The impressive recent growth trajectory we've seen in the e-commerce market continues to move up and to the right. According to Statista, the global e-commerce market is projected to maintain an annual growth rate of 9.49 percent in the coming years, with 3.6 billion purchases expected to account for $6.48 trillion come 2029.
Unfortunately, this explosion in online activity comes with several challenges. Indeed, as e-commerce grows, so do the efforts of cyber attackers seeking to capitalize on expanding opportunities.
Retail companies are particularly vulnerable to such threats given their extensive customer and transaction data and increasingly digital operations, with several recent incidents underscoring the seriousness of the threat.
Just last year, Ace Hardware suffered a severe cyberattack that compromised 196 company servers and over 1,000 devices, causing widespread disruptions across its 5,600 stores worldwide. The attack not only delayed shipments and deliveries but also impeded the company's ability to process online orders, significantly affecting its operations.
Then, in late 2023, VF Corporation — the parent company of brands like Timberland, Dickies, The North Face, and Vans — also suffered a cyberattack that disrupted operations and hindered order fulfilment. Here, investigations revealed that the personally identifiable information (PII) of approximately 35 million individuals was compromised, and the effects of the attack were still being felt more than a month later.
Such headlines highlight the urgent need for retailers to adopt more rigorous security measures to protect themselves and satisfy their customers.
Interestingly, a recent survey found that customer demand for robust security and compliance, cited by 43 percent of respondents, is a significant motivator behind increased investment in security measures among retailers. However, many firms have struggled to meet the necessary standards despite this.
Critically, the same report indicates that roughly one-third of retailers view compliance with regulations and industry standards as their biggest information security challenge, despite nearly 43 percent boosting their compliance-related investments by up to 25 percent.
The Challenge of Evolving Compliance Demands
This is no coincidence. As the cyber threats facing retailers continue to ramp up, so do the requirements associated with security compliance regulations.
Take the Payment Card Industry Data Security Standard (PCI DSS) as an example. Retailers that accept major credit cards or process electronic payments must adhere to PCI DSS, a set of technical and policy controls designed to protect sensitive cardholder information and transaction data.
In recent times, these compliance requirements have tightened. Specifically, the standards transitioned from version 3.2.1 to version 4.0 in March 2022, with full compliance required by March 2025. This update emphasizes continuous security and improved payment validation, with some of the key changes including:
- Enhanced emphasis on security as an ongoing process.
- Multifactor authentication and zero-trust architecture requirements for service providers.
- Updated software development requirements, including secure coding practices, automated vulnerability scanning and penetration testing.
- Stricter password management rules, including using passphrases and banning specific weak passwords.
- Promotion of systematic and effective encryption, including support for quantum-safe cryptography.
Looking at PCI DSS, it is easy to see why many retailers view compliance with regulations and industry standards as their biggest information security challenge. Increasingly strict controls are putting pressure on firms, demanding more time and preparation to ensure compliance.
Making the Most of Your Investments With ISO 27001
Despite the difficulties retailers face, the survey also shows that compliance investments do pay dividends. Critically, one-third of retailers note that the best information security-related return on investment they have achieved in the past 12 months is related to compliance investments.
The need for compliance is clear, as is its value. So, what concrete steps can retailers take to ensure their compliance investments are effective and not wasted?
Retailers should look towards the ISO 27001 framework for guidance in systematically enhancing their security management practices.
ISO 27001 offers a structured approach to protecting information assets. By following this pathway, retailers will be well positioned to more effectively address customer demands for robust security and compliance, safeguard their reputation, protect customer data, and effectively counter new cyber threats.
Today, this must take priority. Cybersecurity is not just a cost or a technology issue, but a cornerstone of any successful modern retail strategy.
Retailers must implement robust security controls, achieve standards like ISO 27001, and adopt an integrated approach to compliance. Furthermore, cyber resilience should be an ongoing process, not a one-time project. As threats and regulations evolve, so must defenses.
By prioritizing information security in boardroom discussions and allocating adequate resources, retailers can enhance security, build trust, and mitigate significant financial, reputational and legal risks.
Sam Peters is the chief product officer at ISMS.online, an auditor-approved compliance platform.