Orange Cyberdefense investigates the process of securing the shopping experience
James Thorpe
ISJ – April Edition Exclusive
By prioritising cybersecurity, retailers can promote customer confidence, writes Dominic Trott, Director of Strategy, Orange Cyberdefense.
No sector has escaped the threat of cyber-attacks, including retail, as proven by the spate of high-profile incidents impacting the likes of WH Smith, JD Sports, Funky Pigeon and The Works over the past 12 months.
Orange Cyberdefense’s 2023 Security Navigator report, which analyses data collected by our CyberSOCs worldwide, found that while retailers account for 6% of clients, they generated 21% of the security incidents detected last year. The apparent focus of cyber-criminals on the retail sector needs to be of concern to business and IT leaders in this vertical.
This need is magnified when considering the business impact of recent attacks that have hit this vertical. Funky Pigeon had to suspend orders for a fortnight in April 2022, which led to a loss in sales of £20m. Around the same time, The Works also had to shut five of its outlets and suffered delays in fulfilling online orders. More recently, both WH Smith and JD Sports fell victim to attacks that compromised personal data the retailers held.
Cyber-criminals accessed the personal information of current and former WH Smith employees and the personal and financial data of over ten million JD Sports customers. Both examples will have necessitated regulatory entanglements under the GDPR, with potential ramifications in terms of fines, shareholder value, brand perception, lost business and customer loyalty.
Cyber-attacks that impact this sector not only have real financial implications if sales have to be halted, especially given the rise of ecommerce, but can also have a multitude of negative impacts on business outcomes.
For example, they can damage brand reputation and the confidence customers have in brands, a lack of which may cause them to look elsewhere. A drop in customer loyalty and brand perception can result in lost business. This can in turn lead to decreased shareholder value. As the cost-of-living crisis continues, retailers must do all they can to drive positive business outcomes – and part of this relates to ensuring appropriate cybersecurity protection.
Retailers are a data trove
It may not always seem so – with stolen data often being published online – but data often isn’t cyber-criminals’ end goal. They are financially motivated, often aiming to obtain or block businesses from something of value to encourage their victim to pay up. This is the basis of the crime of cyber-extortion, otherwise known as a ransomware attack.
This is important to understand, as retail has a unique set of characteristics that make it a prime target for cyber-criminals. The first of these is the quantity and types of data that retailers hold. Catalysed by the rise of ecommerce, retailers hold vast quantities of personal information such as contact details and financial data such as saved card details. This valuable data is a prime target for malicious actors – and retailers have a lot of it.
The recent growth of ecommerce, accelerated in part by the pandemic, has expanded the volume of data that retailers hold. Meanwhile, for the sake of convenience, customers often choose to save cards or delivery details for a faster checkout. Yet, each piece of data held not only adds to the volumes held by retailers, but also represents further exposure to risk.
Further, the nature of retail means that market players collect yet more data that may not be common practice in other sectors. This includes details of the purchases customers make to influence loyalty schemes and provide tailored offers. This behaviour is common within segments characterised by fierce competition and low margins, such as the ‘big four’ supermarket chains, presenting an additional layer of information that malicious actors can extort.
The weakest link
Retailers also have sprawling digital estates, making it easier for cyber-criminals to infiltrate the corporate network and access the data they seek. As well as the rise of web apps, cloud infrastructure and SaaS applications, retailers have deployed countless point-of-sale systems, tills and computers across thousands of outlets. These provide plenty of options for cyber-criminals to exploit and gain access to networks, as was the case with The Works last year.
However, what is perhaps more important is that these devices are used frequently by countless numbers of staff, some of whom may only have a basic awareness of cybersecurity best practices. While this is a major issue for almost every sector, the Security Navigator report found that this kind of unwitting ‘insider threat’ was the most common type of incident suffered by the retail sector.
This includes the unapproved use of software or workarounds by staff as well as employees falling victim to phishing attempts. This all points to staff being the weak link when it comes to the security of the retail sector.
Shopping securely
The retail sector is not vulnerable to cyber-attacks just because of the characteristics of the businesses that operate within it. However, the reality is that it is an attractive target for cyber-criminals. This means decision makers must seek means by which to achieve more from their staff, security technologies and partners.
Approaches such as consolidation and automation can play a role, but must be part of a multi-layered approach to security. Fundamentally, this should include ensuring that employees have at least a basic awareness of good ‘security hygiene’ behaviour and encouraging good practice that will reduce the risk of exposure to cyberthreats. This way, retailers can ‘recruit’ employees to become their first line of defence against security threats, protecting their infrastructure and customers from future attacks.
While investments can be made to bolster defences, retailers must also be aware it is a case of ‘when, not if’ they suffer a cyber-attack. Therefore, they must also be prepared (and know how) to respond appropriately in the event they are struck. This includes reporting the incident to regulators and law enforcement, informing those whose data are exposed to risk and taking systems offline to prevent further access and mitigate damage. It is often clear, concise and timely communications during a cyber-attack that will put customers’ minds at ease and ensure they know their data is in safe hands, even during an emergency situation.
Riding the wave
Ultimately, customers are becoming increasingly aware of the risk of cyber-crime as it rises higher on the mainstream news agenda. This, in turn, increases the impact that a successful cyber-attack will have on a retailer’s reputation and its customers’ willingness to spend. To avoid a fate similar to that of WH Smith or JD Sports, the time is now to make investments that will help to minimise the likelihood of an attack being successful and to manage the impact if cyber-criminals do infiltrate the network.
There is clearly a role for technical tools and solutions, such as real time detection and response processes. But technology must be accompanied by an equal, if not stronger, focus on people and process to succeed.
A key example is boosting awareness of staff, who are likely to be the ones being targeted by malicious actors. By combining technology, the human element and ensuring that seamless crisis response procedures are in place, retailers will be able to ride the swelling cyber-crime wave and keep their customers on side.
Orange Cyberdefense
Orange Cyberdefense is the cybersecurity business unit of the Orange Group, renowned for its expertise in the field. As a leading provider of security services, the company’s objective is to promote a safer digital society. With a focus on threat research and intelligence, Orange Cyberdefense has unparalleled access to current and emerging threats.
This article was originally published in the April edition of ISJ.