How retail is tackling the cybersecurity skills shortage

The number of retail businesses reporting data breaches to the Information Commissioner's Office has doubled over the last year – jumping from 19 in 2015/16 to 38 in 2016/17.

Those figures from London-based law firm, RPC, come with a warning that the risks involved in data breaches are increasing as retailers collect a growing amount of information about their shoppers.

With the rise in eCommerce, loyalty schemes and digital marketing, and the move to offer electronic receipts, RPC says all types of retailer are now targeted by hackers – and the sector is feeling the pressure to invest more heavily in cybersecurity.

Jeremy Drew, partner at RPC, says: “Retailers are a goldmine of personal data but their high profile nature and sometimes aging complex systems make them a popular target for hackers.

“There are so many competing pressures on a retailer’s costs at the moment – national minimum wage rises, rates increases, exchange rate falls, as well as trying to keep ahead of technology improvements – that a proper overhaul of cyber defences can get pushed onto the back burner.”

There is a major skills shortage, not just in the UK but globally, with Cisco’s Midyear Cybersecurity Report highlighting that 24% of retail security professionals believe a lack of trained personnel is a major obstacle to adopting advanced processes and technology. Due to lack of staff, the survey says, there is a steady stream of security alerts that retailers cannot fully address.

Three major cybersecurity initiatives in the UK, however, show action is being taken to clamp down on this growing problem.

BRC student challenge

The British Retail Consortium (BRC) recently announced the winner of its 2017 Cyber Security Challenge, which invited new ideas on how government, law enforcement and industry should work together to tackle the main cybersecurity threats facing retail in the UK.

The winning paper was authored by Andreas Haggman, currently studying for a PhD in cybersecurity and geopolitics at Royal Holloway University of London. Haggman will get a chance to present his essay to the BRC's Fraud and Cyber Security Member Group, helping inspire retailers in their approaches to this mounting challenge.

Open to any student based at a UK higher education establishment, entries were judged by a panel of cybersecurity scholars.

At the very least, the BRC initiative will have brought some new thinking and awareness into retail, but the best-case scenario is that it will have provided some real actionable insight that can help an industry which continues to come under attack.

Luke Beeson, VP of security UK & global banking & financial markets at BT, explains: “One of the most significant threats to security in retail is a large number of employees and a reliance on transient labour to cope with seasonal demand.

“It’s very difficult for businesses to instil security behaviour in a churning workforce. The best way for retailers to overcome this is to make it as easy as possible for employees to be aware of how cyberattacks can happen, which will help them to do the right thing.”

Highlighting the pressing need for action, Cisco’s survey showed 32% of retail security professionals said they had lost revenue from cyberattacks in the last year, and a quarter admitted they had lost customers or business as a result of the problem.

What is government doing?

In the year ahead the National Cyber Security Centre (NCSC) is looking to encourage more UK women into cybersecurity, via a national CyberFirst Girls competition.

The 2017 competition, which entailed a series of online challenges and puzzles, attracted 2,171 teams of schoolgirls aged between 13 and 15. Some 8,000 people participated in total, and the competition finale saw 37 girls from the top ten teams meet at a central London location, where Lancaster Girls Grammar were named winners.

The NCSC said the event “clearly demonstrated that the shortage of female cyber security professionals is not due to a lack of interest”, adding that it hoped its competition will help encourage the next generation.

This summer also saw the UK government announce a £20 million scheme to train close to 6,000 teenagers of both sexes in cybersecurity, once again using gamification to appeal to the young demographic.

Via a nationwide network of extracurricular clubs, activities and a new online game, the aim is to encourage schoolchildren to develop the key skills they would need to work in the growing cybersecurity sector and defend UK businesses against online threats.

SANS, BT, FutureLearn and Cyber Security Challenge UK have been confirmed as partners for the programme, which is run by the Department for Digital, Culture, Media and Sport.

The scheme represents one attempt at tackling a cybersecurity workforce gap in the UK, which ranks third behind Israel and the Republic of Ireland as the country where there is most demand for cybersecurity professionals.

Job site Indeed, which compiled the global research, says severe cybersecurity skills shortages persist in every country – only in the US and Canada does the supply of job seekers exceed 50% of employer demand.

Spencer Izard, chief analyst for enterprise advisory at Ovum, says it's vital that retailers employ a team of security experts, who will “truly act on the best behalf of the organisation” – as opposed to relying on outsourcing this role to specialist companies.

“It’s easy to say we have a shortage of skills in cybersecurity, but there are actually many different elements of cybersecurity,” he notes.

“Areas include anything from privileged user access to behavioural profiling and monitoring, and the classics such as intrusion/detection. Each of these things requires a composite set of skills or actual dedicated skills.”

Izard adds: “It’s very encouraging hearing government and retail are thinking about addressing the cybersecurity skills shortage but they need to think about it with more of a ‘sense and respond’ perspective to skills.”

Whatever way businesses approach the cybersecurity challenge, it is clearly rising up their corporate agenda.

Global information services provider Neustar says 60% of the 290 security executives it surveyed in 11 EMEA countries admit the recent global cyberattacks, such as WannaCry, which targeted Microsoft operating systems worldwide, have directly affected strategy.

Respondents ranked ransomware and system compromise as the two most concerning threats, while 44% of respondents have focused on increasing their ability to respond to both ransomware and distributed denial of service attacks.

With the right investment, skills development and recruitment, retail could better protect itself from cybercrime. Encouraging action is being taken, but the fruits of this labour will need to emerge quickly to limit mounting financial losses and reputation damage.