2014 experienced an “unprecedented” level of cyber attacks on retailers, argues Deloitte, as businesses cannot rival hackers’ sophisticated technology when defending themselves against malicious assault.
This problem is exacerbated by three “thorny” issues, as highlighted in the consultancy’s recent report
Cyber risk in retail: Protecting the retail business to secure tomorrow’s growth. They include:
- The fact that public networks were designed to facilitate information sharing, not build barriers against it.
- Employees and third parties inherently provide the human element of risk.
- Cyber risk and operational performance are often linked; as organizations grow, so do their odds of becoming victims of cyber assault.
“You are in one of the toughest industries in the world—high volumes, razor thin margins, competitive advantages derived through marketing and technology,” Art Coviello, the former Executive Chairman of RSA said in response to the theft of their intellectual property in 2013. “I don't think it's a stretch to suggest that there is a pandemic with respect to retail industry cyber attacks.”
The report then breaks down findings to four key themes, including:
- Compliance is not the minimum threshold for risk management – while compliance is certainly encouraged, the onus is on organizations to remain attentive to their comprehensive cybersecurity needs, including disaster recovery, business continuity, emergency response, etc.
- The re-prioritization of detection and response preparedness – although prevention is ideal, businesses need to be able to pinpoint issues as soon as they occur, and react accordingly. To do so, Deloitte recommends appointing a steadfast “breach czar,” reinforcing relationships with law enforcement, legal teams and PR, rehearsing a devastating hack scenario, and partnering with IT in recovery efforts.
- Share intelligence – considered the “holy grail” of threat management, sharing information, even with competitors, is beneficial for the industry at large. Many times, the private sector identifies risks before government can, so collaboration is critical. At the very least, the report suggests that companies “consider establishing information sharing with partners and suppliers.”
- Cyber risks affect everyone – executives need to be forward-thinking about cybersecurity. They can achieve this through regular meetings with the CIO, tracking relevant metrics, establishing a robust cyber strategy, providing funding for these issues and conducting frequent, multilayered assessments.
“The retail sector may look back on this past year—what some have called the Year of the Retail Breach—as a catalyst for a more risk-focused approach to cyber security,” reported Deloitte.