
Why retail businesses can’t afford to lose sight of the data breach threat

Retailers are targeted by hackers more than any other sector, so what can IT managers in retail businesses do to protect against data breach consequences?

With retailers locked in an arms race to beat their competitors to deploy the latest experience-enhancing tech, there is a risk that security concerns are not being given the priority they deserve.

According to the retail edition of the 2018 Thales data threat report, half of US retailers experienced a data breach in the past year, up from 19 per cent the year before.

In fact, retail is the sector that suffers more data breaches than any other, including financial services and healthcare.

However, the same report found that only 26 per cent of retailers globally say they encrypt cloud-stored data.

Understanding data threats

“While all businesses in the UK are at risk of data theft and fraud, a retail breach could lead to unmitigated reputational damage and the erosion of customer trust at a sector-wide level”, said Rahul Powar, CEO at data-driven cybersecurity company Red Sift.

He continued: “The British Retail Consortium recently called out the worrying trend towards criminals zoning in on organisations that store or transmit customers’ personal information and payment data, so it’s difficult to conceive of a more vulnerable target than the retail sector and its customers.”

This sentiment was echoed by John Tsopanis of data management consultancy Exonar. He said: “Relatively speaking, retailers don’t currently spend much on security, which is a real problem, as the data they collect is just as detailed as that collected by banks, who obviously take the threat very seriously.”

So, given the challenge of under-investment, what can IT managers do to help protect against the rising threat of cybercrime?

Education and awareness

For Rahul Powar, security blind spots often result from a lack of real understanding of the risks among senior decision-makers. He said: “IT managers will often opt for more layers of security in order to plug any potential gaps of penetration, while board-level execs will always look to ways of optimising the customer experience, which will, of course, ensure healthy profits. But today, data security is as important as customer satisfaction, especially given the cost of UK retail cybercrime amounts to more than £300m per year.

“The reason why some board-level employees show a lack of buy-in to new IT security projects is that they simply don't have the technical understanding to extrapolate what a breach in defences could mean to the bottom line. Education and awareness and employing C-level execs with technical backgrounds are a crucial step forward to breaching the divide between the two sides.”

Practical steps

So what measures should retailers be putting in place to keep their data safe?

The key, according to Mark Lomas, solutions architect at IT services provider Probrand, is to consider the end-to-end journey data takes and ensure that appropriate measures are in place at every stage along the way.

He said: “Under the framework introduced by GDPR, if a retailer is collecting customer data, then they are responsible for safeguarding that data from that point onwards, so it’s vital to think about how it is captured, transferred and stored.

“If the data is held at the point-of-sale terminal, its security must be considered – is access to the data secured somehow, whether by access card or password?

“Next, good encrypted communications between the point of collection and the data centre or server is vital in preventing information being intercepted.

“The last and arguably the biggest concern is where is the data being stored or processed? Is it in a cloud, a data centre or on the premises? If you’re storing data in any way, it’s critical that it is encrypted or protected effectively – not only because it’s mandated under GDPR, but because this is where it is most vulnerable to hackers.

“For retailers, the risk of a leak means that more is required than the basics of cyber security, which every business should be following – in other words, keeping systems up to date and installing good anti-malware and firewalls. It’s important too to control who within the organisation has access to the data, and that the level of access they have is monitored.

“It shouldn’t be easy for them to simply download or screengrab large amounts of information, and the whole system should be designed with data leakage prevention in mind.

“Simply putting a policy in place is not enough, as this still relies on people to act accordingly – you have to be certain that effective guards are put in place.”

According to Rahul Powar, phishing attacks, where a hacker gains access to data by posing as a trusted contact in order to obtain login details, are a key concern, but one that can be easily mitigated by retailers: “Phishing attacks are considered as the top threat facing retailers, and there are straightforward fixes that can deter these types of attacks.

“By implementing the foundations of email security such as critical protocols including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), retailers can protect themselves and their customers from email fraud via domain impersonation and deter phishing attacks and the subsequent loss of data.”
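As an added illustration (not from the article or from Red Sift), the Python below lints constructed SPF and DMARC TXT records for a placeholder domain, showing that merely publishing records is not the same as implementing them: a `+all` SPF record or a `p=none` DMARC policy is syntactically valid but does nothing to stop domain impersonation. The domain, mail host and record contents are made up, and no DNS lookups are performed.

```python
# Constructed TXT records for a placeholder domain (nothing is looked up):
# WEAK is syntactically valid yet deters nothing; HARDENED is the corrected pair.
WEAK = {
    "retailer.example": "v=spf1 include:_spf.mailhost.example +all",
    "_dmarc.retailer.example": "v=DMARC1; p=none",
}
HARDENED = {
    "retailer.example": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.retailer.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retailer.example",
}

def spf_all_qualifier(record):
    # Qualifier on the 'all' term: '+' pass, '-' fail, '~' softfail, '?' neutral.
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return qual
    return None  # no 'all' term: unlisted senders are treated as neutral

def parse_dmarc(record):
    # 'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', 'rua': '...'}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(domain, txt):
    # Findings explaining why the published records do not stop impersonation.
    findings = []
    spf = txt.get(domain)
    if spf is None:
        findings.append("no SPF record: any host may send as this domain")
    elif spf_all_qualifier(spf) in ("+", "?", None):
        findings.append("SPF permits unlisted senders: end the record with -all or ~all")
    dmarc = txt.get("_dmarc." + domain)
    if dmarc is None:
        findings.append("no DMARC record: receivers cannot enforce alignment")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("p", "none") == "none":
            findings.append("DMARC p=none only monitors: spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("no rua tag: aggregate reports of abuse will never arrive")
    return findings
```

Running `assess("retailer.example", WEAK)` returns three findings, while the HARDENED pair returns none.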

Mitigating the impact of a data breach

For John Tsopanis, one strategy that can allow retailers to significantly increase their level of cyber security without high levels of investment is data segmentation. He said: “Ten years ago, a medium-sized retailer might have had a database containing the names and addresses of a few thousand people.

“Today, the amount of information collected is much larger and more detailed, and so the potential impact of a breach is bigger.

“The amount of information retailers are gathering continues to grow rapidly. In the US, Target has recently filed a patent for installing microphones in its trollies, illustrating just how keen they are to collect all the information they can to deliver a more personal experience.

“These data sets can no longer sit in a single repository. Instead, by splitting data up into physically separated records, for example by dividing up the country geographically and storing the data for each region separately, the potential impact of any breach can be contained. Creating individual data subsets for specific targeted marketing campaigns will also help.

“Greater segmentation of customer data is the only way those collecting it are going to be able to protect themselves against the risk of very serious breaches without spending millions of pounds on cutting-edge security systems.”

Investing for growth

According to Mark Lomas, IT managers shouldn’t just look to make board-level executives aware of the risks that can be mitigated by investing in security measures, but also present the potential positives.

He said: “Many senior executives currently see investment in security systems purely as a necessary evil rather than an investment in growing the business when actually, it can be. Just as a security breach can do damage to a brand’s reputation, demonstrating that security is your highest priority as a business can help you win business.

“It’s an issue of trust. As a customer, you’re much more likely to surrender your credit card details and make a purchase if the seller can show they are secure, for example by displaying accreditations and certificates from reputable independent security schemes. Cyber Essentials, ISO 27001 and the Payment Card Industry Data Security Standard are good examples.

“Fostering this trust among customers can help you bring in more business, as people are increasingly thinking carefully about who they hand over their details to. This is particularly the case for smaller or independent retailers who perhaps won’t have the same assumed trust that, rightly or wrongly, is still largely enjoyed by the biggest players in the market.”
