In the United Kingdom, cyber criminals seem to have dramatically stepped up their efforts against retailers in the last year. According to the law firm RPC, in the last year alone cyber attacks have doubled with massive amounts of personal data stolen from retailers. The rapid and continued advances in information technology have also presented many opportunities for cyber thefts. This is mainly because of so many attack vectors including, online shopping, digital advertising, mobile advertising, and of course insider threats. This is not a positive outlook for the retail industry given that the GDPR is right around the corner and the cost of non-compliance or a data breach is very high.
Jeremy Drew, who is a partner at RPC, has commented: “Retailers are a goldmine of personal data but their high profile nature and sometimes aging complex systems make them a popular target for hackers.” He continued on, “There are so many competing pressures on a retailer’s costs at the moment – NMW rises, rates increases, exchange rate falls, as well as trying to keep ahead of technology improvements – that a proper overhaul of cyber defences can get pushed onto the back burner.”
Due to the fact that in the UK not all data breaches are required to report, the number of attacks may be dramatically under accounted for. In from 2015-2016, there were 19 reported data breaches by retailers. In 2016-2017, there were a reported 38 breaches by retailers in the UK. Now the assumption is that cyber criminals have seemingly stepped up their efforts. The other case is that retailers are being more honest about how often they have security incidents. Jeremy Drew captured the latter possibility in his statement, “No UK retailer wants to be in the position of some public examples who were forced to confirm that it took them nearly a year to close a data security breach.”
Across the Pond: Same Story
In the 2017 Thales Data Threat Report, Retail Edition, that was centered around responses from more than 1,100 security executives, 88% of retailers felt vulnerable to a cyber attack. 19% of respondents stated they had experienced a data breach in the last year, of that 19% a little more than half had reported that had been the victim of a previous breach as well. Such news was alarming to Garrett Bekker who is a principal analyst for information security at 451 Research. Bekker had stated, “Unfortunately, organizations keep spending on the same security solutions that worked for them in the past, but aren’t necessarily the most effective at stopping modern breaches.”
Bekker seems to be on the ball with his analysis. Spending patterns by retail executives in the United States seems to be concentrated on formerly successful solutions. This reflects the risk aversion that comes with private sector organizations, often past performance is used as the indicator of what will succeed in the future. However, when it comes to cyber security this logic actually can expose an organization to more risk.
Retailers are still doing better than healthcare; however, with the coming GDPR which requires disclosure, will the numbers reflect just how vulnerable the retail sector has been? Part of the problem seems to be the adoption of new technologies, but retention of dated security practices. Will the retail sector get their security act together before the GDPR becomes law in May 2018?