According to the British Retail Consortium ("BRC"), online retail sales are increasing by around 10-15% each year and cyber-crime is increasing in parallel.
The BRC's Annual Retail Crime Survey 2016 reveals that cyber-crime (such as hacking or data breaches) represents 5% of the total direct cost of crime to retailers each year - which equals a direct financial loss to the industry of around £36 million. Furthermore, around 53% of fraud in the retail industry each year is cyber-enabled - which equals a direct cost of around £100 million. The need for retailers to develop their cyber security protections has never been more pressing.
Some of the most common threats to retailers include fraudsters "phishing" for customers' personal data or "spear-phishing" for company data; hackers breaching company databases to access customer credit card details for criminal transactions; and criminals using "ransomware" to freeze a company's IT systems and demanding a ransom to reinstate access.
In light of the increasing cyber dangers to retailers, the BRC has published a Cyber Security Toolkit for Retailers which provides practical guidance on how to prevent or handle cyber-crime and other forms of online criminal activity. The crux of the advice is that retailers should identify the specific cyber security threats to their business and then develop risk management processes to defend against and/or respond to such threats. Specifically, retailers are encouraged to adopt "a full lifestyle approach to cyber security incident management within the company's overarching information security strategy" and follow the "P-P-R-R-R" steps:
- PREVENT: seek to avoid cyber security breaches such as data breaches altogether by introducing stronger security protections;
- PREPARE: develop a structure and plan to mitigate the impact of potential cyber security breaches;
- RESPOND: convene all relevant parts of the business to implement the incident management plan (including the board who has ultimately responsibility);
- RECOVER: reduce any residual cyber vulnerability and manage any resulting reputational damage; and
- REVIEW: take stock of lessons learnt from previous incidents and incorporate these into the company's overall information security strategy.
All cyber risks have the potential to negatively impact a company's profitability, competitiveness and reputation. Failure to have adequate protections in place to mitigate these risks may also expose a company to claims that it has breached statutory, regulatory or contractual obligations. Therefore, whilst cyber risk is increasing, there are positive steps a retailer can and should be taking to protect itself and its customers.