Keeping retailers secure during Black Friday and Cyber Monday

Will O'Brien, Director, PwC Ireland (Republic of), 20 November 2023

Read our insights on key cyber threats during the busy season.

In the retail sector, cybersecurity often lags in effectiveness and protection regardless of the retailer’s size or value. In the short term, this leads to some initial minor inconveniences, but if left unattended, it can develop into serious issues that impact retailers’ brand, reputation and customer loyalty.

The security challenge

During the peak Christmas consumer events of Black Friday and Cyber Monday, the retail sector sees a sharp uptick in business. As a result, its value to malicious actors also rapidly increases. Taking advantage of this busy period, cybercriminals use unsophisticated phishing campaigns to gain access and steal data. For example, when a retailer’s ‘Accounts & Billing’ function is in full swing during the busy season, its staff are more likely to fall victim to a phishing attack. Just one wrong click can provide an opportunity for criminals in the retail environment.

While some retailers have reasonable controls to protect against these attacks, many rely heavily on insecure third parties to fulfil critical business functions. According to our 2023 Digital Trust Insights Survey, supply chain risks have become a focus area for regulators and organisations alike, with senior executives in Ireland identifying increased regulatory scrutiny as one of the top five impacts on their business since 2022. Without conducting the correct level of cybersecurity due diligence on third parties, retailers can open themselves up to cyber attacks by providing third parties with access to their data. Potential targets include payroll, accounts and shipping, and if these third parties are the victim of a cyber attack, it puts your data at risk. Despite the third party being at fault, the retailer (the data controller) is subject to fines and reputational impact.

Defending consumers’ data

Retailers can protect their digital assets by understanding the retail-specific cyber threats and associated remediation activities.

1. Education and awareness 

Your people are your first line of defence against phishing campaigns. All staff should be educated on security procedures and aware of attack methods. A robust cybersecurity education and awareness programme is the best way to achieve this. This programme should be tailored for your organisation by identifying the critical threats and customising the content to address these threats.

2. Third-party risk management

Third-party risk management (TPRM) is the process of analysing and minimising the cybersecurity risks associated with outsourcing to third-party vendors or service providers. It involves effective selection, due diligence, contracting, ongoing monitoring and correct termination processes.

3. Malware and ransomware prevention

Anti-malware and ransomware detection technologies are necessary to reduce the risk of a severe cyber attack causing operational, reputational and financial damage to your organisation. For example, detection and response tools can be used to identify malware and limit the blast radius of the attack.

4. Incident management and response

With organisations facing more regulations than ever, the capacity to quickly and effectively respond to a data breach has never been so important. Senior executives should test their incident response capabilities and muscle memory with simulated strategic and tactical tabletop exercises. Incident response plans should be enhanced based on the learnings from these exercises. This documentation can include communication statements, run-books for technical responses to ransomware, and breach notification processes for notifying the Data Protection Commission of a personal data breach.

Implementing these controls can strongly mitigate the financial and reputational impact of a security breach.

You cannot eliminate cyber risk. However, by prioritising retail-specific cyber threats, an effective cybersecurity programme is within reach for every retailer, ensuring they can prepare for, withstand, recover from and learn from malicious attacks and security events online.

Gain a trusted and reputational edge this Black Friday and Cyber Monday

Retailers that shine a light on their cybersecurity blind spot can turn this into a competitive advantage. Those who proactively focus on and invest in cybersecurity to protect consumers’ data create a trusted and reputational edge for their brand, thereby creating greater customer loyalty.

Our cybersecurity and privacy experts provide a range of managed services, including third-party risk management and data privacy as a service. These services help retailers of all sizes protect themselves and their customers against cybersecurity threats. If you have any questions about the issues raised in this article, contact us today.
