Retailers of all sizes have recognised the tremendous opportunity the internet presents for conducting business. But this opportunity comes with great risk.

Cyber risk has now emerged as a high-profile problem; so much so, it has been escalated to third on the Lloyd's Risk Index 2013, which surveys C-suite and board executives to find the biggest threats to global business.

Given the increasing volume of transactions and data available online, it is no surprise that valuable data is the target of increasingly sophisticated cyber attacks. Originating from organised crime, hacktivist groups and, sometimes, nation states, these attackers aim either to make financial gain or to cause disruption.

A stark truth is that most companies are unaware that they have already fallen victim to an attack, as they have no means to detect it. Indeed, many major retailers are being breached on a daily basis.

Despite these deep threats and seemingly clear warnings, many retailers continue to believe that their existing measures have this risk covered. Most still tend to regard cyber risk as an "IT problem" and miss the wider business strategy, as well as legal and cultural implications, that protection from cyber attacks requires. Unfortunately, as several major recent breaches show, this is not just an "IT problem".

2013 saw cyber security issues hit the limelight, with recent breaches at major US retailers making the prime-time news. With credit card details lost and customers affected in the tens of millions, these breaches have seen CEOs and boards struggling to contain the PR backlash and reassure customers.

Retail cyber breaches can be classified into two broad categories:

  • Denial of service attacks that take internet-facing systems offline, so that eCommerce websites go down or critical backend systems such as payment systems become unavailable.
  • Data breaches that result in the loss of sensitive customer data or credit card information.

While a large number of these attacks and breaches are perpetrated by outside hackers breaching a company's defences, insiders such as company staff and contractors have been responsible for a small number of very devastating breaches. Just last week, an employee at a credit ratings firm in South Korea was alleged to have sold the personal details of up to 20 million South Koreans to marketing firms. This incident resulted in 27 executive resignations, including board members.

Cyber attacks have a huge impact on a retailer's reputation and customer relationships. Consequently, we see share prices become depressed, alongside increased regulatory attention and fines. In 2012, a breach involving a large payment processor saw a 12% fall in the company's share price within just a week of the breach going public. Remedial action could also bring large legal and customer compensation bills.

A major problem is that the threat could come from a wide range of sources, from criminals accessing in-store point of sale terminals to rogue staff stealing data from outsourced call centres.

While IT systems are usually the conduit for these attacks, the solution is never just IT. The answer needs to be holistic and start from the top. Just as food provenance and supply chain integrity have become board level concerns, cyber security now needs the same focus because of the potential impact on brand reputation and trust.

Retailers need to recognise that senior executives must be more aware of cyber risks and that these risks and controls need to be taken into consideration as part of business decision-making. Organisational design to align responsibility, appropriate governance mechanisms in the form of policies and reporting channels, as well as staff awareness programmes, are all necessary alongside typical IT controls to embed cyber risk management capability within the organisation.

As retailers find new ways to exploit the internet for competitive advantage, the risk is being exacerbated. The increase in strategies that make use of big data, mobile, eCommerce, social media and digital marketing will continue to increase the opportunities for hackers to steal information.

At the same time, regulations for loss of Personally Identifiable Information (PII) are becoming more severe, with the EU proposing mandatory breach reporting within 72 hours and fines of up to 5% of global turnover. Retailers will, therefore, need to be able to demonstrate a high level of cyber attack awareness and readiness.

However, as consumers become more aware and start to value the security of their data, smart retailers could use improved security and responsible handling of customer information as a marketing differentiator and an enabler for business growth. Further, good security hygiene would free staff from firefighting to focus on strategic objectives.

This new view on security as a differentiator will also allow a business to adopt new working paradigms such as different geographies, business and operational models.

The retail sector is long overdue in acting on the emerging issue of cyber risk. CEOs who are successful will jump ahead of the competition by sponsoring a proactive, enterprise-wide cyber security programme. It is now a necessity for retailers of all sizes to protect customer data at all levels of service. Failing to do so may leave the CEO answering some very awkward questions in the future.

Former Carpetright IT director Ian Woosey is a senior director at professional services firm Alvarez & Marsal. He will be writing an exclusive monthly column on cybercrime for Essential Retail.

http://www.alvarezandmarsal.com/retail