Industry

Retail

Secure omni-channel and e-commerce platforms, protect customer data, maintain trust in online transactions and secure API environments.

Introduction

Amid the rapid expansion of e-commerce, cyber threat actors have honed in on retailer’s most prized targets, payment details and transaction data. At the same time, a dynamic landscape is introducing new technologies and platforms, gradually replacing traditional point of sale (POS) systems and devices.

To navigate this shifting terrain securely, organisations must embrace a trio of imperatives: regular product security assessments, an acute awareness of evolving regulations, and the formulation of enduring security strategies.

Industry Overview

The COVID-19 pandemic ushered in a new digital age for UK retail and accelerated investment in customer experience (CX) technology, to meet rapidly changing consumer needs. In parallel, the rapid growth of e-commerce and digital marketing has seen an increase in cyber threats against retail businesses.

With more than £441 billion of total UK retail sales in 2022 and 27% of this figure now being spent online, the risk of cyber attacks on supply chains, payment systems and associated infrastructure, has never been greater.

Security breaches continue to pose a significant threat to retailers. With cybercriminals targeting leading UK retailers, it’s clear that there’s significantly more to be done to mitigate cyber attacks in the retail sector.

The complexity of securing an organisation’s IT infrastructure often stems from the fact that it has been developed over several years, with technologies layered one on top of another. It’s not uncommon for one retailer alone to have built their business on multi-cloud Infrastructure as a Service (IaaS) environments, with the addition of multiple Software as a Service (SaaS) applications. This can lead to limited visibility, increased vulnerabilities and challenging IT environments. Often, retail organisations are also struggling with a lack of in-house skills and the expertise to secure their rapidly evolving IT estate.

With a clear divide between retail organisations “born in the cloud” and traditional bricks and mortar companies embarking on their own digital transformation journey, the cybersecurity challenges retailers face are significant.

Market Trends & Statistics

With access to customer data, including PII, credit card information, and purchasing history, retailers have always been in the cross-hairs of cybercriminals. According to Verizon’s 2023 Data Breach Report (DBR), the retail industry experienced 629 incidents in 2023, out of which 241 were confirmed data breaches. The main motive of these incidents was to steal customer data for financial gain.

According to Verizon’s DBIR, when it comes to how these data breaches and incidents occur, it is a roundup of the usual suspects, with both ransomware and the use of stolen credentials among the top, along with email and web applications.

At its core, the challenge retailers are facing as they embrace the latest data-driven technologies to boost productivity and enhance the customer experience, is an exponentially expanding threat surface. Rather than securing money or physical goods from a store or warehouse, retailers must now prevent cybercriminals from stealing information, especially the valuable cardholder data that flows between consumers and retailers.

It’s not just external threats that retailers face. Insider threats in retail are also rising. Recent statistics indicate that 30 percent of Chief Information Security Officers (CISOs) worldwide find insider threats to be a significant risk to their organisation’s cybersecurity. Employees are often said to be an organisation’s first line of defence against cyber attacks, but also their weakest link.

Point-of-sale (POS) systems are also an increasingly popular point of attack for acquiring transaction data, giving cybercriminals immediate access to valuable information such as card numbers and personal identification numbers.

Whether an attack is simple or sophisticated, the results can be disastrous. Retailers today must understand the potential threats, and take aggressive action to protect themselves and their customers from harm.

Challenges & Opportunities

A recent Gartner study concluded that the main priorities of retail enterprises are: growth (35%), customer/user experience (27%) and technology modernisation (20%). To compete in an increasingly cutthroat marketplace, retailers are spending huge budgets in the hope of becoming household names. Brand recognition is a double-edged sword when it comes to cybersecurity. The more well-known a brand becomes, the greater the interest from cybercriminals.

The growth in e-commerce and digital retail, driven in large part by consumers moving online during the pandemic and subsequent changes in long-term shopping habits, has rewarded retailers with an agile and digital-first approach to their IT environment. However, cybercriminals have also shifted their focus to capitalise on the increase in online transactions.

Several cybercriminal groups dubbed Magecart, have successfully deployed a range of ‘skimming’ attacks to remove customer and payment data from online transactions, often via compromised online shopping baskets, checkout systems and credit card processing pages. Several of the world’s most well-known retail brands have fallen victim to these attacks, which Verizon’s DBR estimates are responsible for 18% of all retail cyber breaches. Cybercriminals are also using similar approaches to target customer loyalty programs and reward schemes, often with the aim of selling reward points on dark web marketplaces.

Regulations & Compliance

The retail industry is subject to a variety of regulations that govern the collection, use and protection of personal information. Compliance with these regulations is crucial for retail stores to maintain their customers’ trust and avoid potential legal, financial and reputational consequences. Some of the key regulations that apply to the retail industry include the following:

The global standard for data security as set out by the Payment Card Industry Security Standards Council. These data security standards have been adopted by all leading payment card issuers and govern how companies carrying out card payment transactions use and protect payment information. These standards cover how payment card data is collected, stored, transmitted and authenticated. The standards are regularly updated and all retailers accepting card payments must comply with the most recent standards.

The General Data Protection Regulation (GDPR) is a landmark piece of legislation that governs how organisations collect, store and use personal data of individuals. Enforced by the Information Commissioner’s Office (ICO) in the United Kingdom, fines for non-compliance of GDPR can be significant – ranging up to 4% of an organisation’s turnover or £17.5m. Large retail organisations have been subject to large penalties for GDPR non-compliance, including one large retailer where a technical error exposed sensitive personal data stored on the organisation’s network to all employees in the company.

Cyber Essentials is a Government-backed scheme that aims to help organisations protect themselves against the most common cyber attacks and demonstrate their commitment to cybersecurity. With two levels of certification – Cyber Essentials and Cyber Essentials Plus – the scheme provides a range of support for all sizes of organisation. With Cyber Essentials, a self-assessment scheme, organisations can minimise common vulnerabilities to basic attacks and provide mitigating steps to some of the most common cybersecurity threats. Cyber Essentials Plus includes hands-on technical verification and provides a more robust framework for developing an organisation’s cybersecurity posture.

Looking for cybersecurity peace of mind?

Conclusion

In a rapidly changing retail environment, cyber threats continue to grow exponentially. Holding significant repositories of customer and payment data while protecting against fraud and malicious activity, UK retailers must be prepared for the worst and have a clearly defined cybersecurity strategy acknowledged by their boards. In addition, as new supply chains and sales channels emerge, keeping on top of emerging threats and solutions becomes key.

BlueFort is the UK’s leading independent Security Solutions Partner (SSP). Using our unique combination of people and technology, we help retailers simplify their cybersecurity journey, optimise their IT environment and protect their most valuable data.

Designed to face the reality of modern cybersecurity, BlueFort’s standards-based framework of Continuous Discovery, Validation and Control, helps retail organisations ensure their security environments are fit for purpose by prioritising assessment, consolidation and optimisation.

We give you access to industry experts who have gone through the vetting, testing and curation of exciting new technologies to help you cut through the noise of the cybersecurity market, and deliver proactive cyber market research and enhanced support.

See how BlueFort can help you simplify your cybersecurity

How we helped Boden with a challenge that faced them in this industry

Lack of visibility to devices accessing the network, which may be vulnerable due to a lack of proper security controls or may be infected with malware, had the potential to put Boden’s entire IT infrastructure at risk.

Related Resources

Whitepaper

Use Case

External Attack Surface Management (EASM)

Cyber Threat Intelligence (CTI)

Data Security

Continuous Threat Exposure Management (CTEM)

Optimised SIEM

Cloud Security Posture Management (CSPM)

Zero Trust / IAM

Industries

BlueFort Evolve

Security Assessments

Consulting

Cybersecurity Support

Company

Why Choose BlueFort?

Our Approach

Meet The Team

Careers

Events & Webinars

Content Library

The Modern MFA Capabilities NHS Organisations must prioritise to meet the New NHS England Requirements