Hackers target retail business sector as cyber attack volumes double in just 12 months

The risk of a data breach is increasing in the retail business sector as retailers accumulate more and more personal information on their customers as part of their ongoing Big Data initiatives. As such, the number of retail businesses reporting data breaches to the Information Commissioner’s Office has doubled in just one year, jumping from 19 in 2015-2016 to 38 in 2016-2017. That’s according to law firm RPC.

The rise of online shopping, loyalty programmes, digital marketing and the offering of electronic receipts in store means that even a small multiple retailer will be gathering exactly the kind of data that hackers will be looking for in their bid to commit crime. Consequently, the retail industry is beginning to feel the pressure to invest more heavily in cyber security measures.

The regulatory burden and financial risks involved in a data breach will increase substantially when the EU’s General Data Protection Regulation (GDPR) comes into force in May next year. The rules therein will make reporting breaches mandatory. As companies are not currently required to report every cyber attack from which they suffer, the actual number of data breaches in the retail sector is likely to be even higher.

Jeremy Drew, partner at RPC, commented: “Retailers are a goldmine of personal data. Their high-profile nature and sometimes ageing and complex systems make them a popular target for hackers. There are so many competing pressures on a retailer’s costs at the moment – a rise in the National Minimum Wage, rates increases, exchange rate falls and trying to keep ahead of technology improvements among them – that it’s all-too-easy for a proper overhaul of cyber defences to be pushed to the back burner.”

Data breaches are already the second greatest cause of concern for business continuity professionals and, once this new EU legislation comes into force, in turn bringing with it higher penalties than already exist, this level of concern is only likely to increase. Organisations need to make sure they’re aware of the requirements of the GDPR and ensure that their data protection processes are robust enough to meet the new requirements.

Drew added: “As the GDPR threatens a massive increase in fines for those companies that fail to deal with data security, we do expect investment to increase in a bid to stop breaches occurring in the first place and also ensure that, if they do happen, they’re found quickly and contained. No UK retailer wants to be in the position of some public sector operations who were forced to confirm that it took them nearly a year to close a data security breach.”

SMEs remain unprepared for cyber breaches

Nearly all (96%) small to medium-sized enterprises (those companies with anywhere from 100 to 499 employees) in the US, the UK and Australia believe their organisations will be susceptible to external cyber security threats in 2017, suggests a new study by Webroot. Yet, although businesses recognise the growing threats, 71% still admit not being ready to address them.

Cyber Threats to Small and Medium-Sized Businesses in 2017 shows that IT decision-makers at small to medium-sized businesses are most worried about new forms of malware infections (56%), mobile attacks (48%) and phishing attacks (47%). Those decision-makers estimate a cyber attack in which their customer records or critical business data were lost would cost an average of $579,099 in the US, £737,677 in the UK and AU$1,893,363 in Australia.

Nearly two-thirds of IT decision-makers believe it would be more difficult to restore their company’s public image than to restore employee trust and morale.

Addressing the growing threat, 94% of decision-makers plan to increase their annual IT security budget in 2017 when compared to the spend in 2016.

Businesses currently manage IT security in various ways. One-fifth of businesses have in-house employees whose responsibilities include IT security. 37% use a mixture of in-house and outsourced IT security support, while only 23% have a dedicated in-house IT security professional or team.

The current cyber security landscape and lack of preparedness of small to medium-sized businesses represent a big opportunity for managed security providers. Among businesses who don’t currently outsource IT security support, 80% will likely use a third-party cyber security provider at some point this year.

Charlie Tomeo, vice-president of worldwide business sales at Webroot, commented: “This study illustrates the general lack of preparedness for security around the globe. Small to medium-sized businesses face just as many threats as larger ones, but are often at a disadvantage because of their lack of resources. Given the recent spate of high-profile ransomware attacks, it’s crucial for these companies to shore up their security and lean on the expertise of a managed security provider for a solution to combat threats from multiple vectors.”

Close on one million UK SMEs targeted

Almost one-in-six (16%) SMEs have fallen victim to a cyber attack in the last 12 months, equating to more than 875,000 nationwide. That’s according to the findings of a study conducted by Zurich. Businesses in London are the worst affected, with almost a quarter (23%) reporting that they’ve suffered a breach within this period.

The SME Risk Index found that, of those businesses that were affected, more than a fifth (21%) reported that it cost them over £10,000 and one-in-ten (11%) said that it cost more than £50,000.

Yet, despite the volume of attacks and potential losses, the survey of over 1,000 UK SMEs showed that business leaders are not committing to investing significantly in cyber security in the coming year. Almost half (49%) of SMEs admitted that they plan to spend £1,000 or less on their cyber defences in the next 12 months, while almost a quarter (22%) don’t even know how much they will spend.

The results show that, for businesses of all sizes, robustness of cyber security defences is now a genuine concern for winning and maintaining business contracts. A quarter (25%) of medium-sized businesses (those with between 50 and 249 employees) reported that they’ve been directly asked by a current or prospective customer about what cyber security measures they have in place. This was also true of one-in-ten (11%) small businesses (companies with fewer than 50 employees).

As a result, business leaders are reporting that strong cyber security is providing an opportunity to stand out from competitors with as many as one-in-20 (5%) claiming to have gained an advantage over a competitor because of stronger cyber security credentials.

Paul Tombs, head of SME proposition at Zurich, commented: “While recent cyber attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it’s important to remember that small and medium-sized businesses need to protect themselves as well. The results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses. While the rate of attacks on SMEs is troubling, it also shows that there’s an opportunity for businesses with the correct safeguards and procedures in place to leverage this as a strength and gain an advantage.”

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting.

In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector.

In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award.

An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award.

Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site.

Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media.

Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014.
