Ever-more sophisticated cyber-attacks pose a greater and greater threat to fashion retail businesses. Drapers learns what retailers need to do to fight back.
So far this year, US department stores Macy’s and Saks Fifth Avenue have had customer data stolen by hackers, and sportswear giants Adidas and Under Armour have also been targeted. Closer to home, electronics group Dixons Carphone, the owner of The Carphone Warehouse and Currys PC World, announced last month that 10 million users may have had their data accessed in a security breach that took place last year.
Smaller businesses also struggle to combat the danger from cyber-attacks. Earlier this month UK ecommerce provider Fashion Nexus, which has worked with fashion brands AX Paris, Chi Chi London and Motel, was subject to a hack that accessed 640,000 customer records.
“Our experience with this as a small company has been extremely stressful and unsettling,” said Rob Sherwood, director of Fashion Nexus, at the time. “As a small business with limited resource and funding, we had put in place security measures. Somehow, this wasn’t sufficient to prevent an attack.”
The threat is constantly evolving, and, alongside data breaches, retailers and the companies they work with also face attacks that aim to disrupt services they provide to customers – slowing down websites or knocking out logistics systems.
Figures from the Business Continuity Institute show that 53% of UK businesses now consider a cyber-attack to be the main threat facing them in the future, and analysis from property agent Savoy Stewart shows the retail sector increased its investment in cyber-security by 21% in 2017/18 compared with 2016/17.
Drapers speaks to the experts to understand how the threat is evolving, and to find out how retailers can protect themselves, and their customers, against attacks.
Dave Palmer – Director of technology at cyber-defense artificial intelligence company Darktrace
Businesses have become so massively complex and interconnected that it is important to realise that it’s basically impossible to imagine everything that might go wrong.
While there is maybe a short-term brand issue of losing customer details, most businesses manage to shrug that off fairly quickly, and it doesn’t disrupt their share price long term. If you have a long-term disruption to systems and you can’t sell, or customers have a terrible experience, then that’s far more likely to have a long-term impact on your relationship with your customers and, potentially, your share price.
If I were running a retail organisation, the most important thing would be that we could sell every day, and a customer was never unable to buy something. People will remember that for much longer than lost credit card details. That’s a big shift – something we wouldn’t have been saying a few years ago.
The cutting-edge approach for detecting attacks now is moving into developing an understanding of what is normal in the business and its processes, and spotting strange and unusual activity before it evolves into something more serious.
For smaller businesses, there will be a trend of people moving away from managing technology themselves and using a service or cloud provider for their digital systems and security. This is a good idea, as typically the running becomes less expensive, and the provider takes care of all the technology aspects, so the retailer can just focus on content and customer experience.
James Rashleigh – Retail cyber-security partner at PwC
One key vulnerability retailers face is around data. Retailers are all struggling with how to control the volume of data they are collecting and how to make sure they store that data in a secure way.
The next vulnerability is around access – specifically, who has access to where customer data is stored, and who has privileged access, which gives access to key systems. Those accounts are something that attackers generally target.
“Hygiene” in security is also important. This generally means ensuring security systems are patched and up to date, as hackers will target out-of-date systems and known vulnerabilities.
However, there are old systems that are difficult to patch and expensive to replace. Are retailers going to replace all those systems in the next five months? Probably not. Can they make sure those systems are monitored and they know what the gaps are? Yes.
Monitoring is difficult in complex estates. Attacks and breaches will not always be obvious. The point it becomes obvious is when customer data is being picked up in the external environment. Often breaches are detected because someone has found customer data relating to that retailer on the dark web or on other hacker forums or the open internet.
It is inevitable that retailers will suffer a security breach at some point. How big or how nasty it is will vary. Businesses should make sure they are ready to respond to an incident. Do they know exactly how they will respond, what they will be telling the information commissioner, what they will tell their customers and how they will do the investigation?
This should be treated as the biggest risk a retailer faces. The biggest thing is to understand where they are storing their customer data, and to be confident they have a very clear view of where customer data is in their estate, and how they can protect it.
Neil Innes – Chief technology officer at ecommerce provider Visualsoft
One key threat for retailers is DDOS threats – that’s a distributed denial of service, where the cyber-criminal floods a website with “fake” traffic under the guise of actual traffic. The purpose is to overload the website-hosting infrastructure to bring the website to a crawl or take it offline entirely. These are usually tied to an extortion email asking for [digital cryptocurrency] bitcoins.
They happen as a result of retailers not keeping software up to date or not having a strong enough view on security, be it tech, application or social based. It is important to always update software when security patches are available, invest in DDOS mitigation systems and pen testing (penetration testing). This is where you evaluate the security of a technical infrastructure against vulnerabilities from cyber-attacks. It is important to ensure computer processes cover security requirements and review them regularly.
Paul Leybourne – Head of sales at network service provider Vodat International
The main things retailers can do to protect themselves from hacking are based around making sure they have the right levels of security across the estate. Retail is notoriously bad at investing in IT infrastructure. Most of the investment from retailers is around driving sales as opposed to looking at the IT infrastructure, and that makes them vulnerable.
It really is about having the right, up-to-date levels of security, with firewalls and anti-virus software. Those make it difficult for anybody to get into the network, but also prohibit anyone getting out of the network to any places where they shouldn’t be.
There are lots of ways people can get into a network. For example, most retailers have wi-fi in stores or offices, and people use that on handheld devices or their own connected devices. This all leaves vulnerabilities in the network as a way for people to get into the network of a business. The more “connected” a business is, the more susceptible it may be to an attack. Without the right levels of security there they are leaving the corporate network quite vulnerable.
Some retailers use two separate networks – they have their own corporate network and then they will have separate internet-facing connectivity for the customers to use in store to keep them away from the corporate network.
You can also have one network but segregate the traffic within that. One channel allows corporate and store devices and the other is limited to the customers. If a customer is using a mobile device to browse in-store then it does not touch the corporate network.
Lots of the necessary security is around sharing information and passwords. It’s about protecting customer details, protecting any of the services that you’re using. There’s not an instant fix to stop people getting into your network, but you can help by applying the right security settings.
- Patch and update all software and firmware, use antivirus software and firewalls, and regularly update devices and apps.
- When sending sensitive data on the move, do not connect to public wi-fi hotspots. Use 3G, 4G or a VPN (virtual private network).
- Control who has access to removable media (USB sticks, SD cards etc). Encourage transferring files online instead, via Google Drive, WeTransfer or similar.
- Make backing up computer storage a regular part of your business, and make sure the device containing your backed-up data is not permanently connected to the network.
- Do not enforce regular password changes – they only need to be changed when you suspect a compromise.
- Configure [employer-supplied] mobile devices so they can be tracked, remotely wiped or remotely locked if they are stolen.
- Use two-factor authentication for important websites (such as banking or data storage). This means you need a password and an authentication code that may be sent via text or email.