Since the start of 2023, cybersecurity and data privacy have remained top of the news agenda across Australia.
The impact of significant data breaches and cyber incidents has spread far beyond the realm of IT security experts and is now on most business leaders’ and consumers’ minds.
To date, cybersecurity has not been a major consideration for most retailers even though retail is listed amongst Australia’s critical infrastructure. What that means is that if access to food and groceries was destroyed or rendered unavailable for an extended period, the social or economic wellbeing of the nation would be significantly impacted.
There are many reasons why, historically, cyber security has not been a priority for retailers, and the recent rise in awareness around protection was needed. But it has also brought with it a lot of misunderstanding and misinformation for retailers who are beginning to re-evaluate their cyber security measures.
1. Attacks are not always financially motivated
Four in ten (44%) organisations across critical industries reported an increase in the volume, severity or scope of cyberattacks last year.
What makes an attack on critical infrastructure and essential services unique is that it is not always financially motivated. Malicious actors often want to significantly damage things or cause physical harm to people. An attack on certain elements of the retail sector has the potential to disrupt essential functions across other critical sectors, resulting in the breakdown of society.
2. It’s not always about data privacy
Many retailers don’t collect personal data and therefore believe they are at limited risk of a breach. But cyber-attacks are not always about exposing personal data.
Consider the value of a retail company’s operational data.
If a criminal actor wanted to significantly disrupt a retailer’s ability to trade effectively, they would target vital operational data, such as the stocking system. These types of ‘soft targets’ can have a damaging impact, from stock manipulation to revenue loss. An extensive period of trading instability caused by compromised operational data could even affect the company’s stock price.
3. Digital shopping experiences are driven by data
Less than ten years ago, retailers could still take cash or credit card if payment systems shut down. However, the recent explosion of digital platforms and reliance on data to drive them is reason enough to shift retailers’ attitudes towards cybersecurity.
For example, customers expect ease of engagement when they buy goods online. If a retailer’s Know Your Customer (KYC) platform is compromised by criminal actors, customers will experience friction at the point of sale and go elsewhere to make their purchase. And if the data underpinning the platform becomes inaccessible or is manipulated for an extended period, the results could significantly impact brand reputation, customer loyalty and the bottom line.
Data security is just that… ‘data security’
While cybersecurity is used as an all-encompassing term to cover anything in a computing environment, data security requires a very specific approach.
We distinguish the two because a) accessing data is often the principal reason for attack and b) the concept of trying to defend every potentially exploitable asset in a computing environment to prevent serious data incidents is a fallacy.
Many organisations are driven by the belief that if security best practices around user access, connected devices, software and networks have been deployed, then the data is safe. Common practices such as penetration testing and cyber awareness training are also often thought to represent extra safeguards protecting the organisation’s environment.
However, if confidentiality and integrity are not enforced on the data itself, and the organisation instead relies on everything else around it being secure, then the data is not secure.
Treat your data like your dollars
It takes only one material error in the edge security environment or a small human oversight to open the door to a skilled attacker. Without security on the data itself, data can easily be breached or stolen, often costing organisations a hundred times more than it would have cost to secure the actual data.
Suppose your organisation had a million dollars in physical cash. There’s no way you would simply store it on a shelf in the office and rely on an alarm on the building, strong front doors, and a guard at the front desk for security. The organisation would protect the cash itself by locking it in a very secure safe. What’s more, keys or codes would only be shared with those who need access, the safe would be protected by a robust alarm system, and it would be monitored 24/7 by a response service that would react in seconds if the alarm went off.
Security fit for a critical industry
Securing retail data may seem like a huge and expensive challenge. The key is to focus time and resources on securing sensitive data, operational data and data that impacts compliance obligations using three simple controls:
- Make it safe by hiding it in plain sight – apply encryption, tokenisation, masking, or anonymisation to ensure sensitive information is not visible to unauthorised users or processes. If the data cannot be easily viewed, it is less at risk. In addition, if the data is inherently hidden, it can be easily moved, replicated, or backed up without being put at risk of disclosure – either deliberate or accidental.
- Control who or what can access the data – ensure only authorised people or processes have access to the keys that unlock the safe. While they may be authorised to access the room containing the safe, it does not automatically give them the right to access the cash. If data access control is correctly enforced, it will not only prevent sensitive data from being stolen or accidentally disclosed, but it will also prevent data from being tampered with.
- Proactively alert when the data itself is threatened – if an unauthorised person or process tries to read or write to the data, good data security will stop it. Without integrating threat response, data security may only delay the attack. Once alerted, a quick response needs to be triggered.
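One way to put the three controls above into working code, as an added example (not the author’s or Thales’s code): a small Python vault that hides a field behind a keyed HMAC token, releases cleartext only to principals granted read access, and records every refused operation as an alert for a responder. The stocking record, principal names and grants are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

class DataVault:
    """Field-level data security layer around the three controls (constructed example).
    1. hide: the application record keeps only a token; cleartext lives in the vault
    2. control access: cleartext is released only to principals granted 'read'
    3. alert: every refused read or write is recorded for the response service"""

    def __init__(self, grants):
        self.key = secrets.token_bytes(32)  # per-vault HMAC key (stand-in for a key store)
        self.grants = grants                # principal -> set of permitted operations
        self.alerts = []                    # denied operations, fed to the responder
        self._cleartext = {}                # token -> cleartext, never handed out unchecked

    def _check(self, principal, op, what):
        if op not in self.grants.get(principal, set()):
            self.alerts.append(f"DENIED {op} of {what} by {principal}")
            raise PermissionError(f"{principal} may not {op} {what}")

    def tokenise(self, principal, field_name, value):
        self._check(principal, "write", field_name)
        # Keyed HMAC: the same value always maps to the same token, so records can
        # still be matched (stock reconciliation, de-duplication) without revealing it.
        token = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._cleartext[token] = value
        return token

    def detokenise(self, principal, field_name, token):
        self._check(principal, "read", field_name)
        return self._cleartext[token]

    @staticmethod
    def mask(value, keep=2):  # display form for users who must recognise, not read, a value
        return "*" * max(len(value) - keep, 0) + value[-keep:]

def demo():
    """Stocking record: the product code stays visible, the supplier cost is tokenised."""
    vault = DataVault({"stock_service": {"read", "write"}, "store_kiosk": set()})
    record = {"sku": "SKU-1001",
              "supplier_cost": vault.tokenise("stock_service", "supplier_cost", "12.40")}
    restored = vault.detokenise("stock_service", "supplier_cost", record["supplier_cost"])
    try:  # the kiosk may hold the record, but reading the cost is refused and alerted
        vault.detokenise("store_kiosk", "supplier_cost", record["supplier_cost"])
    except PermissionError:
        pass
    return record, restored, vault.mask("12.40"), vault.alerts
```

The alert list is the hook for the third control: in practice it would feed the monitoring and response service rather than sit in memory.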
The growth and success of a business today relies as much on good data security as on safeguarding its cash flow. Increasing protection levels will not only mitigate costly breaches, but also future-proof the retail industry against the inevitable introduction of stronger cybersecurity regulatory obligations.
Brian Grant is regional director of Australia and New Zealand at Thales Cloud Security.