Lifting the veil on cyber threats for retailers
Current landscape of cyber threats
Almost all UK businesses (approximately 98%)[1] now operate online in some capacity, benefiting hugely from an increased use of online websites, social media accounts, and online banking. The constant availability of online retail opportunities means the rate of cybercrime is on the rise, with the main cyber threats posed to retailers centring on two things:
- unavailability of systems; and/or
- loss of data.
There has been a recent trend of ransomware attacks which have affected the availability of systems and data, putting operational pressure on organisations to elicit payment of ransom demands. These threat actors tend to use so-called 'double extortion', which involves both the encryption and the exfiltration of data. This is so that the threat actors can not only prevent access to data but can also monetise the sale of the data or threaten its publication on the open or dark web.
In light of the current landscape of threats, what key considerations would we expect retailers and consumer brands to be taking into account?
Personal Data Mapping
The retail and consumer sector typically holds a significant amount of personal data, particularly customer data and employee data. It can be easy for companies to underestimate the amount of personal data they actually hold, so this should be properly mapped as part of a robust pre-breach preparation plan. Understanding your key data and operational systems, and the technical risks they pose, can help create a unique data risk map for your organisation, which can be invaluable ahead of an incident.
Supply Chain Risks
With increased scrutiny on the sustainability of global supply chains, retailers and consumer brands are rightly keeping a closer eye on their network of vendors and suppliers. Threat actors regularly target weaknesses in retail supply chains, which poses unique challenges for retailers and consumer brands, as consumers can be significantly impacted following little or no involvement of the retailer or consumer brand in the breach itself. For instance, consumers may face difficulties accessing products if a particular software vendor which operates deliveries is targeted. Alternatively, personal data could be targeted through a third-party data processor who has access to large amounts of data.
It is therefore critical for retailers and consumer brands to undertake robust supply chain due diligence. To assist with this, the UK government's National Cyber Security Centre has recently published guidance which sets out practical steps to help organisations assess cyber security in their supply chains, including some scenarios against which to measure the security of your supply chain.
Many retailers and consumer brands have an increasing footprint worldwide, and the global nature of cyber threats means extra care must be taken when responding to incidents affecting multinational businesses.
The UK and Europe
The territorial impact of key data laws has changed as a result of Brexit, and understanding local nuances, including the differences between UK law and the law of the rest of Europe, can be important in understanding relevant data obligations following a cyber breach.
Perspectives from Asia
The multiple jurisdictions making up the Asia region have a patchwork of cyber and data regimes including:
- Regimes based around data protection laws: Hong Kong and China
- Cyber security and infrastructure security regimes: Singapore
- Sectoral data protection regimes: India and Indonesia
Retailers and consumer brands should keep in mind the current distinctions between the various data regimes, whilst we await further indications of whether there will be increased harmonisation in light of growing global digital dependencies.
The cyber risk model in LATAM is rapidly evolving as RPC's Laura Thackeray recently noted in an article here. Governments in LATAM have historically been slower in adapting and reacting to cyber risks, but retailers and consumer businesses in the region are slowly undergoing a move away from the mindset of placing insurance (and in particular cyber insurance) in the 'luxury' category for their business.
Following a roundtable seminar which RPC's Cyber and Data teams recently hosted with key retail clients, here are our top tips to assist retailers and consumer businesses in the management of their cyber risk:
- 'Plan Plan Plan' – have a clear, written incident response plan which is kept offline and involves all key stakeholders of the business. Also ensure it is updated regularly.
- Give early consideration to a breach communication strategy and the organisation's risk appetite.
- Make use of the BRC's cyber resilience toolkit for retailers and consumer brands.
- Closely engage with third parties via contracts to manage risk. In an acquisition context, robust cyber due diligence should not be neglected. In a negotiation context, do not shy away from requesting specific certifications.
- Adopt systems that have embedded regular vulnerability checks and audits of technology.
- Consider obtaining cyber insurance – but bear in mind that the insurance market is hardening its stance on premiums for cyber risks, as well as its underwriting requirements.
- Don’t neglect the basics of cyber risk training and hygiene.
Against the backdrop of the current global economic scene, businesses may have less money to spend on combatting cyber risks. However, retailers and consumer businesses are encouraged to stay proactive against the growing threats: even the simplest exercises, such as phishing training, can make a significant difference in the human front line of defence.
No company will ever be fully incident-proof; however, staying proactive in combatting cyber risks gives your business the best chance of avoiding an issue. For more information about the full suite of pre-breach and post-breach services that RPC can assist with, please click here.