In 2013 cyber crime cost large UK organisations £3 million a year on average, an increase of 42% on 2012, according to the Ponemon Institute's Cost of Data Breach Report 2013.

The study found that these businesses fell victim to 1.3 successful attacks per company, per week. This represents an increase of 16% in attacks that infiltrate a company's core networks compared with 2012.

With the frequency and cost of cyber incidents on the up, a better understanding of the cost of cyber crime will assist organisations in determining the appropriate level of investment required to mitigate the serious consequences of an attack.

In recent years, retailers have been so focused on cutting costs and expanding their online presence that they have not spent enough of their technology budgets on protecting customer data and their infrastructure.

The 2013 Information Security Breaches Survey reported that retailers spend just 3.8% of their IT budgets on security – the lowest percentage of all the listed sectors in the report. At the top end of the scale, government bodies and telecoms firms spend 12.6% of their IT budget on security.

While retail expenditure on technology is significant, the bulk of the recent investment has gone into improving eCommerce offerings; only a very small part of that allocation has been spent on security.

Unlike their peers in other industries, especially regulated industries, most retailers still focus on just meeting the basic standards set by the payment card industry rather than taking a holistic approach against increasingly sophisticated attacks.

Recent breaches show that even if the payment card environment is secured, insufficient isolation and poor security elsewhere can leave a retailer's wider data environment open to security holes that criminals can easily punch through.

Whilst retailers clearly do want to see cyber security incidents reduced, most of them believe they only have limited ability to make that happen. They argue that they did not design the payments systems, and do not configure or control the payment cards. It is true that every party in the payment system, financial institutions, networks, processors, retailers and consumers, has a role to play in reducing fraud. However, retailers can no longer afford to ignore this issue, passing on blame elsewhere. Financial institutions, networks and payment providers have all scaled up their security investment. Retailers are yet to respond.

Companies are starting to realise that security investments can have positive ROI results. The Ponemon report analysed ROI figures for different security investments. It found that organisations achieve an average 14% return on investment in areas like security incident event management (SIEM), intrusion prevention systems (IPS), application security testing, and enterprise governance, risk management and compliance (GRC) systems. Companies deploying security intelligence systems claim to have experienced a substantially better ROI of 23%.

But direct ROI in terms of incidents averted is just one benefit from a retailer's perspective. Apart from avoiding the direct and indirect costs of a breach, the main benefit to a retailer is protecting the brand and maintaining customer confidence.

Following disclosure of a recent breach at a well known retailer, the company's brand rating plunged by 35 points on BrandIndex's scale. Further, despite a discount offer in the following week and efforts by the retailer to staff up call centres and to reach out to customers, the company's BrandIndex score stood at -19, 45 points down from its pre-breach score of +26.

Inevitably, security conscious consumers in an increasingly eCommerce-driven retail world will choose to make purchases from a brand that they believe is secure, and avoid those they don’t.

Retailers need to be proactive about cyber security. They must address it as part of a comprehensive reputational risk management strategy that includes controls over IT risks like technical security and business continuity.

Collaboration between departments within the organisation is key. Retailers need to create a culture within the organisation where IT managers work with other risk management specialists. Together they can create a comprehensive profile of organisation-wide reputational risks for senior management. They need to anticipate problems and not wait for an incident to happen. There are plenty of case studies to be used as a basis for “what if” planning.

Learning from recent incidents, they must not act in isolation; they need to secure their supply chain. A failure by a small supplier can be just as devastating as an internal problem, and risk controls must be coordinated across key players.

Failure to invest in cyber security today will, in many cases, unfortunately be shown to be a false economy for retail businesses in the near future. As mentioned in a previous article, it will also be the CEO who will be in the public spotlight for failing to manage the risk, not the CIO.

Sandeep Kumar is a director in Alvarez & Marsal's Cyber Security Practice, which provides incident response, forensic investigation, CISO interim management and training services globally.

Former Carpetright IT director Ian Woosey is a senior director at professional services firm Alvarez & Marsal. He will be writing a monthly column on cybercrime exclusively for Essential Retail.

http://www.alvarezandmarsal.com/retail