Cybersecurity breaches can result in huge, sometimes irrecoverable, reputational damage. Without proper response and recovery plans, a company’s chance of survival is lower, warns AlixPartners’ Brian Kalms

If I told you that 60% of your physical stores could be attacked at any moment, how would you respond? And would you read on?

If you’ve made it this far, that’s a relief. Now, why should that be any different for your online retail estate where, for many retailers, the majority of their customer transactions occur?

I’m of course interested to know how my quarterly columns resonate with the Retail Week audience and was interested to hear that last year’s cybersecurity-focused piece was the ‘quietest’ of mine last year, at a time when the retail industry is being actively targeted by cybercriminals.

A Sophos white paper last autumn reported a dramatic increase in the level of attacks against the industry, asserting that 77% of retail organisations were hit by ransomware in 2021, up from 44% in 2020.

It is no longer a matter of if or when an attack happens, but how much damage it could cause and whether the organisation can survive.

Organisations correctly spend considerable resources on increasing security to reduce the likelihood and impact of an attack by implementing protective and reactive controls, such as patching, configuration management and security operations centres. These controls significantly reduce the level of risk but will never eliminate that risk entirely.

Press and popular opinion suggest that cybersecurity breaches can result in huge, and sometimes irrecoverable, reputational damage. Therefore, without proper response and recovery plans, a company’s chance of survival is lower.

Organisations still fear disclosing such breaches, because being open and honest exposes them to reputational impact. Yet the stark reality is that consumers and the media are increasingly likely to find out about a breach. The attackers themselves may even disclose it for greater impact.

Besides potentially being illegal, denying a breach, trying to minimise the impact, or communicating in complex and evasive language is doomed to failure.


When organisations retract or update statements, or when other sources provide contradictory information, it reduces trust in an already damaged brand.

Customers need to know – and most importantly trust – that you understand the impact on them and are working hard to resolve it.

So what do you do? A sound response will enable organisations to survive and could yield positive outcomes for well-prepared retailers.

  • Plan: What would your organisation do in the first hour, day, week and month of an attack and the recovery? Not just the technical requirements, but how do you limit harm? How do you communicate with staff, third parties, the authorities and, most importantly, the customers and those directly impacted? Who will lead this communication effort?
  • Rehearse: Releasing negative news is very difficult and uncomfortable, but it is a learnt skill. Human nature and the fear of repercussions tend to make us minimise the event and respond aggressively to challenges.
  • Communicate: However good your media and executive team are, they need to deliver a press release that is clear, honest and helpful. Your spokespeople need to practise looking into the lens of a camera, communicating clearly and showing empathy. It is better to have the awkward experience of getting it wrong in the rehearsal than during a real incident.

Customer service teams must be trained in how to deal with scared and angry customers, too. How do you tell them that you’re very sorry, but you can’t deliver the product or take the order while retaining their loyalty at the same time? The skill is honest communication – another learnt skill that benefits from practice.

Planning for a serious incident and the recovery isn’t cheap. It will likely require specialist external support and time from the executive, technical, operational and customer support teams. It needs to be updated and rehearsed regularly.

In the heat of an incident, all that can make the difference between an organisation that is seen as the victim of crime, that took it seriously, went the extra mile to protect customers and will recover, versus one that has poor security, tried to hide it and allowed customers to suffer.

If you’ve now read this far, it will be actions that speak louder than words.