The wave of border restrictions and lockdowns that swept across Australia in 2020 led to a collective shift in the country’s shopping habits. Since the pandemic started, online shopping went from being a convenience to becoming a necessity almost overnight.

This shift in shopping habits resulted in a surge of well over $1 billion in total online retail sales revenue in the space of the few short months between January 2020 and May of that year, according to the Australian Bureau of Statistics (ABS).

Although the initial rapid rise of online retail spend by consumers has since levelled out, it remains dramatically higher than pre-COVID figures. The swift growth and continued popularity of online retail sales have been made possible by the rapid digitalisation of the sales process among retailers across the country.

When customers could no longer visit the four walls of a brick-and-mortar storefront in person, many retail businesses quickly established e-commerce channels. Now, two years after that initial switch to online sales, retailers continue to benefit from their e-commerce presence, with consumer behaviour looking to be forever changed by lockdown conditions.

The rapid wave of digitalisation throughout the retail industry has also provided small businesses with a low barrier to entry for commerce and access to a wider pool of customers, while creating various jobs across the ecosystem, from logistics and delivery to fulfilment specialists.

Underpinning this e-commerce boom has been retail merchants’ willingness to implement innovative digital tools, ranging from new payment methods to automated customer service solutions, as they look to maintain customer service standards in the digital marketplace.

But this digitalisation has been a double-edged sword. Online retail platforms are attractive targets to cybercriminals. The retail trade sector made up 4 per cent of all cyber security incidents reported to the Australian Cyber Security Centre (ACSC) in the 2020-21 financial year, according to the federal government cyber agency’s Annual Cyber Threat Report for that period.

Moreover, small businesses across all sectors made a higher number of cybercrime reports than in the previous financial year, while medium-sized businesses had the highest average financial loss per cybercrime report in FY20-21, according to the ACSC.

From stealing credit card details directly to making illegal purchases, or putting up personal information for sale on the dark web, cybercriminals have many avenues to exploit potentially valuable data from retailers and their customers.

As the retail digital ecosystem continues to expand, businesses are likely to add more third parties into the purchasing ecosystem – from suppliers to vendors and service providers – which would inevitably expand the threat surface and provide cybercriminals with more avenues to exploit valuable data.

The multi-faceted threat landscape

The uptake of Internet of Things (IoT) devices across many parts of the supply chain has been a key enabler of the digitalisation of online retail. IoT solutions such as radio-frequency identification (RFID) technology are streamlining the customer journey and providing an integrated shopping experience, online and offline. But despite the convenience such solutions bring, business leaders have to acknowledge that IoT is a business necessity that introduces risk and opens up opportunities for cybercriminals to leverage IoT devices as entry points into the network.

In addition to IoT solutions, retailers are expanding their capabilities in Wi-Fi connectivity, interactive systems and next-generation point-of-sale (POS) systems to improve the customer experience. With these changes, the traditional network architecture will not be sufficient to keep these new technologies up and running. Businesses will have to explore new cybersecurity solutions to ensure a smooth digital transformation and guard against attacks launched by opportunistic attackers and hacktivists.

According to ReportCyber, the ACSC’s portal for cybercrime reporting, the average cost of a cyber attack on a small business in Australia is $9,000, while for medium-sized businesses, it is $33,000. In an extremely competitive space like the retail sector, such a hit can be extremely detrimental to a business.

Given the risks, it’s important for online retailers to strengthen their digital foundations. This will enable them to trade with greater confidence and gear up for post-pandemic growth.

Here are some key steps retail players can take to strengthen their cybersecurity posture:

Prioritise consumer safety and education

As noted by the federal government’s Department of Industry, Science, Energy and Resources, it is vital that Australian businesses keep customer information safe. To do this, it is recommended that businesses invest in and provide a secure online environment for transactions. It is also recommended that they secure any personal customer information that they store.

At the same time, as businesses speed ahead in their digital transformation journeys, they will need to bridge the gap between digital consumption and digital literacy among consumers. Businesses should endeavour to guide customers towards becoming more vigilant and educating themselves on the latest iterations of e-commerce scam types.

Within Australia, high-profile scams have targeted the vulnerabilities of the consumer. For example, cybercriminals have added ‘smishing’ into their arsenal of tools and exploited consumers’ trust in their bank provider to scam unsuspecting victims.

Build smarter IoT security

With more devices connected today than ever before, adversaries have more avenues to access and exploit sensitive business data. In an environment where cybercriminals are getting more creative by the day, retailers will need a security solution modelled after a prevention-first approach, rather than an “alert-only” one. By doing so, businesses can gain complete visibility of all connected devices and eliminate the risk of managed and unmanaged devices across retail stores, warehouses and distribution centres. 

Adopt the principle of “never trust, always verify”

The concept of Zero Trust continues to ring true more than ever today. Zero Trust is a strategic approach to cybersecurity that secures an organisation by eliminating implicit trust and continuously validating every stage of a digital interaction. Guided by this principle, businesses can establish rapid response capabilities to quickly address the early signs of a breach. 

This is especially crucial for online retailers since they work closely with many third-party vendors in every stage of the journey, from payment vendors to delivery and fulfilment partners. With more parties involved, this inevitably expands the attack surface, providing more potential vulnerabilities for cybercriminals to exploit. Where third-party payment service providers are involved, retailers will need to ensure that every step of the consumer journey is secured and prevent potential breaches.

Setting up a Zero Trust architecture can mitigate these risks by ensuring continuous validation for digital interactions that happen across the supply chain. Retailers must no longer adopt an “Allow and Ignore” model where once an entity is authenticated, they’re free to do what they like. Users, services and devices inside the network or cloud must be constantly monitored for anomalous activities.

Retail business leaders cannot ignore the importance of cybersecurity in the evolving threat landscape, with many millions of Australians relying on the sector for essentials and other items every day. Creating a safe environment for online shopping and digital transactions takes a collaborative effort from both e-commerce players and customers, and all parties will have to act swiftly to safeguard what matters.

Alex Nehmy is director of industry 4.0 Asia Pacific for Palo Alto Networks.