Retailers increase cyber security spending, but attacks continue to rise

The UK’s biggest retailers are spending more than ever on cyber security but are continuing to see an alarming rise in cyber attacks and data breaches due to the ever-evolving threat landscape, a report has found.

According to The British Retail Consortium’s 2019 Retail Crime Survey, large organisations invested £162 million in cyber defences in the 2017–18 financial year, an increase of 17% on 2017.

However, nearly 80% of respondents said the number of attacks and/or breaches grew in that time.

What are the biggest threats?

Retailers are vulnerable to a broad range of attacks because they process large volumes of customer data, including payment card information.

It therefore shouldn’t be a surprise that Trustwave’s 2018 Global Security Report found that the retail sector was the single biggest industry for cyber crime, with 17% of all attacks.

Almost all of those instances occurred in e-commerce environments, including web-server infrastructures dedicated to websites that process payment information and other personal details.

There was one surprise in the report’s findings: Trustwave discovered that crooks have been focusing less on stealing payment card data in favour of other forms of attack, such as ransomware and theft against website owners.

In some of the cases that Trustwave investigated, attackers breached a system that contained payment card information, but were content to simply plant malware and leave the data.

There are a couple of reasons they might do this. First, they could be going after a big score, in which case financial information loses a lot of its appeal. Financial fraud is labour intensive, as account access needs to be converted into an asset and subsequently laundered – something that a crook would have the wherewithal to do a handful of times, but probably not hundreds or thousands of times.

Alternatively, crooks might be wary of stealing information because it could raise the alarm, which might reveal the malware.

Are retailers investing wisely?

It would be easy to conclude from the current state of cyber security in the retail sector that the extra cyber security spending was poorly invested. But that doesn’t reflect how hard it is to stay safe in the modern threat landscape.

The number of attacks increases every year, as crooks are lured by countless success stories of cyber crime, the low cost of investment to launch an attack and the infinitesimal prospect of being apprehended.

Meanwhile, organisations are transitioning ever more into digital systems and processes, creating a vast net of vulnerabilities that requires substantial investment to secure.

As such, a 17% increase in spending might sound like a lot, but it’s impossible to know whether that’s a fair reflection of the increased demand for cyber defences.

Even if you say that it is, it’s equally impossible to say whether the money was well spent. After all, cyber crime might continue to thrive because the new systems, processes or technologies don’t address the real problem, which could be anything from a lack of staff awareness to design flaws in system architecture.

On the other hand, an increase in attacks doesn’t necessarily correlate to the effectiveness of certain organisations’ defences at all; it just means they are a more popular target.

We’d be inclined to suggest that without the £162 million investment, retailers would have lost even more through cyber crime. In that regard, you can consider it money well spent, but investment must continue to increase if retailers want to turn the tide on cyber crime.

Where can you start?

The first step to cyber security is assessing your current situation and identifying your top priorities. You can be sure you’re doing that quickly and effectively with the help of our cyber resilience services.

Begin with our self-assessment, in which we ask you a series of questions about your organisation and identify the vulnerabilities that you must address. It takes only five minutes to complete, and you’ll get expert advice tailored to your organisation.

You can learn more about remedying your vulnerabilities by reading Managing Cyber Risk – Transform your security with cyber resilience. This free guide explains how cyber resilience works and how to implement the IT Governance Cyber Resilience Framework.