In a live webinar on 2 February 2021, the British Retail Consortium, together with Aon and the National Cyber Security Centre, discussed the changing cyber threat facing the retail industry and offered practical advice on how best to manage the increased challenges.
Recent studies have shown that successful cyber breaches can cost as much as 7% of a company’s share price (according to IBM Security), while the direct cost to a retail business of a data breach has been increasing year-on-year to an average of US$1.84 million (data from the 2020 Trustwave Global Security Report). And it’s clear that the threat of such a devastating cyber-attack on retailers has grown over the last year as COVID-19 accelerates transformational change in the industry. “It’s easy to overlook the threat from new ways of working and change of working practices,” said the British Retail Consortium’s Director of Business and Regulation – Tom Ironside. “With so many of us working remotely, the range of points at which threats can emerge has increased. Companies should also recognise the risk from third parties; partners you interact with in the supply chain need to view cyber security as much of a priority as you do.”
What can be done? “Failing to invest in the right skills and capacity can be just as dangerous as failing to invest directly in the right technical protections. It’s a classic prevent, prepare, respond, recover, review cycle. Retailers should consider adopting a full lifecycle approach to incident management within the company’s overarching information security strategy,” urged Ironside.
Opportunities and threats
Over the last 12 months, the impact of COVID-19 has led to a marked increase in the frequency and severity of cyber incidents on retail organisations, said Aon’s Mark Brannigan – Head of Cyber Solutions UK. “The expansion of remote working protocols and the acceleration of the move to online e-commerce and digitisation of operations has led to an increase in the digital footprint for attackers to go after.”
While digital innovation can deliver increased employer and employee flexibility, said Brannigan, as well as the creation of new business models and customer engagement possibilities, it also comes with significant risks, ranging from supply chain vulnerabilities to vendor access to data and systems.
“We’ve seen an increase in attacks on e-commerce platforms, and the targeting of organisations’ operations that could be their distribution centre technology, their warehouse operations, or their supply chain in terms of integrations with third parties. There has – and rightly so – been a focus in recent years on data privacy issues, but what we can’t allow that to do is deflect from the business interruptions we’re seeing now,” said Brannigan.
In particular, the cyber threat is coming from ransomware which is expected to lead to losses of over US$20 billion globally in 2021 (Aon’s Cyber Security Risk Report 2020), warned Alex Hornsby – Senior Cyber Risk Consultant at Aon. “If a business experiences a denial of service attack or any kind of data breach there is significant risk of reputational damage that could impact the share price of the company or the ability to attract new customers. From a business interruption standpoint, the retail industry is increasingly moving business online which means companies are even more dependent on the functionality of their suppliers and systems.”
As an additional consequence of ransomware, Hornsby added, more insurers are requesting information on how their clients are managing their ransomware risk before they’re willing to offer cyber cover.
Build your resilience
To counter the risk, the priority for retailers must be on building up their cyber resilience, advised Hornsby. “It’s impossible to completely eradicate cyber risk or the potential damage to reputation, but resilience is possible by considering a more circular approach.”
Recognising that each organisation is unique and at a different place in its digital journey, Aon’s ‘Cyber Loop’ is a process that starts with assessment: understanding what assets a business has and how important they are, what threats those assets face, and what controls and processes are in place, in order to judge how well defended they are. This is followed by cyber risk quantification, to understand the impact of an event and what the cost would be if those assets were compromised. The assessment and quantification stages of the loop are vital to delivering effective risk transfer. This is then supported by the ability to provide incident response readiness via proactive development of response plans and tabletop exercises.
“Knowing what’s driving that cost improves the ability of the business to make more proactive and informed decisions about how to optimise security control spend, risk management investment and the purchase of insurance levels,” explained Hornsby.
Access to external support
“Having quantified the risk, this better informs what kind of limits a business might take out on any kind of insurance policy and ensures that any cyber cover taken out is fit for purpose. The purchase of insurance also provides important access to dedicated incident response firms,” said Hornsby. This is particularly important for retail IT teams, who are often running at capacity supporting home working and accelerated digital roll-outs, and may not be able to respond effectively without outside support.
The fourth phase of the ‘cyber loop’ is making sure the business is ready to deal effectively with an incident, said Hornsby. “It’s imperative to plan for that breach with a strategy of incident response readiness which means building, implementing and regularly testing those response plans.”
Cyber Resilience Toolkit launched
As a further help to retailers, the BRC and the National Cyber Security Centre (NCSC), have launched a Cyber Resilience Toolkit for retailers, which the NCSC describes as “an actionable guide specifically designed for non-cyber experts, such as Board members, those in senior strategic roles, and start-up businesses.”
In addition, said Sarah Lyons – Deputy Director for Economy and Society at the National Cyber Security Centre, “I would highlight the Board Toolkit which encourages cyber discussion between an organisation’s executive board and its technical experts and there is the ‘Exercise in a Box’ which allows organisations to test their response to cyber-attacks.” The NCSC is also working with consumer-facing organisations to deploy customer-centric security measures as a default on their systems, added Lyons, such as the ability to turn on two-factor authorisation and allowing three random words for password formulation.
“The whole sector will remain a primary focus for the NCSC,” concluded Lyons. “The more we can work together and support each other, the stronger the sector as a whole can be in defending against cyber-attacks, but also in having the right strategies, policies and procedures to manage cyber risk appropriately.”