Cybersecurity in retail: a big job, but a necessity

Cybersecurity in retail is complex, not least due to its long, tangled, obtuse supply chains and vast customer bases.

We recently published a report on this very subject. It highlighted how retailers can actually give themselves a competitive advantage if they’re able to demonstrate how well they protect the privacy of their customers. Nearly 40% of UK consumers said they would be willing to increase their online spend by at least 20% if their primary retailer were to give them security assurances and competitors did not. In an industry where margins are everything, this is a huge potential edge.

Of course, protecting the security and privacy of (potentially) millions of customers is a non-trivial task. We realise that your CISO – or whomever fulfills this function – may have limited budget. However, customer records are being compromised and risks must be identified and appropriately managed. Past compromises have arisen from all kinds of vulnerabilities, ranging from your traditional internet-based hacks (such as SQL injection via poorly implemented websites) through to the now infamous Target compromise where the attacker got in via their cooling systems provider.

Identify your attack surface

Firstly, what do I mean by “attack surface”? I mean the areas and opportunities where attackers can potentially interact with your systems or data. Retailers can have complex attack surfaces – do not limit yourself to thinking only of your website!

In our report, the top rated vulnerability to lead to cybersecurity breaches at UK retailers was outdated architecture (43%). Legacy architectural weaknesses, such as flat networks, can make the “blast radius” of an attack far larger than it need be, as, once on the inside, an attacker may have more or less free movement throughout your environment. This lack of segregation can also extend your attack surface to every store, factory, distribution centre and farm in your organisation.

Consider how dynamic the retail environment is, with both new stores opening and old ones closing on a regular basis. What happens to the physical network connections in your old stores? Are you absolutely certain those stores you sold off last month are no longer connected to the network? How about your distribution centres – are they dedicated to you or are they shared with other organisations? If the latter, what barriers have you put in place to control access to your systems? What about your manufacturing and packaging facilities? Do they contain any plant that is “smart” or network-connected? Is that plant fully patched? Or is that equipment running a networked operating system that can’t be patched because the provider of the kit no longer offers support or has gone out of business?

The Wannacry and NotPetya outbreaks have bluntly demonstrated the dangers of running unpatched systems on flat networks – customers have run out of sympathy for businesses caught out by similar outbreaks. 65% of consumers said a data breach at their primary retailer would cause them to stop or reduce transactions from them, so retailers need to take heed of the ample warnings provided by past malware outbreaks. There is no room for retailers to be complacent with online and traditional security – they have to act, and act now or get left behind by more security (and privacy) conscious competitors.

Securing the store

Now let’s turn our attention to stores. Lots of potential attack vectors here. Do your stores offer free Wi-Fi? Is that Wi-Fi connected to the corporate network? How secure is your store’s back-office? How secure are your point-of-sale terminals? What would happen if a malicious actor left a few USB sticks containing some malicious content around the store (or perhaps HQ)? Do users know not to plug such devices into corporate machines – even if labelled “Redundancy Planning Q3”?

I’m a cybersecurity chap. I can’t avoid talking about the internet and, these days, the cloud. Many retailers are now moving towards the cloud, particularly in the area of customer analytics. The use of cloud services opens up yet another attack surface – not least the barriers in place between yourself and other users of that cloud platform.

I would not expect customers to be overly sympathetic should they find out that the only barrier between their data and an attacker is a single username/password combination. With the advent of GDPR, I would not expect too much sympathy from the relevant data protection supervisory authorities either.

Transparency is key

With GDPR enforcement now with us, data protection and privacy has never been more of a focus. Retailers need to understand that consumers take the protection and safety of their personal and financial data very seriously. However, nearly a third of all consumers said their primary retailer do not communicate data privacy policy changes to them.

We are currently seeing a big disconnect between what UK consumers believe retailers do when requesting their personal data and what UK retailers say they do. It is clear that consumers take the protection and safety of their personal and financial data very seriously. We found that close to half (48%) of all consumers say they frequently review the data privacy policies of retailers when they purchase online.

GDPR has increased the need for transparent and unambiguous privacy policies, particularly when it comes to obtaining user consent for data collection and providing clarity on how that data will subsequently be used.

Your website is one of your primary mechanisms for demonstrating how much importance you place on the security and privacy of your customers, so make sure that you make the most of that opportunity.

In summary, improving your security and privacy posture may be a big job – but it’s a necessity. Present it to your budget-holders as an opportunity for long-term gains, improved customer loyalty and avoidance of hefty fines (we’re all more than aware now of the maximum potential GDPR fine of 4% of global revenue!) and you’ll find that conversations and budgets may come a lot easier.