Graham Swallow and Steven Kenny of Axis Communications consider the measures that must be put in place to protect the retail industry and customer data from cyber attacks.
A retail data breach as a result of a cyber attack is likely to be way down on the list of priorities for many retailers, particularly at a time when most will be working hard to generate the vital revenues lost as a result of the pandemic. But, as research reveals that up to 88% of UK companies have suffered breaches in the last 12 months and that 60% of small companies go out of business within six months of falling victim to a data breach or cyber attack, a serious breach is a very real threat facing every retailer, big or small. In modern retail, where self-service checkouts and ‘click and collect’ services give the customer more choice, the technologies and cloud-enabled infrastructures that facilitate this frictionless shopping experience are a prime target, particularly at this time of year.
The multi-faceted systems that make modern shopping so seamless, with many layers of complex customer data, present an enticing prospect for criminals. With the majority of attacks (86% of all breaches) being financially motivated, the information that retail organisations hold about their customers is of increasing value, particularly as more information is added, making a customer’s profile more comprehensive. Cyber attacks targeting both physical stores and online retailers are becoming more frequent and the disruption caused by such an attack can be catastrophic. It is now thought that the average cost of one minute of downtime due to a DDoS (Distributed Denial of Service) attack is in the region of US$22,000 with an average downtime of 54 minutes.
GDPR-related fines from the ICO can total as much as €20m or 4% of an organisation’s global annual turnover, whichever is higher. The financial cost of a breach itself, combined with long-term reputational damage and crippling fines, can be devastating to retailers. It is therefore essential to raise awareness of the steps and procedures that should be followed by all staff and management personnel to ensure full data compliance in accordance with GDPR principles.
A breach can cause irreparable damage to a retailer’s brand, severing bonds with key stakeholders and losing valuable custom. According to a 2019 study, 19% of consumers said they would stop shopping at a retailer in the event of a breach and 33% said they would take a break from shopping with a retailer for an extended period. For the retailer who is fortunate enough to be able to recover stolen assets and restore their systems, repairing the brand and regaining customer trust could prove even more costly in the long term.
The move from traditional CCTV systems, which typically sat outside of a retail company’s IT operation, to the modern cloud-based options we see today enables enhanced security features which result in better protection of the physical retail environment. Real-time video alerts can allow security teams to be proactive rather than reactive. In addition, a range of retail intelligence options such as occupancy data, queue monitoring and stock control capabilities improve operations. Tools to enable the setting of occupancy thresholds are a welcome addition to any retail surveillance system during COVID-19, when safe distancing and control over maximum in-store customer numbers are a focus.
When connecting technology to a network there will always be some element of risk. This can be mitigated by employing technologies that have been manufactured in accordance with cybersecurity principles. Those that have not, such as an unsecured security camera, can be easily compromised. As a weak point in an otherwise secure system, the camera can then be used as a ‘backdoor’ to gain entrance to the retailer’s databases. With cyber criminals having free rein over stock reports, confidential files, finances and customer data, they have the power to sell that data or to hold a company to ransom for its return.
It is imperative that retailers carefully consider who they choose to partner with to provide their security solutions and services. Vendors that have been awarded Secure by Design, Secure by Default accreditation, an accolade from the Surveillance Camera Commissioner (SCC), have the appropriate credentials to prove that their technologies are manufactured with cybersecurity considerations at the forefront, rather than factored in later as an afterthought.
Decision making about the purchase of any retail security solution should also factor in the total cost of ownership (TCO). This puts power into the hands of the customer by giving them the ability to calculate the full cost of a system upfront, including maintenance requirements, software updates and firmware upgrades. With an accurate forecast showing costs spanning the life of the security solution, a retailer is able to ascertain that there are no hidden fees and have full transparency over all elements of the decision-making process.
By working closely with the trusted providers of high quality security solutions, the retail industry will be equipped to more effectively face the challenges of today and tomorrow. A step closer to effective mitigation of the cybersecurity threat is a step closer to a smarter, safer retail world.