Retailers face escalating cyber security challenges during peak events such as Cyber Monday. Will O’Brien outlines four steps to protect customer data this holiday season
In the retail sector, cyber security often lags behind other sectors regardless of the retailer’s size or value.
In the short term, this can lead to some initial minor inconveniences, but if left unattended, it can escalate into serious issues that impact the organisation’s brand, reputation and customer loyalty.
The security challenge
During the peak Christmas consumer events of Black Friday and Cyber Monday, the retail sector sees a sharp uptick in business.
As a result, its value to malicious actors also increases.
To leverage this busy period, cybercriminals use unsophisticated phishing campaigns to gain access and steal data.
When a retailer’s ‘accounts and billing’ function is in full swing during the holiday season, for example, it is more likely to fall victim to a phishing attack.
While some retailers have reasonable controls in place to protect against these attacks, many rely heavily on insecure third parties to fulfil critical business functions.
According to PwC’s 2023 Digital Trust Insights Survey, supply chain risks have become a big focus for regulators and organisations, with senior executives in Ireland identifying increased regulatory scrutiny as one of the top five impacts on their business since 2022.
Without conducting the correct level of cybersecurity due diligence on third parties, retailers can open themselves up to cyber-attacks by providing third parties with access to their data.
If these third parties fall victim to cyber-attacks, the organisation’s data – through payroll, accounts and shipping, for example – may be at risk.
Despite the third party being at fault, the data controller (the organisation) is subject to fines and reputational impact.
Defending consumer data
Organisations can protect their digital assets by understanding the retail-specific cyber threats and associated remediation activities.
1. Education and awareness
Your people are your first line of defence against phishing campaigns. All staff should be educated on security procedures and aware of attack methods. A robust cybersecurity education and awareness programme is the best way to achieve this.
You should tailor this programme for your organisation by identifying the critical threats and customising the content to address these threats.
2. Third-party risk management
Third-party risk management (TPRM) is the process of analysing and minimising the cybersecurity risks associated with outsourcing to third-party vendors or service providers. It involves effective selection, due diligence, contracting, ongoing monitoring and the correct termination processes.
3. Malware and ransomware prevention
Anti-malware and ransomware detection technologies can help to reduce the risk of a severe cyber-attack likely to cause operational, reputational and financial damage to your organisation.
Detection and response tools, for example, can identify malware and limit the blast radius of an attack.
4. Incident management and response
With organisations facing more regulations than ever, the capacity to respond to a data breach quickly and effectively has never been so important.
Senior executives should test their incident response capabilities and muscle memory with simulated strategic and tactical tabletop exercises. Incident response plans should be enhanced based on the lessons from these exercises.
This documentation can include communication statements, runbooks for technical responses to ransomware, and processes for notifying the Data Protection Commission of a personal data breach.
Implementing these controls can help to mitigate the financial and reputational impact of a security breach.
Prioritisation
You cannot eliminate cyber risk, but prioritising retail-specific cyber threats can help to mitigate the potential risks and damage.
An effective cybersecurity programme will ensure that you can prepare for, withstand, recover from and learn from malicious attacks and online security events.
Will O’Brien is Director of Cyber Practice at PwC