We need to build a better castle: the cybercrime threat to retail (with lessons from the Middle Ages) – Part 1
31 March 2017
Cyber security is, at its heart, the modern manifestation of a battle that has been going on for centuries between armies and castles, where defenders repel attacks from a determined enemy who are constantly probing for weaknesses.
This is the first in a two part blog in which I will look to bring to life the cybercrime threat to retailers, and how they should respond.
Who is trying to get into my castle?
The range of cybercrime1 threats facing retailers today is broad and growing. At the top end of the capability spectrum are a relatively small number of elite cyber criminals (the UK’s National Crime Agency estimate “a few hundred”) whose capabilities have increased rapidly, to such an extent that one recent report claims they are now on a par with that some nation states’ intelligence services (professional mercenary armies in the castle analogy). At the other end of the spectrum is an ever increasing “long tail” of cybercriminals whose relative lower technical capability is counterbalanced by number and persistence (medieval outlaws).
The “long tail” of cybercrime is increasing, primarily because many of the barriers to committing traditional crime do not apply to cybercrime; and cybercrime is getting easier. A number of things are driving this:
- Cybercrime is a low risk activity, certainly lower risk than traditional forms of crime. You don’t have to interact with other criminals in person, you can mastermind a criminal enterprise from your bedroom so there is little risk of encroaching on someone else’s “turf”. Law enforcement is still, by and large playing catch up, and penalties are still generally low compared to other crimes if you do get caught.
- Although a common misperception is that cybercrime is the preserve of the uber-geek, in reality you don’t need pre-existing technical skills to get started. The tools and techniques you need (for example hacking techniques, malicious software, denial of service capability) are available online.
- No criminal contacts? No problem! You can form a virtual organised crime group online and if you have a particular capability gap you can hire a specialist (e.g. a money launderer or a specialist in exploiting a particular vulnerability) for a fee.
What will they do once they are inside the walls?
Traditionally the biggest threat facing retailers is the theft of customer’s personally identifiable information (PII) and payment information, and there is still a buoyant criminal market for personal and payment data. Ironically, stolen data is sometimes sold via criminal websites which mimic retailers’ e-commerce operations.
Although retailers are now more aware of the threat to their customers’ data, many still do not recognise that their employees’ personal data is equally attractive to criminals. In one UK case, 6,000 retail employees are currently pursuing a class action legal case against their employer for failing to protect their personal information.
More niche cybercriminals also target sensitive business information, particularly strategy, M&A and other market-sensitive data. The FIN4 case was a great example of this, where extremely sophisticated cyber criminals stole M&A and market sensitive information from pharmaceutical and healthcare organisations, which they then used to make money from stock market trading. Although primarily targeted at the pharma and healthcare sectors, the risk is equally real for listed retailers.
But data theft is not the only threat cybercriminals pose to retailers. Recent years have seen an increase in aggressive, extortive attacks, including threats of denial of service attacks against websites accompanied by ransom demands, and ransomware encrypting critical business data (decryption key provided for a fee). Whereas ransomware has historically been targeted at individuals (low value/high volume), cybercriminals are now specifically targeting organisations who are able to pay larger ransoms.
Looking ahead, the retail sector will increasingly rely on digital channels and the internet of things will become more critical to supply chains and stores. Although these innovations will help retailers cut costs and improve performance, the opportunities for cybercriminals will increase in parallel.
In part 2 of the blog I will outline a strategy for protecting your castle.
1 The term cybercrime is often misused to describe all types of malicious actors in cyberspace, but this article focusses on financially motivated cybercrime, not nation state or activist cyber threats.
James Hampshire works in PwC’s cyber security practice, helping clients in the retail and consumer sector answer the big cyber security questions. He previously spent 14 years in law enforcement and government, including heading the national UK government cyber threat intelligence team and leading international engagement for the UK National Cyber Crime Unit (so he knows a bit about cybercrime). He originally studied history and war studies at university, which probably goes some way to explaining the analogy this article is based upon.