The retail sector has been revolutionised by developments in the digital world, opening up a whole new way to access consumers through better quality data capture. It has also led to improved technology and efficiency both in-store and operationally. However, as more retailers increase their IT capital expenditure, many now see this as a strategic-level risk that could cause major disruption, significant financial loss and lasting reputational damage.
Digital technology advances have resulted in retailers becoming increasingly dependent on the internet and IT systems for everyday operations, including point of sale, stock management, supply chain and marketing. This means they are now at the mercy of the digital solutions they use, with retailers of all sizes and in all sub-sectors at risk.
Perception vs. Reality
There is a perception that IT failure and cyber crime is confined to a retailer’s ecommerce website or the loss of data such as customers’ credit card details. The reality is that without its IT systems a retail business could cease to sell for weeks, resulting in lost revenue and potentially high costs of hiring external expertise to fix technical problems.
Another common misconception is that most cyber incidents occur as a result of external hackers. In fact, according to the Ponemon Institute’s 2014 Cost of Data Breach study, it is a combination of
- external hacking attacks (42%)
- internal negligence (such as lost laptops and files) or deliberate acts (such as insider collusion) (30%)
- system glitches (28%)
Often businesses will not know they have experienced a cyber breach until an external source notifies them, resulting in slow response times.
The assumption that responsibility for managing and understanding digital risks lies solely with IT departments is rapidly changing. There is growing recognition that everyone in an organisation should be accountable for cyber security, but despite this few staff tend to be trained on information security and many boards still lack a comprehensive understanding of it.
What are the Risks?
One of the major risks a retailer faces is from the number and variety of business partners it works with. It is not enough for retailers to simply implement physical, technical and organisational security measures within their own businesses as the IT perimeter for cyber risk extends further than this. They must also focus on cyber security within the supply-chain and with service providers as interconnectivity between companies can pose a real threat.
Flawed Digital Strategy
Retailers unsurprisingly tend to focus on the threat posed by unforeseen events, such as a hack or service downtime. However, with online trading contributing a higher proportion than ever of most retailers’ income, a badly executed strategy such as a poorly received website revamp, can have a material effect on a company resulting in a drop in sales and, in extreme circumstances, a fall in share price.
Loss or Theft of Confidential Business Information/Trade Secrets
Retailers handle a lot of confidential and commercially sensitive information, both their own and that of business partners. If such information is lost or stolen it could be useful to competitors as well as fraudsters, for example; details of suppliers, pricing strategies, current financial position, advertising and marketing campaigns, and any other information that is not publicly available.
Failure of Interconnected Systems
Computer based services are interdependent both within and outside an organisation. The failure of one organisation’s computer system can have a dramatic knock-on effect on all those with which it is connected. The same is true of cloud service providers and webhosting companies whose services many retailers are dependent upon. Examples of such issues include till or chip and pin machine failure, automated stock management system glitch, website issues all of which can impact on sales.
Loss or Theft of Personal Data
Retailers collect, maintain, transmit or store private information including potentially large amounts of consumer and employee data, as well as a significant amount of credit card information. This personal and confidential data may be shared between individual organisations and their supply chains, increasing the number of touch points and therefore the potential risk of a data breach.
IP infringement for retailers can include violation of design, copyright, trademark, domain name and copycat websites.
Retailers often have complex and diverse global supply chains, covering areas as varied as stock supply and credit card payments, making due diligence difficult and costly. There may also be differences in the quality of suppliers’ cyber security and a weak link in the supply chain can leave retailers vulnerable to a costly cyber attack.
Cyber extortion has become far more common in the retail sector, partly as a result of the low cost and easy availability of hacking tools which are simple for even the most technically challenged criminal to use. Denial of service (DoS) attacks can block access to essential systems and online trading platforms, leaving retailers unable to trade and at the mercy of cyber criminals.
Fraud is a particular issue for retailers thanks to their relatively high profile and online ubiquity. Retail is also one of the industries particularly prone to payment card skimming, with fraudsters using stolen details from individuals’ credit cards to make purchases. This type of activity is increasingly happening online where a physical card is not required to make a purchase and appropriate checks are more difficult to carry out – the cost of such fraud can be significant for a retailer.
What Are The Impacts?
The impact of any digital incident, especially if not handled correctly, can be catastrophic in terms of reputational damage and financial loss.
Some of the more obvious impacts on the balance sheet include: theft of cash; the inability to trade and associated costs of downtime; costs to repair or reinstate systems and operations; ransom payments to hackers (denial of service attacks); and regulatory fines for data breach of customer information.
There are also some less apparent costs associated with digital incidents which may include: opportunity costs following the loss of vital business and client information; non-delivery of stock or other essential supplies; and possible legal costs associated with defending issues such as IP infringement.
Other even more intangible, but no less important, consequences should also be considered as these ultimately have a financial impact. Brand and consumer trust, for example, is an incredibly important part of being a successful online retailer and can be severely damaged following an incident. A retailer’s reputation can take years to build and, in the age of social media, hours to destroy.
A significant loss of customer data or similar breach can mean that consumers lose confidence in a retailer, taking their business to a more trusted site. Damage can be exacerbated if an incident is poorly handled from a PR perspective.
Although investment in cyber security will not prevent against all eventualities – due to constantly evolving forms of malware and the impending threat of human error – managing digital risks effectively can significantly reduce the impact of cyber incidents.