Christmas and Thanksgiving are times for both joy and vulnerability among retailers. The sales frenzy on the weekend of Black Friday and Cyber Monday – which follows Thanksgiving in the USA – and the rush before Christmas provide a much needed boost to a highly pressured sector. 

But while the checkouts are ringing (or clicking), the retail sector is also prone to a surge in cyber warfare. Customers are usually at their least cyber aware when they are desperate to secure a bargain, so clicking on that malicious link becomes so much more likely. 

At the same time, the intense rush to hit period sales targets can distract retailers themselves from good cyber hygiene, and timely incident response. Adversaries have written (or more likely procured) the required malware/code and are ready to act.

One year ago I wrote about the poor state of cybersecurity in the retail sector. At the time, retailers displayed less good practice in cybersecurity than any other sector, according to our Risk:Value research. Retailers spent two percentage points less of their IT budget on cybersecurity than the average business. Just 48% of retailers had a formal cybersecurity policy in place.

We repeated the research this year. The good news – if you can call it that – is that good practice has increased slightly in the retail sector, and retail is no longer the weakest sector. Spend is still two percentage points behind the average, but adoption of cybersecurity policies is over the half-way mark.

There is still a long way to go. Retail has the third highest number of serious vulnerabilities of any sector, according to analysis conducted for the WhiteHat Security 2019 Stats Report. That is a per-site calculation – and of course retailers have many sites.  

There appears to be a talent acquisition issue too. We investigated the workplace cybersecurity attitudes and behaviors of those under 30 years of age in a report we published in October. This found that the leading under 30s in cybersecurity are most likely to work for professional services, technology and finance companies. The retail and wholesale sectors are found in the bottom three sectors. This needs to be fixed – fast. A business will struggle to create and enforce the required cybersecurity culture across its organization without the right people to drive it. 

Furthermore, analysis in our Global Threat Intelligence Report 2019 shows that retail is hit by 6% of all attacks, and this will spike as we move into this critical part of the retail sales cycle.

In some respects, retail is no different to other sectors, driving efficiencies, digital transformation and innovation. These themes are discussed in Future Disrupted, our look at trends that will face businesses in 2020. 

But execution of cyber defense needs to improve.

Policy development, application security and preparations for incident response must be major focuses. Retailers must understand their risk profile and how it is evolving; a risk assessment service can help with this. And they must focus on people: from their own cybersecurity teams and external advisors, through developing an organization-wide culture that employees buy into, to helping their customers avoid falling victim to the next holiday-season-themed threat.

Retailers must take advantage of their most prosperous time of year while simultaneously mitigating and managing the risks they face.