With the onset of the holiday season getting earlier and earlier, we are now getting close to the time when the online stores prepare for arguably the busiest times of year. Last year, we looked at the impact of poor security from a consumer perspective via our “consumer trust” survey and gave some top tips to help stay safe online. This year, we are looking at it from the retailer’s perspective. Recent research suggests that the retail sector is among one of the most targeted vertical for attacks and, with one of the busiest trading periods of the year upon us, it makes sense that both consumers and retailers are diligent in terms of data security.

What can retailers (especially those with an online presence) do to stay secure?

Well, there is no one quick fix that will ensure against a breach. As with all businesses that handle sensitive data, a layered and balanced approach is required. This needs to be wrapped up in a thorough and well communicated plan so that, should the worse happen and a breach occur, the impact can be kept to a minimum and business continuity maintained.

What should a layered approach to risk management involve?

First and foremost, it is critical that businesses are fully aware of their risk profiles and what data is stored and used where. A risk insight service can help achieve this as it discovers and evaluates a business’s current risk profile against agreed metrics and proposes a prioritised list of activities to address any identified vulnerabilities. This might involve a blend of technology and processes that help prevent an attack being successful (such as anti-virus), along with other technology and techniques that identify advanced threats that may reach critical systems (such as sandboxing) and a defined plan of action to eliminate identified risks once found, or once systems are compromised.

It is vital that those with an online retail presence take all reasonable steps to insure data integrity is maintained. This includes ensuring only those who require the data have access to it (enforcing appropriate data privileges for example) and enforce good practices for data management. Whilst there are likely to be dedicated teams in place to ensure IT systems remain secure and up to date with the latest security patches, maintaining standards, good practice and vigilance should be seen as collective responsibility and this culture should be encouraged throughout the organisation. At the most basic level, this could be in the form of ongoing training and awareness education.

Business continuity is vital – but don’t forget your customers

It is equally important that a well-rounded plan is put into place should a breach happen – both in terms of closing the vulnerability as quickly as possible and secondly to ensure those impacted are made fully aware and offered guidance on what to do next. So often we are seeing household names that suffer a breach, take steps to address it, but fall short on communicating what is happening and when to their customers. A well formulated incident response plan not only addresses the immediate issue, but it also seeks to inform all relevant parties on what has happened and what they need to do next. This is vital for both business continuity and minimising the impact to customers, perhaps also minimising brand damage and maintaining a level of good will or trust as highlighted in the Risk:Value report conducted earlier in the year.

Cyber risk is for life… not just for Christmas

Whilst seasonal trading might result in a spike of targeted attacks and breaches, it is important to remember that in a connected, global economy, attack vectors and cyber threats are present 24 hours a day, every day of the year. As a result, it is crucial that a balanced and well communicated approach to cybersecurity is established and maintained at all times, and these top tips may help you to beat the Christmas rush and minimise your risks all year round… Happy Holidays!!

Top tips to help mitigate cyber risks

  • Understand your risk– conduct an annual risk insight to understand the current risk exposure and to keep the board engaged with cyber risk.
  • Secure configuration– keep hardware and software protections up to date. Stay on top of basic protection.
  • Educate and train employees – ensure they know company policies and incident response processes.
  • Incident response – establish, produce and routinely test and communicate incident management plans.
  • Monitoring – continuously monitor all systems and associated logs to spot potential attacks and minimise risk.