With the transitions in and out of lockdowns, and the shift towards hybrid working, Australians are doing more online shopping from home than ever before. Whether to avoid panic buying, to stay isolated, or simply to browse, shoppers have moved online, and e-commerce experienced a 41 per cent increase year on year.

E-commerce has become a focal point of Australia’s economy, and cybercriminals know it. Australia’s Digital Trust Report 2020 revealed a month-long cyber outage could cost the Australian economy $30 billion, with the retail sector and e-commerce being among the worst hit.

Thus, it is critical for retailers to develop strong cyber skills and implement cybersecurity best practices to combat opportunistic ransomware and phishing attacks.

With many retailers hiring young and inexperienced staff, it’s essential that retailers evaluate those employees’ cybersecurity skills and understanding.

Identifying human risks and key behaviours

Some reports have found that early work experiences help young people ‘learn to work’. Because of this, retail leaders must ensure employees are equipped with the knowledge and skills to identify cyber-attacks and potential cyber risks.

According to the Australian Cyber Security Centre, employees who are unaware of their organisation’s supply chain increase the risk of poor security practices. As retail supply chains are transformed by growing consumer demand for e-commerce, implementing cybersecurity training programs is more crucial than ever before.

Surprisingly, many organisations skip the step of identifying the risks that matter most to them, which can be an indication of an immature security awareness program. The SANS Maturity Model Indicators Matrix defines compliance-focused programs as those intended to meet specific audit requirements, with limited cyber training offered, or training provided only on an ad-hoc basis.

To ensure their awareness programs mitigate the right cyber risks that humans introduce to their businesses, retailers should start with a risk assessment that defines the key tasks involving people and their IT or e-commerce infrastructure.

To assess cyber risks effectively, retailers should use data, such as past cybersecurity incidents or breaches, cyber threat intelligence about the current landscape for their industry, and previous human errors that involved the business’s IT systems, to decide which risks their security awareness programs should try to mitigate.

However, a common challenge with any type of risk assessment is getting the basics right. Retailers should be asking themselves: Who is handling their most sensitive data, and how? By having employees and suppliers complete data management surveys, retailers can answer those two questions and identify which data-handling methods are the riskiest.

This data can inform retailers’ HR teams of what types of security training to deploy. Additionally, risk assessment reports can prompt retailers to reassess who needs further training and who doesn’t, ultimately reducing the cost of unneeded training.

Implementing security training into staff development programs

Once retailers identify their cyber risks that involve human behaviour, it’s important to educate and empower employees to protect the business against cyber threats.

These are the top four lessons retailers should be focusing on within their security awareness programs:

  1. Social engineering – This type of cyberattack, along with business email compromise (BEC), is one of the most common methods used by cybercriminals. Organisations’ HR teams should be training their employees to identify and report phishing attacks.
  2. Limit access – In the unfortunate event of a breach, limiting the potential exposure of data or of the business’s network can help reduce the risk to an organisation. This is done by restricting both the level of permissions a user has and the quantity of data they can access. Standard users should not have any type of elevated permissions on a system, and they should only be able to access the data they need to directly perform their role. Where access to sensitive data can’t be limited, actively monitor it with data loss prevention (DLP) systems.
  3. Strong authentication – Not only is it important to have a strong password, but the use of multi-factor authentication further prevents a cybercriminal from accessing sensitive systems and data.
  4. Patching – Outdated systems and applications present vulnerabilities. It’s critical to regularly update systems and applications, as updates patch known vulnerabilities. Employees should enable automatic updates to ensure everyone is working on the most current operating system and applications.

Josh Lemon is a certified instructor at SANS Institute and managing director, digital forensics and incident response at Ankura.