Is Your Retail Organization Ready for a Cyberattack?

Few retailers would admit that they're not prepared for a cyber security attack, yet their actions tell a different story.

As the march towards e-commerce continues, jumping 11.5 percent in 2017 alone, retailers are increasingly vulnerable to cyberattacks. According to a new survey conducted by The Risk Institute at The Ohio State University Fisher College of Business, 33 percent of participants rate their cybersecurity risk as “extremely high,” and a full 28 percent reported being an actual victim of a cyberattack.

Dedicated to uncovering a realistic assessment of the ever-changing climate of risk and helping companies prepare an effective defense, The Risk Institute conducted The Fourth Annual Survey (Spring 2018) to poll organizations on the specific challenges they face, and what's being done to address them. This year’s survey indicates that while investment in risk management has shown a steady increase over the past three years, the growth of the risk management function has been shrinking at about the same rate. It appears that firms recognize the need to invest in risk mitigation, especially cyber risk mitigation, yet fail to invest in qualified personnel.

Cyber security is an issue that should be of special interest to retailers as the shift to e-commerce continues unabated. Commensurate with this growth is the threat posed by cyber criminals, especially during the peak holiday season. The National Retail Federation has reported growth in holiday spending every year since 2009. Now approaching $140 billion annually, online sales present an enormous opportunity for hackers.

Aside from "traditional" attempts to gain access to consumer data, extortionist groups can also take down retail websites at peak traffic in an attempt to extract a ransom or order to restore functionality. Other emerging threats include "Pulse-Wave" attacks, which, unlike typical attacks that utilize a network of bots that take time to organize, leverage botnets that continually attack an ever-changing range of targets. Even climate change presents new opportunities for cyber thieves, with hurricanes serving as a backdrop for fraudulent claims of nondelivery at a time when retailers are especially sensitive about customer service.

So what can retailers do to prepare themselves? The Risk Institute’s research indicates that 60 percent of risk managers believe that artificial intelligence (AI) will play a key role in the future of risk mitigation. Algorithms inherent in AI are able to analyze trends in near real time, and can quickly identify outliers in increasingly large datasets. While AI offers unparalleled speed and scalability, it still must pair with human personnel capable of providing an accurate context in which it can most effectively operate.

Adding to the complexity is the emergence of cloud-based platforms. While certainly appropriate for any number of applications, organizations can (understandably) experience trepidation about trusting outside entities with their sensitive information. An increasing trend is for firms to outsource at least part of their risk function, and while it’s encouraging that firms are taking steps to mitigate risk, does outsourcing security introduce a new dimension of risk for retailers?

The number of appropriate paths of risk mitigation will be parallel to the number of firms that take it seriously. As the frequency and complexity of attacks continue to escalate, so must retailers’ efforts to mitigate them.

Are you ready?

Phil Renaud is the executive director of The Risk Institute, a risk research center located at the intersection of academia and application.