The digitalisation of retail has fostered tremendous potential, but simultaneously catapulted the scope for cyber-attacks against retailers to new heights.

E-commerce boomed on the back of pandemic lockdowns, and start-ups are raising millions to bring new solutions to market. Between systems, apps and data powering supply chains, warehouses, online stores and even physical shops, there are countless opportunities for breaches – whether it’s to hold companies to ransom, steal and on-sell private information, or simply cripple brands.

It wasn’t long ago that courier Toll was forced to shut down parts of its operations after two substantial cyber-attacks. It was a high-profile breach – perhaps the most heavily reported since the likes of Target and Marriott, which had the data of 70 million and 500 million customers, respectively, exposed.

Strong security policies have subsequently become critical for every retail operation, from the moment of manufacture right through to the purchase and consumption of goods and services. For a retailer, staying open depends on them as much as on the products it sells.

However, many retailers operate with the notion that simply patching and running regular updates for their business-critical systems is enough to keep hackers away.

Worse yet, they’re often cornered by technology suppliers who sell software and services as silver bullets, with an underlying ultimatum – ‘pay for these patches and upgrades every few months or you’ll be exposed to vulnerabilities that will hurt your bottom line and reputation’.

Beyond trapping retailers, this perspective neglects the reality that enterprise software vendors typically aren’t security companies. They might provide best-in-market enterprise resource planning (ERP) platforms, supply chain systems, warehouse management tools and much more, but they aren’t cyber security specialists capable of ensuring a proactive defence.

It also ignores just how much time it takes to test and apply a patch – often more than six months – dragging retailers through a laborious process that only needs to be repeated as soon as it’s finished.

The fact is that software patches are complex, and even when applied they tend to be limited in scope: they generally tackle only the specific issue that was discovered in the wild, rather than the underlying security weakness as a whole.

Retailers should be free to focus on producing great products while enhancing customer experiences. Unfortunately, many are left to deal with endless and expensive merry-go-rounds as they pay vendors to install disruptive patches dressed up as security strategies.

Looking beyond the packaging

Although fixing vulnerabilities and functional issues is important, it’s critical that retailers move past the notion that paying for every new patch their technology suppliers provide is the same as maintaining a strong cybersecurity defence.

Security is better left to experts who can safeguard retailers with cybersecurity platforms and firewalls that help minimise risk. These are the parties that can deliver modern and cost-effective security tactics – spanning database and application protection – that reduce downtime and business disruption.

They can also maintain a regular penetration testing programme: rather than waiting for a software vendor to highlight a long-undiscovered vulnerability, regular testing probes the defences for holes across all the digital investments that retailers and their supply chains rely on to operate efficiently.

This means bugs and vulnerabilities are addressed at the source and on time, rather than leaving retailers exposed while a supplier whips up a patch, tests it, and finally makes it available. The added benefit is that retailers’ IT teams are freed up to work on high-value projects that help drive competitive advantage, new services and personalisation of the customer experience, rather than being bogged down by maintenance.

Ultimately it comes down to this: vendors of software platforms provide exceptional tools, but it takes more to establish a cyber defence – particularly given the ineffectiveness of patches when compared with the reliability and performance of specialist security offerings.

Daniel Benad is group vice president and regional general manager for Australia and New Zealand & Oceania at Rimini Street.