Cyber security is a topic that is hot off the press, full of buzz words and catch phrases and often with a healthy dose of fear, uncertainty and doubt (or ‘FUD’, if you are acronym inclined) thrown in the mix. Often the broader cyber message fails to be tailored to the retail industry, or pragmatic to the way in which retailers operate. It can be heavy on technical detail, tends to tell us we are doing everything wrong, and quickly drills down on the details of malware and point of sale vulnerabilities. These are valid concerns but the conversation needs to come up a level.
With everything and everyone connected to the ‘Internet of Things’; customers and employees engaging with us online and trusting us to look after them; and the ‘baddies’ inventing new ways of coming to get us, here is a simplified version of the cyber security message for retailers.
1. Cyber is real
Injecting fear is different to accepting reality. By now I would like to think that our heads are out of the sand and we have accepted that the risks presented by cyber are persistent and real. Not a day goes past without another breach making the news or a hacktivist campaign being announced, and they are just the ones that are publicised. The people behind these attacks do not discriminate on the basis of country, industry, wallet size or prominence of brand. If you are a user of technology and you have a connected network that includes access to the internet, then you are fair game. The sooner you adopt this mindset, the sooner you can work on mitigating the risk.
2. Ownership and collaboration are key
Accepting the risk is one part; you also need to own the solution. In retail, the traditional responsibility for IT security is all too often buried in the depths of IT with no one person being responsible. Yes, there is a technology angle to all of this, but the overall risk is broader than that. It is no longer a technical solution to a technical problem. IT security has become Information Risk and Security, and with that transition, so too shifts the risk.
The sooner the focus is lifted out of the depths of IT and shared between Enterprise Risk, Digital and Customer, Core Operations and Legal, in partnership with IT, then the sooner you can begin to have the right conversations about appropriately mitigating cyber risks and being prepared to respond.
3. You can’t defend without a strategy and a team
For many retailers, cyber has long been attached to a compliance-driven program with an associated set of requirements, such as the Payment Card Industry Data Security Standard (PCI DSS). This means we tend to look at things cyclically, risks and remediation can be quite narrow and short-sighted, and things can be missed. ‘Baddies’ don’t orchestrate attacks in cycles, so why do we mitigate the risk of an attack in a cycle?
An ongoing and well-planned compliance program contributes to a baseline level of maturity, but it is just one part of an overall strategy. In addressing Information Risk and Security holistically, you need to connect to enterprise risk (framework and appetite), business direction and strategy, quantify your current capabilities, and also try to look forward at the evolving threat landscape.
4. It will cost time and money, but what doesn’t?
Much the same as anything in business, the protection of information that is important to you, your employees and your customers will require you to invest both time and money. In considering a holistic strategy that embeds cyber into your operating rhythm, don’t forget to include a realistic allocation of funding as part of the plan. I am often asked if I can calculate the return on investment for a well-planned and integrated cyber strategy when operating in retail, and answering such a question is fraught with danger – and vicious debate. As with any budget, the basics apply. It must be realistic, forward-thinking and balanced against a documented and validated risk appetite. One size does not fit all.
5. Being secure does not mean being boring
Ownership of the customer is a constant battle. The modern customer is inherently fickle and their expectations have grown tenfold during the digital revolution. The speed at which you innovate in the eyes of the customer can be a differentiator. Equally, the speed at which you can introduce efficiencies to your own operation to reduce your cost of selling can also be paramount to success. The traditional view is that security is not a natural partner to such agility and innovation. Times have changed. Once you accept cyber as a persistent business risk, and invest in a strategy that connects cyber risk to enterprise risk and a framework that helps guide business decisions, you are well on the way to embedding a collaborative security mindset into your operations and planning.
Shane Bell is Director, Forensic & Cyber, at McGrathNicol.