Retail security is in the news again as the British Retail Consortium (BRC) reports that crime in this sector has reached a 10-year high. This reporting appears to indicate that crime accounts for almost 0.2% of the total sector turnover.
As reported by the BBC, this includes the possibly obvious activities such as shoplifting, but also some more high-tech twists, as cyber crime and internet fraud are now being included.
The summary of this is that crime, in general, presents a fairly significant risk for any retail business, even though the sector itself is quite large:
(source: BBC News)
Crime cost the UK retail industry £603m in the 2013-14 financial year, 18% higher than the previous 12 months, according to new research.
This is the highest level of crime in the retail sector reported since the BRC began keeping records in 2003. For some retailers, especially within the small to medium business sector, the losses incurred by criminal activities outweigh any other operating costs, and for every asset stolen the business owner not only loses a sale, but must pay to replace the loss.
For most retailers, crime in this sector is assumed to be mostly shoplifting with jewellers and electronics stores also facing the risk of more obvious robberies.
However, the BRC report also shows that online activity presents a very significant issue for UK retailers and, combined with fraud, this criminal activity has more than made up for a reduction in the traditional methods: (Again, from the BBC News item, emphasis mine)
- customer theft made up the bulk of the criminal activity, accounting for 81% of all incidents
- retailers reported a total of 135,814 incidents of fraud, up 12% on the previous financial year
- there were five robberies per 100 stores in 2013-14, a 29% decrease but the cost per robbery fell only marginally, from £1,316 per incident in 2012-13 to £1,280 per incident in 2013-14
It seems that for every robbery or burglary, there are over 100 fraud cases, driven by online / cyber criminals attacking the business.
This is captured in the Report itself with the following bullet point:
Retailers reported that cyber attacks pose a critical threat to their business.
Retail sector and Cybercrime
It shouldn’t come as a surprise that, as more of the retail sector moves online, so do the criminals targeting this sector. The BRC British Retail Crime report contains this statement:
The majority of retailers reported an increase in cyber attacks in 2013-14 and that they pose a critical threat to their business. These ranged from Denial-of-Service attacks to data theft.
The benefits from being online are significant – from direct engagement with customers to rationalisation of supply chains – so there is genuine value for all retailers to have some sort of presence.
However, as with all business decisions, this needs to be done with a clear understanding of the security risks and what sensible measures should be taken to minimise them. No retail organisation would open a store in a new area without doing at least some research but it seems the rush to get online bypasses this common sense approach.
In 2013-2014, the biggest cyber risks to the retail sector came from online fraud, largely credit and debit card fraud. However, the report also captures the growing trend towards more asymmetric cyber attacks such as denial of service, data theft and ransomware.
Although no major UK retailer has hit the news, in the US cyber attacks in the retail sector have produced massive headlines with Target, Home Depot and many other large chains falling victim.
Unfortunately for most smaller organisations, the internet is a great equaliser. It gives retailers the opportunity to sell their products with the same impact as the big chains.
However, this means you face the same risks as the big chains, so can you afford the same security?
Retail cyber security – key risks
- Cyber fraud. Criminals will make fake orders, use fake payment cards and employ many more malicious tricks to get you to give them things for free. This can be harder to spot than real-world fraud, so you need to be on your guard.
- Customer data. If you collect customer information, such as name and home address, you need to make sure you properly protect it or you could be fined under the Data Protection Act 1998 (with up to £500,000 in fines for a breach).
- Credit / debit card data. If you process this yourself, you need to make sure it can't be breached, and don't forget this is very, very high-value information for hackers.
- Cyber vandals. Sometimes you will fall foul of “script kiddies” and other low-level miscreants. This is likely to lead to website defacements or denial of service attacks. Even though these seem trivial, they can become very costly to deal with and cause your business a lot of damage.
- Competitors. Still rare in the UK, but the internet gives greater scope, especially in more competitive retail markets, for hard to detect and hard to prosecute corporate espionage.
- Customers. Last but not least, there are always risks around what your customers do when they are on your websites or in your retail stores. For lots of businesses it makes sense to offer customers things like free WiFi access, but you need to make sure you have considered the implications, such as a customer using the free WiFi to commit criminal acts. In 2009, for example, a UK pub was fined £8k for allowing a customer to commit a copyright breach.
Retail cyber security – what to do
There is no magic bullet, one-size-fits-all solution for cyber security, in the retail sector or elsewhere. If anyone claims they can provide this, it is likely to be a scam.
Cyber security is fundamentally the same as the rest of your security. It is about understanding the risks and taking the correct measures to minimise them.
Don’t be put off using the internet for your business. Yes, there are risks, but there are lots of benefits and lots of ways you can protect yourself.
Some things to consider include:
- Email filtering
- Patch management
- Proxy servers for all internet traffic
- Network filtering and acceptable use banners for guest/customer services
- Robust business continuity planning
- Encryption of all sensitive data
- Outsourcing payment card processing
- Good physical security
- Penetration testing for all online applications
No article or blog post is ever going to compensate for detailed, specific, expert advice, so please make sure you seek out a specialist to confirm that what you are doing is sensible and effective.