A signal was sent to other businesses when supermarket giant Tesco announced in its 2022 annual report that it had carried out a cyberattack stress test – are you really resilient enough to withstand a security breach?

Tesco found that a breach could cost it up to £2.4 billion in fines – 4% of its annual revenue – and compromise the data of its 20 million Clubcard members, not to mention the additional costs that would be incurred to respond and recover, as well as the loss of revenues due to business disruption.

Retailers have long been an attractive target for cyber criminals. They seek access to large, complex, heterogeneous IT networks across disparate locations, alongside the rich data they store, transmit, and collect. Last year saw cyberattacks against the likes of Neiman Marcus, Tesco and Guess and, over the past 12 months, criminals have targeted the retail sector with a 264% surge in ransomware attacks on ecommerce and online retail businesses.

The average total cost of a data breach in 2021 was US $4.24 million, according to the IBM/Ponemon Institute report, yet the impact of an attack can affect a business and individuals for years afterwards.

Customer data may be the most obvious and well publicised target, and of course it is important – this data should be well protected and is subject to regulatory scrutiny. However, there are other assets that retailers frequently overlook, which arguably pose greater risk to their reputation and operations.

It's not about cyber, it's about risk

Digital channels are increasingly the primary route to market for retailers, a trend accelerated by COVID-19. This increased digital footprint and adoption of cloud technologies and a long complex interconnected supply chain coupled with many retailers retaining a remote workforce, has rapidly expanded their attack surface.

Therefore, the reassessment of cybersecurity strategy is rising up every retailer’s agenda – this area poses a significant threat to the strength (or weakness) of any organisation’s overall risk profile.

However, many retail businesses are still underinvesting in the right tools and strategies. The industry’s historically short-term approach to technology investment and re-platforming will play against them as cyberthreats become more prevalent and disruptive. But can any retailers honestly say that they can afford not to invest in cybersecurity?

Being resilient to disruption can deliver a competitive advantage to retailers, yet many retailers suffer from sustained underinvestment in technology, which brings with it inherent security vulnerabilities.

Retail companies need ‘better’ rather than ‘more’ security – more efficient solutions that target the business risk, often seen in the shape of strategic partnering to establish and run security operations.

Customer data, particularly financial information including card data, remains an attractive target for hackers. Many are also increasing their Advanced Persistent Threat (APT) activity whereby they access an organisation’s system but remain dormant, as maintaining long-term access to a victim and slowly stealing data can prove more profitable than executing a single large attack. These types of threat should be concerning all retail CEOs today.

Furthermore, if a cybersecurity team were able to identify a threat, APT or otherwise, do they have the requisite skills and capabilities to monitor and move in on the cybercriminals?

Many organisations outside of the more sensitive industries such as aerospace, defence, and financial services, have an inadequate approach to monitoring and even those of modest sophistication fall short. Even if the alarm bell sounds, no one is listening.

Four questions retailers must ask

There are several ways hackers can cause disruption through a cyber event or technology failure. Rather than pre-emptively trying to protect an organisation against known threats and scenarios, retailers must assess their own unique risk appetite.

  • The first question to ask therefore is: If hackers target my business, how might they cause detrimental disruption and what is the impact? For a retailer this might be interfering with its supply chain or turning off refrigeration units in a grocery store. If this happened overnight and stock was spoiled, would you detect it before you sold the stock?

  • Secondly, what is there that's worth stealing and what is the impact? We already know that customer PII and payment data is important and that the loss of that will incur reputational loss, fines, and regulatory scrutiny. Some organisations will be concerned about very specific data for example prices in next month’s sales, renumeration, strategic information etc.

  • Thirdly, how can a hacker embarrass my business? Cyberattacks pose reputational risk and impact the share price among listed businesses and customer confidence among others. In some cases, a disorganised response to an incident can cause more reputational damage than the attack itself. This is a question for the board rather than technical teams.

  • Lastly, have we done everything we reasonably can to mitigate the risk and behaved reasonably to protect our customers and staff?

All of this must come in addition to ensuring the baseline controls are in place and tested. All retailers need to raise the bar such that attackers will choose easier targets, or that the attacks will be detected early and blocked.

If the attack surface can be minimised and appropriate permitter controls put in place – change management, user authentication, vulnerability management and monitoring as well as preparing to manage attacks and incidents when they occur – the bigger questions can then be answered with greater confidence and success.