What Happens When a Growing Retailer Gets Breached? Assessing the True Costs of Cyber Attacks

It’s hard to ignore the news. Across industries, cyber attacks are increasing not only in volume and frequency, but also complexity. And to be sure, the biggest stories are always about the biggest brands — but for all the attention they get, they tend to recover relatively quickly. So let’s talk about the smaller retailers, because the data shows that they're getting hit by cyber criminals at levels on par with retail’s biggest names, in terms of both attack volume and sophistication.

Small and midsized retailers have seen a significant spike in cyber attacks, with the number increasing more than 130 percent since January 2020. Meanwhile, newer, more targeted and more damaging attacks are quickly becoming the standard, with the number of insider threats doubling over the course of 2021, and customized attacks expanding four times. Every business of every size is now a target, and thus it’s important to consider what happens when a growing retailer gets breached. Unfortunately, the true cost manifests in several ways.

Direct Monetary Loss

Online and brick-and-mortar retailers suffer downtime as a result of cyber attacks, leading to immediate monetary impact. Every minute a site is down or the cash register can’t process payments takes a financial toll. From a ransomware perspective, locking up data for ransom has two direct financial implications: the cost of the ransom itself, and the downtime associated with the lockup. Meanwhile, theft is also an issue, as stealing money is easier than stealing goods. Whether it's through phishing or account takeover, attackers divert funds from retailers to accounts they control.

Regulatory Penalties and Potential Legal Fees

From a regulatory standpoint, in cases where customer data is stolen, the breached retailer by law must inform its customers of the breach. This can lead to immense costs. For context, 300,000 online customers breached x $1 per notification adds up to quite a significant amount of money. Some jurisdictions will also impose a financial penalty in cases of customer data leakage. For example, California’s Consumer Privacy Act (CCPA) stipulates that the Attorney General can impose a $2,500-$7,500 fine for each violation. If there was an ongoing attack in which multiple data sets were stolen, it would lead to massive fines.

Retailers can also be sued after an attack that leads to data leakage. Legal fees and potential financial damages ruled in favor of plaintiffs can be devastatingly expensive.

Retention and Brand Reputation

And, of course, there are the customers. Customer retention is also impacted significantly after a successful cyber attack. Once a retailer notifies customers of a breach, previously loyal buyers may choose to shop with competitors, and overall customer willingness to use credit cards will decline. Both have massive financial implications for the retailer. Related to this is the reputational impact: once an attack is public, a retailer will face reputational damage, which, while difficult to directly measure, has a serious financial impact nonetheless.

That said, there are paths retailers can take to make sure growing businesses stay one step ahead of cyber criminals. Every retailer needs a clear cybersecurity strategy — and what worked last year may simply not be enough for the way the cyber world runs now. Email malware software alone is no longer sufficient, nor is any solution that doesn’t cover all potential attack entry points. It’s time for small and midsized retailers to make comprehensive cybersecurity top of mind and take advantage of the industry’s latest innovations in automation, artificial intelligence and machine learning to implement cyber protection tools that will make real protection both seamless and accessible.

Guy Moskowitz is the CEO of Coro, all-in-one cyber protection platform.