Protecting your brand must be on everyone’s radar

Retailers have always been unique in the world of business. With slim margins, complex supply chains and rapid changes in customer interest driven by changes in seasons or a viral hit on social media, retailers are constantly adapting to different market conditions. Retail boards and executives need to be financial analysts, property speculators, geopolitical gurus, social-media experts, brand builders and, above all else, relentlessly customer-focused. 

It is little surprise, then, that the need for retail boards to be highly literate in technology and cyber-risk has been seen as just another challenge. The rapid pivot of retailers to digital channels has led to more customer data being collected, and in light of some of the high-profile data breaches in Australia in the last 12 months, boards are concerned about whether their cyber-risks are now being properly managed.

Unlike challenges in the past, however, cyber-risk and security have a habit of making those who haven’t been deeply involved in them as a profession feel a sense of unease or even fear. Retail boards and executives are required to oversee a complex organisation with multiple points of presence in both the real and online worlds, which rely on systems remaining secure and available to trade to protect brand, reputation and even a business’s ongoing existence. 

There is good news, though. The need for a greater level of engagement in cyber-risk is becoming better understood each year. KPMG’s 2022 CEO Outlook Report shows that more CEOs are recognising that they’re underprepared for a cyber-attack – with 24 per cent saying so in 2022, compared with 13 per cent in 2021 – and no noticeable change in the number who say they are prepared (56 per cent). There were, however, nearly three-quarters (72 per cent) who said their organisation at least has a plan in place to deal with a ransomware attack, compared with 65 per cent in 2021.

However, what is often forgotten in discussions of cyber-risk is the upside. Done well, cyber-risk management can be a significant advantage for retailers, not just through the avoidance of the costs and brand damage that come with an attack but also from the increased levels of trust and engagement that come from an honest, open and clear discussion with your customers. Take loyalty or membership programs as an example.

Whilst it may be easy to sign customers up at the point of sale and keep them engaged from there, the ROI from setting up and running these programs can be turned on its head as soon as that trust is broken. 

In KPMG’s Cyber Trust Insights 2022 global report, over one-third of organisations we surveyed already recognised that increased trust leads to better profitability, but nearly two-thirds said that cyber-security requirements are still shaped by compliance rather than long-term strategic ambitions. 

In 2023, Australian retailers that truly understand the business advantage gained by ensuring their systems, suppliers and people are able to demonstrate how they manage cyber-risks are doing the right thing not only by their customers, but also by their bottom line.

Verizon’s 2022 Data Breach Investigations Report analysed more than 23,000 incidents and 5,200 confirmed breaches from all around the world. This report notes that of the 629 incidents and 241 breaches for retailers, social engineering attacks – such as phishing and pretexting – have been increasing consistently, year-on-year, from 7 per cent in 2016, to 13 per cent in 2018 and now to 29 per cent in 2021. 

So what can retailers do? How should they respond to both the risks and the opportunities that exist? 

1. Harness your greatest asset: your people

Retailers’ reliance on technology at almost every single point across a long and time-critical supply chain can’t be ignored. The retail technology landscape is one of complexity in terms of systems, suppliers, locations and, critically, people. It can’t be monitored 100 per cent of the time for 100 per cent of the cyber-risks. Whilst the incident and breach numbers for retailers support the common view that employees are the weakest link in any organisational security program, the reality is that they can also be its greatest asset.

Workforces – both yours as a retailer and those of your suppliers and third parties – can act as the first line of defence in blunting social engineering attacks, if they are well educated in cyber-security risks. Activities ranging from training campaigns to phishing and crisis simulations are examples of reliable, well-established ways to help build awareness of cyber-risk. Emerging options such as user behaviour analysis through integrated API analytics and dedicated cyber escape rooms are particularly worthy of consideration for retailers whose employees are often highly geographically dispersed in clustered groups with a high percentage of casual workers. 

2. Learn from the (recent) past

Recent history has highlighted for all Australians just how real the threat of a successful cyber-attack is. Then, once the investigations are done and the causes identified, the importance of getting your core cyber-controls in place and making sure they’re working is yet again reinforced.

These core controls are things like: making sure vulnerabilities in your systems are identified and then quickly patched; implementing multi-factor authentication; decommissioning old systems and rationalising duplicated functionality; making sure APIs are hardened and secure; taking backups of critical data and systems then testing them as part of regular resilience recovery exercises; and having the right tools in place to detect and alert you to any unusual or suspicious activity.

Critically, for retailers, this also includes asking questions and seeking assurance from your suppliers and supply-chain partners that they do the same. In the high-volume and multi-vendor world of retail, it may seem that high levels of supply redundancy are available, but dig a bit deeper and you’ll often find that what seemed like a wide field of suppliers are all relying on the same fourth- or fifth-party supplier somewhere down the line.

Finally, testing that the controls you and your suppliers are relying on are designed and operating effectively is essential. The hard lessons about missing or incomplete controls learned by organisations that have been compromised cannot be ignored. 

3. When something does go wrong, know whom to call

Knowing whom to contact is crucial when responding to a cyber-incident. Swift, clear actions and communication enable you to protect what you can and prevent further harm. Not only that but, crucially, in retail, where stickiness of customers is so important, holding on to as much goodwill as you can in the very worst of times is vital.

Preparing your own teams, from the board down, to know how to respond and communicate with your customers, your regulators and governments, third party suppliers and the media in a crisis is make-or-break leadership. Getting ahead of the game allows you to be more proactive and methodical in your response, leading to clearer thinking and decision-making. It also gives you an opportunity to show your customers how, even in the worst of times, you respect them and that you will work to repay their trust in you right from the very beginning. 

Along with the mock exercises that can help prepare you for these situations, there is also a growing number of helplines to call for support and guidance in a crisis; for example, KPMG’s own Cyber Incident Hotline (1800 316 767) has received a significant increase in requests over the last 12 months, as have others, such as IDCARE in Australia. Help is at hand, and more so now than ever before.

The bottom line for Australian retailers in 2023 is that while the threats posed by a cyber-attack are showing no signs of slowing down, preventing and being ready to respond to one need not be as much of a daunting prospect in the future as it has been in the past, if you prepare for it in the right way, right now.

This article was originally published in the 2023 Australian Retail Outlook, powered by KPMG.
