Bricks and clicks: cyber security and Black Friday
19 November 2018
Black Friday is one of the most critical dates in the retail calendar and in today’s challenging climate it is the defining point in the year for many retailers. While it has been associated with long lines at bricks and mortar retail stores, increasingly online and mobile have become integral parts of retailers’ strategies - both as direct channels to market and also to enhance the in-store experience.
There are a number of critical success factors for retailers in terms of cyber security for Black Friday.
- Data confidentiality - as the volume of transactions increases, there is more personal information and payment data to protect and many retailers will increase security monitoring during this period.
- System availability - the availability of ecommerce platforms is paramount on Black Friday. Even short outages can have a significant impact on sales and potentially lead to negative commentary and reputational impact. “Back office” systems such as inventory management and logistics systems are equally important to fulfilling the customer journey. Many retailers will do increased stress testing of their websites in advance of Black Friday to ensure they can cope with increased traffic.
- Third party security - retailers are part of a complex ecosystem of organisations, so simply securing their own systems will not guarantee a smooth Black Friday. Third party payment gateways, supplier interfaces and shipping systems all need to be resilient. Neglecting the security and resilience of third parties introduces risk that is outside retailers’ control to dynamically manage on Black Friday itself. We have seen cases where third parties have reduced security controls to ensure system availability, but haven't told the retailer they are servicing until after the event.
Many retailers will have been preparing for some time, planning, testing and exercising to ensure Black Friday runs smoothly, but there will be many others whose preparation hasn’t been extensive enough. Retailers with well-thought-out cyber security capabilities that provide a good baseline of protection and resilience, with the ability to flex for events such as Black Friday, will be those who succeed.
I work with a range of retail clients but many of them are experiencing difficulty in articulating return on investment for cyber security; although most customers now expect a certain level of security from retailers, security has not become a differentiator in the retail market as some suggested a few years ago. One way to better articulate the value of cyber security investment is to turn the “value” equation on its head. So rather than trying to identify tangible value that cyber security investment will generate for a company (almost impossible in a retail context), organisations are identifying “value at risk” - i.e. what value would be lost as a result of a successful cyber attack. Taking likely threat scenarios and traditional likelihood/impact assessments enables organisations to put the level of cyber security investment into context, enabling senior executives to make decisions on investment in capability based on realistic metrics.
Please do get in touch with me to discuss how retailers are dealing with the cyber security challenge and how you can secure your business.