We need to build a better castle: the cybercrime threat to retail (with lessons from the Middle Ages) – Part 2
06 April 2017
This is the second part of a blog which aims to explain the cybercrime threat to the retail sector, and how organisations in the sector can respond, by drawing on the analogy of medieval castles. If you haven’t read part 1, it is available here.
How can I build a better castle?
The key takeaway for retailers is that the criminal threat has two distinct ends, and each requires its own track of cyber defence.
The less technically capable cybercriminals (the marauding bandits) are opportunistic: they look for targets where the tools they already have will work. In the castle analogy they are probing the outer walls for weaknesses; if they find none they move on to the next castle. But there are a lot of bandits and they are probing all the time. The key to defending against this kind of threat is a good level of general defence across people, process and technology, assured by regular testing. In addition, responding to a ransomware attack without paying the ransom depends on having business-critical data backed up somewhere the attacker cannot also reach (offline, or otherwise isolated from the network that was compromised), and on having rehearsed restoring from those backups so that you know the restore works and how long it takes.
Meanwhile, top-end cybercriminals (the mercenary armies) will spend time and resources devising a bespoke attack on a chosen target: they will watch your movements, meticulously map your defences and get into the castle via the sewer that was left off the castle plans. Defending against this requires a holistic, enterprise-level effort. PwC Partner Richard Horne articulated the requirements well in a recent paper that proposed seven principles for Boards and Investors; below is how I believe they apply in the medieval castle analogy:
1. Real understanding of exposure
Understand who the army outside the gates is, what they want and how they usually get into castles. Make sure you know about the sewer and brick it up.
2. Appropriate capability and resource
Don’t spend all your money on mead; ensure the army inside the castle is equipped and trained for defence. Consider briefing your senior noblemen on the threat posed by marauding armies.
3. Holistic framework and approach
Don’t just focus on the height of the walls. Think about the way in which you operate the castle and how that might make you vulnerable (e.g. what is your drawbridge-opening process?).
4. Independent review and test
Don’t assume you have got it right. Get (friendly) armies to probe your defences and identify weaknesses.
5. Incident preparedness and track record
Modern, well-trained armies are adept at getting into castles. Have a plan for what you do if they breach your walls, and rehearse it before you need it.
6. Considered approach to legal and regulatory environment
What has the King told you is the minimum he expects of your defences?
7. Active community contribution
Share information with other friendly nobility to learn from each other’s experiences and befriend the peasants who live outside your walls – they can warn you of impending attacks.
James Hampshire works in PwC’s cyber security practice, helping clients in the retail and consumer sector answer the big cyber security questions. He previously spent 14 years in law enforcement and government, including heading the national UK government cyber threat intelligence team and leading international engagement for the UK National Cyber Crime Unit (so he knows a bit about cybercrime). He originally studied history and war studies at university, which probably goes some way to explaining the analogy this article is based upon.