Cyber-security threats are real and rising, and Australia’s retail sector is a prime target.

Maintaining effective cyber-security defences has become a strategic challenge for retailers of all shapes and sizes, from family-owned outfits to listed chains.

Australia’s 187,000 retail businesses enjoy collective revenue of $571 billion and employ a workforce of almost two million people, according to Ibisworld research.

Digitisation is widespread across the sector and major system outages can cause significant disruption and economic damage. In addition, many brands and outlets collect and store customers’ personal data for marketing purposes and safeguarding these records is, or should be, a key imperative in today’s privacy conscious times.

Mitigating these cyber-risks effectively calls for a top-down approach, with buy-in and support from senior managers and executives from across the enterprise.

Scoping out the challenge

The past two decades have seen information technology undergo an extreme transformation. Once synonymous with processing power in the data centre, it’s now ingrained in almost every aspect of daily life, at home and at work. That has changed the threat landscape.

Once a rarity, cyber-security incidents are now unremarkable and managing the risks associated with them has become part and parcel of running a retail operation, rather than merely an issue for the tech team.

For many retailers and brands, the challenges of implementing effective cyber-security practices are exacerbated by the legacy solutions that are still in use – ageing equipment and core infrastructure that can be difficult to patch and protect.

Getting the board on board

Unfortunately, executive-level discussion about cyber risks in many retail organisations tends to revolve around fear. Attention is typically focused on the dire implications of an attack and the fallout it could cause.

Often, security professionals will present alarming data about the rates of attack and the extent of potential damage. Their overriding message is that, if everything is not fixed quickly, the organisation could find itself in real trouble.

A more constructive focus would be on how, beyond reducing the threat level, becoming proactive about cyber-security can benefit a retailer more broadly, by bolstering its reputation for customer care.

In today’s highly competitive retail landscape, shoppers are spoilt for choice in most categories and customer experience can be a deciding factor for individuals contemplating whether, when and where to spend their dollars. Against this backdrop, being perceived as an enterprise that is respectful of customers’ privacy and assiduous in its efforts to protect it can be a source of competitive advantage for a retailer or brand.

Retailers also need to consider cyber risk from a legal perspective. In common with other businesses and organisations, they need to comply with the Australian Privacy Principles laid down by the Office of the Australian Information Commissioner.

Australian retailers and brands that market their wares to customers from EU countries are also subject to that bloc’s stringent GDPR regulations, which extend to all organisations that collect and store the personal data of EU citizens, regardless of geographic location.

Retailers also have a duty to manage the level of cyber risk faced by their enterprises, and should keep the reasonableness test front of mind when assessing their planned level of action.

This is important because risk reduction steps that would be deemed reasonable today are very different from what they were 10 years ago. Decision makers need to ensure their responses are evolving over time and commensurate with current threat levels.

A problem for the institution, not the IT department

Viewing cyber security as a technology problem, rather than a governance problem, is a mistake. Retailers that take that approach, assuming the purchase of another new piece of technology will solve the problem, perpetuate the myth that it’s possible to buy your way to safety.

And a myth it is. While products are clearly an essential piece of the security puzzle, it’s vital organisations develop much broader strategies to deal with rising threat levels.

Creating a multi-disciplinary team comprising representatives from across the enterprise is the best way to ensure all aspects of cyber risk are assessed and each division or business unit is aware of its role, both in mitigation and response, should an incident occur.

Time to act

The risk to retailers posed by hackers and cyber-criminals is real and rising. Threats are becoming increasingly targeted and sophisticated, according to advice released by the Australian Cyber Security Centre in 2019. Business leaders surveyed for PwC’s 2018 Global Economic Crime and Fraud Survey: Australian Report flagged cyber-crime as the most disruptive economic crime of our era.

Taking an enterprise-wide approach to cyber-security, led by senior managers and executives, will help mitigate the risk for local brands and retailers prepared to put the issue squarely on the counter in the boardroom, as well as in the IT shop.

By Phil Kernick, Co-Founder and Chief Technology Officer at CQR Consulting
