Illustration by Sébastien Thibault.
“This is not out of a movie. This is real,” says Daniel Tobok, CEO of Cytelligence Inc., a cybersecurity firm based in Toronto. “And it’s important to keep in mind that these are no longer a bunch of pimple-faced teenagers sitting in mommy and daddy’s basement, eating Cheetos and drinking Coke and doing this for fun.”
In fact, professional organized crime rings are behind most cyberattacks today, says Tobok. “That’s what makes it so dangerous because they are so well prepared, funded and controlled. And a lot of organizations don’t understand what they’re dealing with.”
Retailers, in particular, need to be cautious: the retail industry is now the top target for cyber criminals. According to the “2018 Trustwave Global Security Report,” the North American retail sector suffered the most breach incidents of any industry in 2017 (16.7%), followed by the finance and insurance industry (13.1%) and hospitality (11.9%).
From an attacker’s point of view, retailers are enticing because they hold vast amounts of valuable customer data—be it credit card information, loyalty program data or personal information. “This is very juicy for the threat actors because they can leverage this information to either attack those particular people or sell that information on the dark web for profit,” says Tobok. “So they’re able to monetize it fairly quickly.”
For businesses, the ramifications of a sophisticated attack can be far-reaching. First, there’s the financial cost. Cybersecurity Ventures predicts that globally, ransomware damages will cost businesses US$11.5 billion in 2019, up from US$325 million in 2015. The costs include not just the ransom amount, but damage or loss of data, downtime, lost productivity and employee training.
The cost of data breaches is also climbing. The “2018 Cost of A Data Breach” report by IBM and Ponemon Institute says the global average cost of a data breach hit US$3.86 million in 2017, a 6.4% increase versus the previous year.
Then, there’s the risk of reputational damage and loss of consumer trust, which also comes at a cost. “If a consumer was to steer away from that particular retailer for a period of time, there is an acquisition cost that would be required to get that consumer back,” says Marc MacKinnon, leader of Deloitte Canada’s cyber strategy practice and partner in the firm’s risk advisory practice.
Richard Levick, chairman and CEO of Washington-based PR firm Levick, sees an even greater risk emerging for grocery retailers: the health and safety of consumers. For example, as more companies are implementing “smart” devices, a ransomware attack could disturb a grocer’s refrigeration or inventory system. “If you lose control of inventory, or don’t know what the real temperature is of dairy products or other fragile goods, suddenly it becomes a health and safety issue,” says Levick.
Experts agree it’s not a matter of if a cyberattack will happen, but when. “It’s definitely going to happen to you,” Levick cautions grocery retailers. “In fact, 100% of people who run companies can expect to be breached ... The criminals are always ahead of the good guys. And no one is fully prepared.”
While it’s impossible to be 100% secure, there are steps grocery retailers can take to mitigate risk and reduce the impact of a cyberattack.
DEVOTE MORE RESOURCES TO CYBERSECURITY
“Retailers are often forced to do more with less, and security or IT teams may not be given enough budget to deal with cyber threats,” says David Greenham, senior manager, risk, performance and technology advisory services at Montreal-based Richter Advisory Group. “As a result, their teams may be more reactive than proactive.”
By dedicating more resources to cybersecurity, not only can retailers potentially fend off attacks, they can drive business results. In a recent global survey by Capgemini, 77% of respondents ranked cybersecurity as the third-most important factor when selecting a primary retailer. The report suggests retailers that adopt advanced cybersecurity measures could drive a 5.4% uplift in annual revenue.
“The traditional perspective that cybersecurity and data protection is an overhead cost needs to change,” the Capgemini report states. On the contrary, “it is an effective means to gain competitive advantage for retailers since it plays an important role in consumers’ minds when they choose their retailers. Cybersecurity and data protection also drives satisfaction and wins consumers’ trust. As a result, it can make a positive impact on top-line revenue for retailers.”
BUILD BASIC SECURITY HYGIENE
From an IT perspective, companies should start by building basic security hygiene, which involves knowing what your critical assets are and where they are, says Richter’s Greenham. Then, organizations need to understand what the biggest threats and risks are to those assets, and put in security controls to mitigate those risks.
To help thwart ransomware attacks, for example, Greenham says organizations need to update their systems with the latest security patches and frequently back up their data, so that if their data is held ransom, they can restore from backup.
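The backup advice above is only useful if the backup is one the attacker cannot reach and the restore has actually been rehearsed. The following is an added example, not code from the article or from any of the firms quoted: a POSIX shell script that archives a directory together with a SHA-256 manifest, overwrites the live files the way an encrypting payload would, restores from the archive, and proves the restored files match the manifest. It assumes a POSIX shell with tar and either sha256sum or shasum; the directory names and the sample inventory files are constructed for the demo, and the read-only “vault” directory stands in for an offline or immutable copy.

```shell
#!/bin/sh
# Added example, not from the article: back up a directory with a hash manifest,
# simulate a ransomware overwrite, restore, and prove the restore matches.
# All paths and the sample inventory files are constructed for the demo.
set -eu

hash_file() {   # sha256 of one file; falls back to shasum where sha256sum is absent
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

manifest() {    # "hash  ./relative/path" for every file under $1, sorted so runs compare
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do hash_file "$f"; done )
}

make_backup() {  # $1 source dir, $2 vault dir: archive plus manifest, then read-only
    manifest "$1" > "$2/manifest.sha256"
    tar -C "$1" -cf "$2/backup.tar" .
    chmod 0444 "$2/backup.tar" "$2/manifest.sha256"  # stand-in for an offline, immutable copy
}

verify_against_manifest() {  # exit 0 only if $1 hashes identically to manifest $2
    manifest "$1" | cmp -s - "$2"
}

simulate_ransomware() {  # overwrite every file with random bytes, as an encrypting payload would
    find "$1" -type f -exec sh -c 'head -c 64 /dev/urandom > "$1"' _ {} \;
}

restore_backup() {  # $1 vault, $2 target: clear the target first so no tampered file survives
    rm -rf "$2"
    mkdir -p "$2"
    tar -C "$2" -xf "$1/backup.tar"
}

run_demo() {    # returns 0 only if detection and restore both behave as expected
    work=$(mktemp -d)
    data="$work/store-data"; vault="$work/offline-vault"
    mkdir -p "$data/inventory" "$vault"
    printf 'sku,qty\n1001,40\n2002,12\n' > "$data/inventory/stock.csv"   # constructed sample
    printf 'cooler-a,3.5\ncooler-b,4.1\n' > "$data/inventory/temps.log"  # constructed sample

    make_backup "$data" "$vault"
    verify_against_manifest "$data" "$vault/manifest.sha256" || { echo "baseline mismatch"; return 1; }

    simulate_ransomware "$data"
    if verify_against_manifest "$data" "$vault/manifest.sha256"; then
        echo "overwrite went undetected"; return 1
    fi
    echo "live data no longer matches the backup manifest; restoring"

    restore_backup "$vault" "$data"
    verify_against_manifest "$data" "$vault/manifest.sha256" || { echo "restore failed verification"; return 1; }
    echo "restore verified against manifest"
    rm -rf "$work"
}

run_demo
```

The manifest is what makes the restore a test rather than a hope: comparing hashes after extraction catches a corrupt or partial archive before an incident does. In production the vault would be storage the point-of-sale and office networks cannot write to (offline media, or object storage with retention locks), and the rehearsal would be scheduled, since a backup that has never been restored is an assumption, not a control.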
Since grocery retailers have limited budgets, Deloitte’s MacKinnon says they need to make the best use of their resources by developing risk-prioritized controls. “The way you do that is look at your ‘crown jewels.’ What is the most sensitive data to the organization that requires protection? And how do we make sure we have the layered controls around that, so if there was an incident, it’s not going to be against the crown jewels?”
Organizations also need to be cyber vigilant, which means having early warning systems and good monitoring mechanisms in place so they can detect threats, adds MacKinnon. “It’s about making sure you have situational awareness and using intelligence wisely to be able to predict attacks.”
Tobok’s advice is “encrypt, encrypt, encrypt,” as he believes another reason the retail industry is under attack is that most retailers don’t encrypt their data. “For the bad guys, this is like shooting fish in a barrel,” he says. “You’ve got to start moving to a network of encrypted data because then it’s useless for ... It’s a true deterrent.”
EDUCATE EMPLOYEES
The human factor is paramount to cybersecurity, as employees often get tricked into clicking on malicious files, or have weak passwords that open the door for attacks. “People are the weakest link in the security chain,” says Greenham. “A lack of security awareness in employees can have a huge impact; for example, in the case of phishing or ransomware.”
Security awareness training for employees is a must, and should cover how to identify suspicious emails and who to notify if they suspect a security incident has occurred. In addition, says Greenham, “educate employees on good password practices, like creating strong passwords, not reusing their passwords across multiple online services, and especially don’t use their corporate password on those services.”
Tobok adds that employees don’t have to become military-grade IT gurus when it comes to security awareness training. “They just need to understand that this can happen and how, and how to report it when they have a problem,” he says. “That will alleviate a lot of problems.”
DEVELOP AN INCIDENT RESPONSE PLAN
In the event a cyberattack does occur, it’s important to have a well-documented and tested incident response plan so employees know what to do. “That way, people aren’t scrambling when it comes time to respond to a potential breach,” says Greenham. “They’re on top of what needs to be done. The quicker an event can be responded to, the less impact that event can have.”
From a communications standpoint, PR expert Levick says it’s what companies do before a crisis that matters most. “Specifically for grocers, you have to have an incident response plan that you communicate with your employees, and that covers the concerns of your customers in the event of a cyberattack,” he says.
When developing a plan, Levick suggests having things like signs printed up, in advance, for the store’s doors alerting shoppers should a cyberattack prevent the cash registers from working. In addition, consider having staff members who can greet customers as they enter the store and communicate what’s happened. “It could be ‘sorry, we’re the victim of a cyberattack. Everything is normal except you have to pay with cash.’ Or ‘since we can no longer be certain of the integrity of our dairy products, we removed them from the shelves,’” says Levick.
“Whatever the issue is, you have to have planned that in advance ... People will judge you by how well you recover and the only way to recover well is to prepare.”
This article appeared in Canadian Grocer’s August 2018 issue.