malicious activity and protect customer data as it is transferred around the organisation.
Another challenge lies in the fact that retail is staff-intensive. People can be security’s best asset or its biggest weakness, but in the UK government’s 2017 cyber security breaches survey, only 33% of retail executives believed that core staff took security seriously. This figure compared with 63% in the finance industry – perhaps an indication of the stringent regulations governing that sector. Staff turnover in retail is generally higher than in other industries, so it can be a challenge to keep on top of educating staff about their security responsibilities, but it’s not something that can be shirked as the consequences of poor practices can be severe.
Retail is an important part of everyday life and customers value ease of use and convenience very highly. But they also value their private information. If retailers are going to continue to be trusted by their customers, they need to get their security guards up to scratch in the virtual world as well as in the real one.
By Mike Hemes, Regional Director, Western Europe, A10 Networks