ARTICLE
20 March 2025

Cyber Data Resilience In Retail: How To Improve Risk Management Processes

Gowling WLG


Gowling WLG is an international law firm built on the belief that the best way to serve clients is to be in tune with their world, aligned with their opportunity and ambitious for their success. Our 1,400+ legal professionals and support teams apply in-depth sector expertise to understand and support our clients’ businesses.

With huge growth in e-commerce in recent years and the number and type of digital touchpoints and digital services to consumers growing, the need for robust cybersecurity risk management strategy remains critical in the retail sector.

UK online sales accounted for 27% of total retail sales in 2024 [1] and this is projected to increase in 2025, reflecting the continued shift towards digital shopping platforms. In parallel, 34% of UK retailers identify cyber and data risks as their biggest threats, with 70% ranking them in their top three risks. [2] Indeed, cyberattacks, fraud and data leaks cost the retail sector £11 billion in 2023. [3]

Digital transformation in retail continues at pace. Modern customers choose to browse, explore a brand and complete purchases both online and offline very fluidly. Harmonised omnichannel presence brings customer satisfaction, brand loyalty and increased sales.

Retailers are also leveraging tech and data for operational purposes: to forecast consumer trends using data analytics; to enhance customer engagement through digital platforms; to automate processes; to collaborate with partners to share data insights; for real-time monitoring of supply chain operations; and for AI powered pricing and marketing strategies.

Technologies include chatbots, e-commerce platforms, smart shelves, mobile applications, voice-assisted shopping, AI assistants and contactless payments. In addition to cyber vulnerability arising from accelerated new tech adoption, brick-and-mortar stores with staff, cashiers and physical point-of-sale (POS) systems present further vulnerability hotspots.

Payments processed via geographically distributed financial networks or via cross-border distributed payment infrastructures throw up yet more modern data security challenges.

While larger retailers can take confidence from their investment in technology to safeguard operations, their security teams must remain vigilant in the face of ever-evolving cybersecurity threats. This is especially so as AI improves not only threat detection but also vulnerability discovery, a capability that attackers exploit too, increasing the sophistication of their attacks. Smaller retailers with fewer resources, reliance on outdated or unpatched software, or only basic security tools are highly vulnerable to cyberattacks.

Most significantly from a cyber resilience perspective, whether a retailer is large or small, with the newest tech solutions or none, it is often simply human error at the root of a cyber incident.

The boxes below highlight the key areas of cyber risk for retailers, with key mitigation areas for improving cyber crisis management processes explored:

Key cyber risks for retailers

Social engineering

Where users are tricked into divulging sensitive information or passwords. Phishing is the most common form: customers or staff open malicious links or files that appear to come from a reputable source. Social engineering is frequently the initial access step for ransomware and other attacks.

Internet of Things (IoT)

IoT devices enhance supply chain optimisation, inventory management, delivery, operations and customer feedback collection, but where device security is poor or firmware is not updated, they offer attackers a new and attractive entry point into retailer systems and data.

Near Field Communications (NFC) Payment Systems

Hackers can potentially access sensitive data on NFC payment terminals if a connection is not secure. Compromised POS systems can lead to card skimming, theft of payment data and unauthorised access to the retail network.

Non-malicious events

Excessive user traffic, user error, weak passwords, staff negligence.

Poor encryption

Data transmitted over the internet without encryption (for example, without TLS) can be intercepted and read or altered in transit, facilitating cyberattacks.

Ransomware

Where a cybercriminal gains access to a network (often via phishing) and deploys malware, including ransomware, that encrypts a system's data so that it cannot be unlocked without the decryption key. This can result in system downtime, a data breach, and other contractual and regulatory issues.

Software vulnerabilities

These can include incorrectly applied software updates, SQL injection, URL redirection to untrusted websites and infected software.
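Two of the weaknesses named above, SQL injection and redirection to an untrusted website, are shown here in a hypothetical retail product-lookup and login-redirect flow, each in its vulnerable and hardened form. This is an added illustration, not code from the article or from Gowling WLG; the catalogue schema, the hostnames and the function names are assumptions made for the example, and the inputs are constructed.

```python
"""Added example (not from the original article): SQL injection and open
redirect in a hypothetical retail web backend, vulnerable vs hardened.
Schema, hostnames and inputs are constructed for illustration."""
import sqlite3
from urllib.parse import urlparse


def make_db() -> sqlite3.Connection:
    """Constructed in-memory catalogue: one public SKU and one unreleased SKU."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT, name TEXT, price_pence INTEGER, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [("SKU-100", "Trainers", 5999, 1), ("SKU-200", "Unreleased handset", 89900, 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    # Vulnerable: the caller-supplied SKU is concatenated into the SQL text, so
    # the caller can rewrite the query and bypass the 'published = 1' filter.
    query = f"SELECT sku, name FROM products WHERE sku = '{sku}' AND published = 1"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, sku: str) -> list:
    # Hardened: the SKU is passed as a bound parameter, sent as data and never
    # parsed as SQL, so the same payload simply matches no row.
    query = "SELECT sku, name FROM products WHERE sku = ? AND published = 1"
    return conn.execute(query, (sku,)).fetchall()


# Hypothetical allowlist of hosts a post-login redirect may send a customer to.
ALLOWED_REDIRECT_HOSTS = {"shop.example", "pay.example"}


def redirect_vulnerable(next_url: str) -> str:
    # Vulnerable: whatever the attacker placed in ?next= is used verbatim, so a
    # phishing link can bounce the customer from the real site to a fake one.
    return next_url


def redirect_safe(next_url: str, default: str = "/account") -> str:
    # Hardened: honour only a same-site path (not a scheme-relative '//host'
    # or '/\host' form) or an https URL whose host is on the allowlist.
    parsed = urlparse(next_url)
    is_local_path = (
        parsed.scheme == ""
        and parsed.netloc == ""
        and next_url.startswith("/")
        and not next_url.startswith(("//", "/\\"))
    )
    if is_local_path:
        return next_url
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return next_url
    return default


def demo() -> dict:
    """Run both attacks against the vulnerable and hardened code paths."""
    conn = make_db()
    payload = "x' OR 1=1 --"  # constructed injection: comments out the filter
    return {
        "injected_vulnerable": lookup_vulnerable(conn, payload),
        "injected_safe": lookup_safe(conn, payload),
        "normal_safe": lookup_safe(conn, "SKU-100"),
        "redirect_vulnerable": redirect_vulnerable("https://evil.example/login"),
        "redirect_safe_external": redirect_safe("https://evil.example/login"),
        "redirect_safe_scheme_relative": redirect_safe("//evil.example/login"),
        "redirect_safe_path": redirect_safe("/basket"),
        "redirect_safe_allowlisted": redirect_safe("https://pay.example/checkout"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The injected payload makes the vulnerable lookup return the unreleased product as well as the public one, while the parameterised lookup returns nothing for it; the redirect check shows why a plain "starts with /" test is not enough, since `//evil.example` is a valid scheme-relative URL.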

Third party vendors

Unchecked supply chains pose cyber risk. Retailers rely on service providers, contractors and business partners, especially cloud service providers, POS system providers and third-party apps for online sales. Any security vulnerability at a third-party source threatens the safety of data transfers. Additional risk arises here as third-party vendor attacks can be harder to detect as they are not direct on the retailer.

Cyber crisis management - risk mitigation for retailers

Staff training

Human mistakes are a leading factor in cybersecurity breaches. Retailers should ensure workforce training is regular and up to date. It should cover learning about the range of cyber incidents that can arise and include steps to limit human error and technological issues. Employees at all levels of the company should know how to spot a phishing attack or malware. Do your suppliers do the same?

Supply chain due diligence

Minimum security standards should be set for suppliers. See NCSC Supply chain security guidance. Third-party partners and suppliers should complete questionnaires about their data and cyber hygiene.

Results will enable retailers to align with other businesses that practice the same (high) level of cyber resilience, reducing the risk of an entire supply chain becoming affected by a cyberattack. Outcomes should also facilitate identification of clear vulnerabilities which need addressing according to the level of risk posed.

Contracts

Include contractual rights to carry out penetration testing, requirements for maintained accreditations, commitments to security measures, obligations to maintain disaster recovery and business continuity plans and rights to carry out audits on any business in the supply chain to test resilience to a cyber incident.

Systems integration audit

If systems are integrated with those of suppliers (via a portal or order system), analysis of vulnerability is required. How integrated are supplier systems to the primary infrastructure? How easy is it to disconnect if necessary? How often are systems checked for vulnerabilities? Is there a back-up plan if those systems go down? An entity is only as strong as its weakest link.

Security and GDPR audits

Actively carry out regular security audits and GDPR compliance audits internally, and of supply chains.

Cyber incident response plan

Prepare, test, update and become familiar with your cyber incident response plan. Depending on how reliant or closely connected you are to your supply chain, you should consider including suppliers in your incident response plan as well as any tabletop exercises designed to test it.

Take advantage of 'peace time' to build resilience by identifying and understanding how you will work with key suppliers to keep operations going and reduce downtime in the event of a cyber incident. See How to deal with a cyber incident.

Business continuity and disaster recovery plan

Prepare and integrate the business continuity and disaster recovery plan with suppliers' plans, and regularly test.

A cyber incident results in significant trade disruption for retailers. In addition to any direct losses, there will be a substantial time cost for management in dealing with the data breach (including time-critical regulatory reporting requirements); handling any ransomware payment decision (see our article for comment on ransom payments); updating ICT security at speed; and addressing reputational impact quickly.

Any incident is also likely to undermine consumer confidence (especially where consumer data is involved) and may damage brand loyalty and reduce sales.

Footnotes

1. Office for National Statistics, Internet sales as a percentage of total retail sales (ratio) (%).

2. Research by Barclays Corporate Banking and Retail Economics, published in Retail Week, July 2024.

3. Adyen and the Centre for Economics and Business Research (Cebr), April 2024.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
