Retailers need to invest more in cyber security, with the number of retailers reporting data breaches to the Information Commissioner’s Office (ICO) having doubled in the past year, according to law firm RPC.
Breaches involving the loss of client data from hacking or leaking rose from 19 in 2015/16 to 38 in 2016/17, according to ICO figures.
The risks involved in data breaches are increasing in the retail industry, the law firm said, as retailers accumulate more personal information on their customers as part of their big data initiatives.
Data collected through online shopping, loyalty programmes and digital marketing is making even relatively small retailers a target for cyber criminals, according to RPC.
“Retailers are a goldmine of personal data but their high-profile nature and sometimes aging complex systems make them a popular target for hackers,” said Jeremy Drew, partner at RPC.
But with rising wage costs, rates increases, exchange rate falls and the cost of keeping up with technology, a proper overhaul of cyber defences tends to be “put on the back burner”, he said.
Cyber security is a high priority for just 39% of directors or senior managers in the retail and wholesale sector, according to a July 2017 analysis of Gov.uk data from 1,500 firms by commercial property agency Savoy Stewart.
However, Drew said the regulatory burden and financial risks involved in a data breach will increase substantially after the deadline for compliance with the General Data Protection Regulation (GDPR) on 25 May 2018.
He predicts that the number of personal data breaches reported in the retail sector is likely to increase as reporting such breaches will become mandatory for the first time.
“As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained,” he said.
David Kennerley, director of threat research at security firm Webroot, said organisations have a “huge responsibility” to keep private information secure.
“The storage, transit and access of critical and sensitive data needs to be protected to the highest standards possible,” he said.
Kennerley said this means that all access to personal data held by retailers and other organisations needs to be monitored.
“The bad guys don’t stand still and neither should the security defences of organisations. Business practices and policies will need to be constantly reviewed as company processes and risks change,” he said.
Kennerley said retailers need to keep point of sale (PoS) software up to date, deploy threat protection and detection on these devices, and maintain the physical security of PoS systems.
“Where possible, two-factor authentication should be used internally and by their customers, while online transactions should always require customers to enter the CVV [security] number,” he said.
Retailers should encourage customers to use a unique password for every online account, and they should ensure customers are fully aware of the security threats that they may face, and what information the retailer will and will not ask for when they need to contact the customer.
“Guidance should also be given on how customers should access the retailer’s website and what security checks they should perform when logging on,” said Kennerley.
“Retailers need to make sure all data that they store and transmit is encrypted, that access is given only to those in the organisation who need it to perform their job, and that any third-party entities are maintaining the same high standards.
“Security cannot take a back seat with hackers stepping up their game and being successful in their attacks,” he said.
In July 2017, a Thales data security report revealed that more than 80% of retailers consider themselves vulnerable to data threats, and 37% said they are “very” or “extremely” vulnerable.
According to the report, 43% of retailers have experienced a data breach in the past year, and a third of those reported more than one breach.
As a result, nearly three-quarters of retailers expect their spending on IT security to increase, partly driven by increased regulation, such as the GDPR.