The digital revolution in retail is well and truly underway. Not only are more people shopping on the web – global e-commerce sales doubled between 2014 and 2019 – but the backend processes and systems that make retail businesses run have moved online as well.
This shift has transformed the customer experience, making it possible for people to buy what they want, when they want, where they want. It has also helped retailers cut operating costs, scale rapidly and be more agile.
But there’s a downside. Because transactions are increasingly being conducted online, and data is being stored in the cloud, retailers have become more vulnerable to cyber-attacks.
“There’s no doubt that the shift to digital is driving a whole range of network vulnerabilities,” said John Tait, Global Managing Director, Payments Market at TNS.
“We’re opening up the edges of networks more, which means there’s more opportunity and vulnerability points being exposed, and the number of attacks we’re seeing across retail continues to increase.”
And while the level of sophistication of retail security systems has improved over the years, it’s not where it needs to be, according to Tait.
“Cyber criminals are extremely well organised and they’re operating at a level which is over and above the general retail capability,” he said.
The damage from an attack can be significant. If fraudsters get hold of company data, they often demand payment to release it.
“The short to medium-term impact is loss of brand integrity with customers,” said Tait. “That obviously has an impact on a retailer’s ability to continue to trade successfully at the levels they once did. But on a more quantifiable level, there’s a financial impact and a business continuity impact.”
Cyber criminals often threaten to release data publicly unless they receive payment, and if they believe the company is not going to pay, they might interfere with the organisation’s ability to operate as proof of their malicious intent.
The top three security risks in retail
While retail has become more vulnerable to cyber-attacks due to digitisation, the human element presents the biggest risk, according to Tait.
“Fundamentally, the three biggest security risks in retail are employees, phishing scams and supply chain attacks,” he said.
- Employees
“Retailers typically employ staff at the front end of their business because they’re very good at customer service, business relationships, consumer relationships, and ultimately generating sales and supporting the objectives of growing the business. What they’re not trained in is security best practices,” said Tait.
“Employees are typically the biggest threat because – unfortunately – they are the weakest link in the chain.”
The key reason is that store staff have the most access to company devices and networks, so they are often targeted by scammers hoping to trick someone into granting them access to an internal system.
However, it’s not always the case that employees inadvertently do the wrong thing. Some employees might deliberately leak sensitive information to outside parties for malicious purposes.
“We would describe this as fraudulent activity,” Tait noted.
- Phishing scams
Following on from the risk posed by employees, phishing scams continue to be a major liability for retailers.
“Sophisticated actors target employees to compromise their credentials and get access to data and networks to then compromise the integrity of those systems,” Tait said.
Typically, a scammer will send instructions for an employee to follow, and the employee – thinking they’re doing the right thing – will inadvertently enable the scammer to place malware on an unpatched system, or perform some other act that gives the scammer access to privileged data and information.
- Supply chain attacks
“As retailers allow remote access to their store network, they become more vulnerable to hacks and intrusion from third and fourth parties,” said Tait.
“It can be as simple as access to CCTV networks and cameras through to systems and network monitoring tools.”
How TNS can help
While cyber criminals will always exist, retailers can take steps to protect their business by transferring sensitive payment data via secure networks.
“When you go online to a website and buy a pair of shoes – that transaction is often sent over the public internet to the bank. The transaction is encrypted, but it’s not necessarily a secure gateway,” Tait said.
In comparison, TNS processes e-commerce and store transactions over a private cloud. It subscribes to, and is certified as compliant with, PCI DSS, the highest level of security for data protection in the world.
“The customer experience is changing rapidly, and digital transformation is enabling the opportunity for cyber threats to increase, which means the focus on cyber security needs to be elevated within the list of retailers’ priorities,” Tait said.
“And in looking at options to protect their brands and integrity of data, specialist managed service providers that do this complex work at scale present a reasonable option as opposed to trying to manage it in-house.”