Retail Technology

Hacker Spring offers urgent lessons

By CyXcel | Monday June 9 2025 | UPDATED 08.06.25

M&S and Co-op attacks offer urgent lessons for consumer-facing businesses, says Jano Bermudes, co-founder and COO, CyXcel

 

Spring has been a season of alarm for retailers. In the space of just a few weeks, M&S, the Co-op and Harrods have all been hit by cyberattacks that have exposed the personal data of their customers.

The impacts have been significant. In the case of M&S, the company saw a whopping £700 million wiped off its market value in the week following the attack as its share price fell almost 7%. The firm has also had to halt all online orders – a revenue stream that generates around £3.8 million per day.

Such has been the scale of the disruption, M&S is reportedly set to file an insurance claim of up to £100 million – a figure that would cover just a fraction of its total losses. It's been suggested that the attack may cost as much as £300 million in profits, with disruption likely to continue through June and July.

Indeed, these three incidents will be a major concern to consumers across the UK. Co-op confirmed that a significant amount of data from 20 million past and current Co-op members was compromised, while M&S says that some customers' contact details, dates of birth and online order histories were stolen.

The increasing regularity of attacks may destabilise or change shoppers' normal pattern of storing their credentials in online retail systems, disrupting the entire retail industry. Further, research shows that 58% of customers consider brands that suffer data breaches to be untrustworthy, with seven in ten stating that they would stop shopping with any company that suffered a security incident.

Retailers are attractive targets for threat actors

The focus of hackers on major retailers is unlikely to subside anytime soon, with Dior, Victoria’s Secret and Adidas also having suffered breaches this year.

Retailers are particularly attractive targets for several reasons. Crucially, they handle large volumes of sensitive data that cybercriminals could use to create false accounts, forge documents and sell identities to criminal marketplaces. And that's before we consider what threat actors will be able to do when deepfakes and AI-driven attack patterns become mainstream in the coming years.

Online retailers are transactional businesses that rely on the availability of their digital storefronts. In addition, their reliance on complex supply chains makes them vulnerable to third-party breaches.

Building layered defences and enhancing third-party risk management

With such clear criminal incentives, it is perhaps no surprise that the number of high-profile incidents is ramping up. So, how can retailers respond to build resilience in the face of the same threats?

Crucially, firms need to focus on building layered defences that span privilege management, anomaly detection, response, containment, and detection.

This may require an increase in spend. Gartner recommends that companies allocate 1-2% of their revenue to cybersecurity – around 10-15% of the IT budget. However, most companies fall way short of this benchmark. I often see as little as 0.5% of revenue dedicated to IT, let alone cybersecurity.

With a greater budget, retailers will be able to enhance their capabilities in key areas, bolstering network, perimeter, endpoint, point of sale and access management security. Firms should also work to encrypt customer and payment data at rest and in transit, store only the minimum required personal data, build 24/7 monitoring capabilities, and run regular penetration testing programmes.

The focus shouldn't just be internal either. Supply chain attacks are on the up, with Adidas having most recently suffered an attack in which criminals accessed its systems through a third-party customer service provider. Retailers therefore also need to enhance their third-party risk management practices, ensuring all corporate controls are pushed into the supply chain.

This is not as simple as it seems. Commercial contracts need upgrading before vendors will enhance their security levels. Corporate controls may simply not be designed for cloud-based security and the huge variability in shadow IT supporting the disparate components that retailers cobble together to create a compelling shopping experience. There is a move from doing the security to watching and ensuring security through audits, monitoring and other means.

Security investments can provide a clear competitive advantage

In the current threat landscape, such measures are crucial. Given the current spate of attacks, we can assume that increased regulation is not far behind.

From operational downtime leading to direct impacts on profit to reputational damages resulting in loss of customer trust in the longer term, those companies that do suffer from breaches can experience a range of incredibly damaging consequences that may be difficult to recover from.

Alternatively, those firms that do prioritise security best practices and demonstrate this to consumers will be well placed to build confidence.

In an era where data breaches against household retail names are becoming increasingly common, digital resilience is increasingly becoming a clear competitive advantage. The winners will be organisations that build their platforms secure from the ground up, that buy secure to ensure lower total cost of ownership in the long run.
