
Why retail businesses can’t afford to lose sight of the data breach threat

Retailers are targeted by hackers more than any other sector, so what can IT managers in retail businesses do to protect against data breach consequences?

With retailers locked in an arms race to beat their competitors to deploy the latest experience-enhancing tech, there is a risk that security concerns are not being given the priority they deserve.

According to the retail edition of the 2022 Thales data threat report, 45% of US retailers said that the severity and/or scope of cyberattacks had increased in the previous 12 months and more than half (55%) have been the victim of a data breach at some point.

In fact, retail is the sector that suffers more data breaches than any other, including financial services and healthcare.

What are the security challenges in the retail industry?

“While all businesses in the UK are at risk of data theft and fraud, a retail breach could lead to unmitigated reputational damage and the erosion of customer trust at a sector-wide level”, said Rahul Powar, CEO at data-driven cybersecurity company Red Sift.

He continued: “The British Retail Consortium have called out the worrying trend towards criminals zoning in on organisations that store or transmit customers’ personal information and payment data, so it’s difficult to conceive of a more vulnerable target than the retail sector and its customers.”

So, given the challenge of under-investment, what can IT managers do to boost data protection, raise security awareness, and help mitigate the rising threat of cybercrime? 

Education and awareness

For Rahul Powar, security blind spots often result from a lack of real understanding of the risks among senior decision makers. He said: “IT managers will often opt for more layers of security in order to plug any potential gaps of penetration, while board-level execs will always look to ways of optimising the customer experience, which will, of course, ensure healthy profits. But today, data security is as important as customer satisfaction, especially given the cost of UK retail cybercrime amounts to more than £300m per year.

“The reason why some board-level employees show a lack of buy-in to new IT security projects is that they simply don't have the technical understanding to extrapolate what a breach in defences could mean to the bottom line. Education and awareness and employing c-level execs with technical backgrounds are a crucial step forward to breaching the divide between the two sides.”

Practical steps

So, what measures should retailers be putting in place to keep their data safe?

The key, according to Mark Lomas, solutions architect at IT services provider Probrand, is to consider the end-to-end journey data takes and ensure that appropriate measures are in place at every stage along the way.

He said: “Under the framework introduced by GDPR, if a retailer is collecting customer data, then they are responsible for safeguarding that data from that point onwards, so it’s vital to think about how it is captured, transferred and stored.

“If the data is held at the point-of-sale terminal, its security must be considered – is access to the data secured somehow, whether by access card or password?

“Next, good encrypted communications between the point of collection and the data centre or server is vital in preventing information being intercepted. 

“The last and arguably the biggest concern is where is the data being stored or processed? Is it in a cloud, a data centre or on the premises? If you’re storing data in any way, it’s critical that it is encrypted or protected effectively – not only because it’s mandated under GDPR, but because this is where it is most vulnerable to hackers.

“For retailers, the risk of a leak means that more is required than the basics of cyber security, which every business should be following – in other words, keeping systems up to date and installing good anti-malware and firewalls. It’s important too to control who within the organisation has access to the data, and that the level of access they have is monitored.

“It shouldn’t be easy for them to simply download or screengrab large amounts of information, and the whole system should be designed with data leakage prevention in mind.

“Simply putting a policy in place is not enough, as this still relies on people to act accordingly – you have to be certain that effective guards are put in place.”

According to Rahul Powar, phishing attacks – where a hacker gains access to data by posing as a trusted contact in order to obtain login details – are a key concern, but one that can be easily mitigated by retailers: “Phishing attacks are considered as the top threat facing retailers, and there are straightforward fixes that can deter these types of attacks.

“By implementing the foundations of email security such as critical protocols including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), retailers can protect themselves and their customers from email fraud via domain impersonation and deter phishing attacks and the subsequent loss of data.”
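The SPF and DMARC foundations mentioned above are published as DNS TXT records, and a weak record (a permissive `+all`, a monitoring-only `p=none`, no reporting address) gives little protection against domain impersonation. The following is an added example, not code from the article or from Red Sift: a small checker that assesses constructed sample records for a hypothetical weak and hardened retailer domain (the `.example` names are placeholders; DKIM is not checked here because its keys are published under per-selector names that the checker would have to know in advance).

```python
# Constructed sample DNS TXT records for two hypothetical domains (not real):
# the same retailer before and after hardening its SPF and DMARC records.
SAMPLE_RECORDS = {
    "weak.example": {
        "@": "v=spf1 include:_spf.mail.example +all",
        "_dmarc": "v=DMARC1; p=none",
    },
    "hardened.example": {
        "@": "v=spf1 include:_spf.mail.example -all",
        "_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    },
}

def parse_tags(record):
    """Split a 'k=v; k=v' style TXT record (DMARC tag syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(spf):
    """Return weaknesses in an SPF record; the 'all' qualifier decides what happens to unlisted senders."""
    if not spf.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    findings = []
    terms = spf.split()[1:]
    all_term = next((t for t in terms if t.endswith("all")), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism, so unlisted senders are not rejected")
    elif all_term in ("+all", "all"):
        findings.append("SPF '+all' authorises any server to send as this domain")
    elif all_term == "?all":
        findings.append("SPF '?all' is neutral, so spoofed mail is not rejected")
    return findings

def assess_dmarc(dmarc):
    """Return weaknesses in a DMARC record: policy strength, reporting and coverage."""
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    if tags.get("p") == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif tags.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC policy tag 'p' is missing or invalid")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so no aggregate reports are received")
    if tags.get("pct", "100") != "100":
        findings.append("DMARC policy applies to only %s%% of mail" % tags["pct"])
    return findings

def assess_domain(records):
    """Combine SPF (apex TXT) and DMARC (_dmarc TXT) findings for one domain."""
    return assess_spf(records.get("@", "")) + assess_dmarc(records.get("_dmarc", ""))
```

Running `assess_domain` over the two sample domains reports three weaknesses for the first and none for the second; in practice the records would be fetched with a DNS lookup rather than read from the dictionary.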

Investing for growth

According to Mark Lomas, IT managers shouldn’t just look to make board-level executives aware of the risks that can be mitigated by investing in security measures, but also present the potential positives. 

He said: “Many senior executives currently see investment in security systems purely as a necessary evil rather than an investment in growing the business when actually, it can be. Just as a security breach can do damage to a brand’s reputation, demonstrating that security is your highest priority as a business can help you win business. 

“It’s an issue of trust. As a customer, you’re much more likely to surrender your credit card details and make a purchase if the seller can show they are secure, for example by displaying accreditations and certificates from reputable independent security schemes. Cyber Essentials, ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS) are good examples. 

“Fostering this trust among customers can help you bring in more business, as people are increasingly thinking carefully about who they hand over their details to. This is particularly the case for smaller or independent retailers who perhaps won’t have the same assumed trust that, rightly or wrongly, is still largely enjoyed by the biggest players in the market.”
