A signal was sent to other businesses when supermarket giant
Retailers have long been an attractive
The average total cost of a data breach in 2021 was US
Customer data may be the most obvious and well publicised
It's not about cyber, it's about risk
Digital channels are increasingly the primary route to market for retailers, a trend accelerated by COVID-19. This increased digital footprint, the adoption of cloud technologies, and a long, complex, interconnected supply chain, coupled with many retailers retaining a remote workforce, have rapidly expanded their attack surface.
Therefore, the reassessment of cybersecurity strategy is rising up every retailer's agenda - this area poses a significant threat to the strength (or weakness) of any organisation's overall risk profile.
However, many retail businesses are still underinvesting in the right tools and strategies. The industry's historically short-term approach to technology investment and re-platforming will play against them as cyberthreats become more prevalent and disruptive. But can any retailers honestly say that they can afford not to invest in cybersecurity?
Being resilient to disruption can deliver a competitive advantage to retailers, yet many retailers suffer from sustained underinvestment in technology, which brings with it inherent security vulnerabilities.
Retail companies need 'better' rather than 'more' security - more efficient solutions that
Customer data, particularly financial information including card data, remains an attractive
Furthermore, if a cybersecurity team were able to identify a threat, APT or otherwise, do they have the requisite skills and capabilities to monitor and move in on the cybercriminals?
Many organisations outside the more sensitive industries, such as aerospace, defence, and financial services, have an inadequate approach to monitoring, and even those of modest sophistication fall short. Even if the alarm bell sounds, no one is listening.
Four questions retailers must ask
There are several ways hackers can cause disruption through a cyber event or technology failure. Rather than pre-emptively trying to protect an organisation against known threats and scenarios, retailers must assess their own unique risk appetite.
- The first question to ask therefore is: If hackers
- Secondly, what is there that's worth stealing and what is the impact? We already know that customer PII and payment data are important and that their loss will incur reputational loss, fines, and regulatory scrutiny. Some organisations will be concerned about very specific data, for example prices in next month's sales, remuneration, strategic information, etc.
- Thirdly, how can a hacker embarrass my business? Cyberattacks pose reputational risk and impact the share price among listed businesses and customer confidence among others. In some cases, a disorganised response to an incident can cause more reputational damage than the attack itself. This is a question for the board rather than technical teams.
- Lastly, have we done everything we reasonably can to mitigate the risk and behaved reasonably to protect our customers and staff?
All of this must come in addition to ensuring the baseline controls are in place and tested. All retailers need to raise the bar such that attackers will choose easier targets, or that the attacks will be detected early and blocked.
If the attack surface can be minimised and appropriate perimeter controls put in place - change management, user authentication, vulnerability management and monitoring, as well as preparing to manage attacks and incidents when they occur - the bigger questions can then be answered with greater confidence and success.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq Ltd, 2022 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source