Cyber security: The retail sector under attack
10 May 2017
Retail and consumer organisations are regularly suffering data breaches, yet only 58% have an overall security strategy.
All sectors face a range of cyber threats, but the retail sector appears particularly badly hit. PwC’s annual Global State of Information Security Survey 2017 found that organisations in the retail and consumer sector suffered on average over 4,000 security incidents over the preceding 12 months. 16% of organisations surveyed suffered losses of over $1 million as a result of these incidents. The statistics make worrying reading, but are brought vividly to life by the details of actual attacks. One of the best-known attacks on a US retailer led to significant losses as well as senior company resignations; the company’s brand also suffered, with its name and the breach becoming interlinked and a familiar term of reference. Retailers in the UK are also suffering, with a number of high-profile breaches over recent years.
Who are the attackers and what do they want?
At its heart, cyber security is not a technical issue; it is about motivated individuals and groups seeking to do something malicious to your organisation. The biggest threat facing the retail sector is financially motivated cybercrime. Top-end cyber criminals are getting better, whilst at the same time cybercrime tools and techniques are traded in online criminal forums, lowering the barrier to entry for less skilled individuals. Personal and credit card data are high-value targets for cyber criminals, who trade them on online marketplaces (ironically, many of these mimic the online retail channels used by the organisations they have targeted). Increasingly, organisations are also being targeted by sophisticated frauds which aim to trick employees into transferring funds to the attackers, often using emails purporting to come from the CEO or senior executives (dubbed “whaling” attacks).
Recent years have also seen protest moving online, with traditional activists using cyber attacks to promote their causes and the emergence of online “hacktivist” groups such as Anonymous. Activist attacks are often less sophisticated, usually focus on disruption (for example website defacement and website denial of service) and can be difficult to predict. This latter point is important; retailers may become the subject of an activist campaign due to some perceived grievance, but equally hacktivists target large organisations to gain maximum publicity for their cause, even when the target is unrelated. Although the threat from highly capable nation states is lower for retail organisations than for some other sectors, there is still potential for them to be targeted by states seeking to support domestic businesses, seeking information relating to a business transaction (for example an M&A deal) or corporate strategy, or acquiring innovative technology or business processes which give a competitive edge.
Our latest Total Retail survey found that cyber security is a big worry for online shoppers – with 59% only shopping with trusted companies and a quarter only shopping with companies in the UK as ways to prevent security issues. So the issue of cyber security is not one to be taken lightly, and retailers who don’t improve their systems risk losing suspicious customers for good.
About the author
James Hampshire is a Manager in PwC's cyber security practice, focussing on the retail and consumer sector. James has worked with a number of major UK retailers to advise them on developing their cyber security strategy, maturity and operating models. To find out about the cyber security practice's work, visit the website.