In a digital-first environment, retailers cannot afford to overlook any kind of cyber threat, says AlixPartners managing director Brian Kalms


When Tesco disclosed in its 2022 annual report that it had carried out a cyberattack stress test, it sent a message to other businesses – are you really resilient enough to withstand a security breach?

Tesco found that a breach could cost it up to £2.4bn in fines and compromise the data of its 20 million Clubcard members, not to mention the additional costs to respond and recover, and loss of revenues through disruption.

Expanded attack surface

As we approach October – also dubbed Cybersecurity Awareness Month – little has changed in respect of retailers continuing to be an attractive target for cybercriminals. 

They seek access to the rich data businesses store, transmit and collect across large, complex, heterogeneous IT networks in disparate locations.

Today, when digital channels are increasingly the primary route to market, along with the adoption of cloud technologies, a long and complex interconnected supply chain, and a remote workforce, retailers have rapidly expanded their attack surface – that is, the various points at which a cybercriminal could attempt to access or manipulate data. 

Customer data remains an attractive target for hackers, but many are increasing their advanced persistent threat (APT) activity whereby they access an organisation’s system but remain dormant.


If a cybersecurity team were able to identify a threat, APT or otherwise, would it have the requisite skills and capabilities to monitor and move in on the cybercriminals?

Many retail businesses suffer from sustained underinvestment in technology, which brings inherent security vulnerabilities. 

Outside of the more sensitive industries such as aerospace, defence and financial services, many organisations have an inadequate approach to cyber monitoring — even those of modest sophistication fall short.

Retailers must assess their unique risk appetite. Which of the following questions apply?  

If hackers target my business, how might they cause detrimental disruption and what is the impact? 

For a retailer, this might be interfering with its supply chain or turning off refrigeration units in a grocery store. If this happened overnight and the stock was spoiled, would you detect it before you sold the stock?  

What is there that is worth stealing and what is the impact? 

We already know customer personally identifiable information (PII) and payment data are important. Some organisations will also be concerned about very specific data – for example, prices in next month’s sales, remuneration or strategic information.

How can a hacker embarrass my business? 

Cyber attacks pose a reputation risk and can impact the share price of listed businesses and customer confidence. 

In some cases, a disorganised response to an incident can cause more reputation damage than the attack itself. This is a question for the board rather than technical teams. 

Have we done everything we reasonably can to mitigate the risk and protect customers and staff? 

Answers to all of these questions must come in addition to ensuring that baseline controls are in place and tested. 

All retailers need to raise the bar so attackers will choose easier targets, or so that attacks will be detected early and blocked. 

If the attack surface can be minimised and appropriate perimeter controls put in place – change management, user authentication, vulnerability management and monitoring, as well as preparing to manage attacks and incidents when they occur – the bigger questions can be answered with much greater confidence and success.
