Retail therapy

23 March 2020

Steven Kenny looks at the state of retail security and the measures that can be put in place to protect and support an industry under an increasing cyber threat

Cloud technologies have transformed the modern shopping experience for both retail organisations and customers. For customers, the digital transformation of the shopping experience has been empowering, enabling them to make transactions on the move at any time, day or night. For the retailer, cloud has enabled a 24/7 sales cycle, with the fusion of digital and physical through services such as ‘click and collect’. Cloud infrastructure enables levels of speed and accuracy not previously possible with legacy systems. 

Yet although today’s cloud infrastructures are geared up for a frictionless shopping experience, the data that changes hands to make this possible is proving an ever more attractive commodity to cyber criminals. Attacks targeting both online retailers and physical stores are growing in number, with 19 significant retail data breaches reported in the last 12 months. This presents a serious problem for businesses and their customers, and demands urgent action.

Damage to brand, reputation and the customer experience
With a retailer’s ability to operate heavily reliant on the connectivity of the technologies it has deployed, any disruption to operations can cost the business significant amounts of money. The average cost of one minute of downtime caused by a DDoS (Distributed Denial of Service) attack is now estimated at around US$22,000, with an average downtime of 54 minutes.

In addition to the immediate disruption a breach can cause, the damage to the reputation of a business or brand can be long lasting. According to a recent study, 19% of consumers said they would stop shopping at a retailer in the event of a breach, and 33% said they would take a break from shopping with that retailer for an extended period. Even if a retailer is able to recover its assets and restore its systems, regaining customer trust and repairing the brand could prove more costly than the incident itself.

Ensuring full compliance with the GDPR
With GDPR fines from the ICO of up to €20m or 4% of an organisation’s global annual turnover, whichever is higher, the combination of the cost of the breach itself, reputational erosion and crippling fines can be devastating. It is therefore essential that retailers are aware of the steps and procedures they should be following to ensure full data compliance and to protect the integrity of their IT infrastructure.

Ensuring that everyone understands the security implications and knows how to respond effectively in the event of a breach is of the utmost importance. Internally, all teams and departments should have the confidence to raise the alert if a breach is suspected. Externally, companies should look to encourage conversations across the entire supply chain to ensure requirements are effectively met and security risks are adequately addressed.

The GDPR requires that appropriate technical and organisational measures be taken to guard against attack and to protect existing software and systems. Effective cybersecurity lifecycle management of IoT devices, such as network video surveillance cameras, is an example of a preventative strategy that should be put in place: knowing what devices are deployed, keeping their firmware current, replacing factory credentials, segmenting them from business systems and retiring them when the vendor stops supporting them. Mitigating risk, and ultimately maintaining customer trust, depends on establishing a genuinely secure retail solution, which is only possible if security has been considered at every stage of design, deployment and operation.
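As an added illustration of what lifecycle management of connected devices looks like in practice (example code written for this page, not Axis’ or any vendor’s tooling), the check below runs a small set of policy rules over a device inventory. The inventory, the model names, the firmware versions and the policy thresholds are all constructed for the example; the rules it applies are the ones named above: factory credentials, network segmentation, minimum and maximum firmware age, vendor end of support, and devices that have gone quiet and may need decommissioning.

```python
"""Lifecycle-policy audit for networked IoT devices such as surveillance cameras.

Added example. The inventory, model names and thresholds below are assumptions
constructed for illustration; they are not data from the article or a vendor.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    hostname: str
    model: str
    firmware: str                      # dotted version string, e.g. "9.80.3"
    firmware_date: date                # release date of the installed firmware
    end_of_support: Optional[date]     # vendor support end for the model, if known
    vlan: str                          # network segment the device sits on
    default_password: bool             # True if factory credentials are still set
    last_seen: date                    # last time the device answered on the network


@dataclass
class Policy:
    today: date
    max_firmware_age_days: int = 365
    # model -> minimum acceptable firmware version (assumed values)
    min_firmware: Dict[str, Tuple[int, ...]] = field(default_factory=dict)
    allowed_vlans: frozenset = frozenset({"surveillance"})
    stale_after_days: int = 30


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "9.80.3" into (9, 80, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_device(dev: Device, pol: Policy) -> List[str]:
    """Return a list of human-readable policy findings for one device (empty if compliant)."""
    findings: List[str] = []
    if dev.default_password:
        findings.append("factory credentials still in use")
    if dev.vlan not in pol.allowed_vlans:
        findings.append(f"on VLAN '{dev.vlan}', expected one of {sorted(pol.allowed_vlans)}")
    min_ver = pol.min_firmware.get(dev.model)
    if min_ver is not None and parse_version(dev.firmware) < min_ver:
        findings.append(f"firmware {dev.firmware} below minimum {'.'.join(map(str, min_ver))}")
    firmware_age = (pol.today - dev.firmware_date).days
    if firmware_age > pol.max_firmware_age_days:
        findings.append(f"firmware is {firmware_age} days old (limit {pol.max_firmware_age_days})")
    if dev.end_of_support is not None and dev.end_of_support < pol.today:
        findings.append(f"model out of vendor support since {dev.end_of_support.isoformat()}")
    if (pol.today - dev.last_seen).days > pol.stale_after_days:
        findings.append("not seen on the network recently; confirm it has been decommissioned")
    return findings


def audit(devices: List[Device], pol: Policy) -> Dict[str, List[str]]:
    """Map hostname -> findings, including only devices that have at least one finding."""
    return {d.hostname: f for d in devices if (f := check_device(d, pol))}


def sample_inventory() -> List[Device]:
    """Constructed inventory: one compliant camera, one badly configured, one end-of-life."""
    return [
        Device("cam-entrance-01", "CAM-A", "9.80.3", date(2020, 1, 15), None,
               "surveillance", False, date(2020, 3, 22)),
        Device("cam-stockroom-02", "CAM-A", "8.40.1", date(2018, 6, 1), None,
               "corp", True, date(2020, 3, 22)),
        Device("cam-legacy-03", "CAM-OLD", "5.60.1", date(2015, 3, 1), date(2019, 12, 31),
               "surveillance", False, date(2020, 1, 10)),
    ]


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed inventory against an assumed policy as of 23 March 2020."""
    policy = Policy(today=date(2020, 3, 23), min_firmware={"CAM-A": (9, 80, 0)})
    return audit(sample_inventory(), policy)


if __name__ == "__main__":
    for host, issues in run_sample().items():
        print(host)
        for issue in issues:
            print(f"  - {issue}")
```

In a real deployment the inventory would come from the video management system or a network scan rather than a hard-coded list, and the thresholds would be set by the retailer’s own policy; the point of the example is that each of the lifecycle concerns is a concrete, checkable condition rather than a statement of intent.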

The evolution of physical security
For protection of the physical retail environment, the move away from legacy security solutions such as traditional CCTV, which typically sat outside of a company’s IT operation, to the modern cloud-enabled security technologies we see today, allows retailers to unlock a wealth of business benefits previously impossible with analogue technologies. Today’s systems provide far greater accuracy of detection, vastly improved image quality, even in low light, and an array of business intelligence options to aid operations, such as people counting, queue monitoring and stock control. 

The ability to generate live security alerts as well as forensic evidence for later analysis allows security teams to be proactive rather than reactive. In addition, the growing use of edge capabilities to process data within the cameras themselves removes the latency and bandwidth cost of continually streaming surveillance data to and from servers, streamlining operations.

System vulnerabilities mean vulnerable data

Yet introducing physical security technologies comes with its own risks. A user is potentially at the mercy of the companies they choose to work with and the technologies those companies deploy across the business. It is not inconceivable that the security companies tasked with protecting a retail business could themselves become the cause of a cybersecurity breach, with the resulting loss of data, fines and damage to the brand.

It is therefore imperative that any technologies installed offer high levels of security to keep people, assets and the brand safe, and that vendors can offer evidence of their reliability. Every connected device represents a possible point of entry for cyber criminals, and as regulators struggle to keep up with the explosion of IoT devices, retailers need to consider carefully who they choose to partner with to deliver their security solutions and services, and the integrity of the technologies involved.

Investing in secure systems for maximum protection 

To guard against the possibility of network cameras, or other connected IoT devices, being compromised, it is vital that these technologies are built from the ground up with cybersecurity considerations at the forefront. Unsecured devices that are not manufactured in accordance with these principles can easily be used as a backdoor into a business’s network and its data.

Vendors that have been awarded Secure by Default accreditation, a scheme run by the Surveillance Camera Commissioner (SCC), have the credentials to show that their technologies are built in accordance with appropriate cybersecurity principles. Secure by Default provides assurance that a holistic approach has been taken to solving security problems at the root cause rather than treating the symptoms, acting at scale to reduce the overall harm to a system. It covers the long-term technical effort to establish that the right security primitives are built into software and hardware.

In addition, Secured by Design, a stamp of approval from the Police Crime Prevention Initiative (PCPI), and Cyber Essentials Plus, a certification scheme backed by the National Cyber Security Centre and assessed by accredited certification bodies, offer further evidence of a manufacturer’s security credentials: that its products are designed, and its own organisation run, in accordance with current regulations and best practice. The promise of the IoT, and the ability of connected devices to offer dependable protection, should not be undermined by weaknesses in the physical security systems themselves.

Third party assurance

There is a long history of attacks that target third-party companies in order to reach the first party’s data. Two of the largest retail data breaches were the result of attacks through third parties. Outages at suppliers can cause major business interruptions, with the compromise of a single shipping or transportation company potentially causing major logistics headaches, especially during peak shopping seasons.

Retailers need to gain an accurate, continuous view of their third parties’ cybersecurity performance. It is crucial that third parties understand and acknowledge the associated risks, can demonstrate a mature cybersecurity approach with an understanding of relevant processes and tools, and are familiar with current regulations and legislation.

Effective supply chain management: an ongoing challenge
Forging and maintaining relationships with stakeholders is key to establishing a healthy supply chain built on mutual trust and respect. Only through such an approach can the integrity of systems be properly assured, with trusted vendors and installers working together to ensure that ethical practices are followed and cybersecurity principles adhered to. Due diligence should be carried out to make sure that all stakeholders involved in the manufacture, supply and installation of security software and systems understand the importance of keeping security best practice at the forefront of everything they do.

Effective security of networks, devices and ultimately premises, data and people requires active participation from the entire supply chain, working together to educate and empower the retail organisation. Everyone needs to be on board when it comes to developing a security strategy that delivers on all of the security requirements of the business, while ensuring the cybersecurity of software, systems and connected devices.

Retailers must be able to rely on technologies that support their operational requirements and address the associated risks while also supporting their IT security policies. The cybersecurity of IoT devices, and the deployment of high-quality products and services, are key to effective mitigation of the cyber threat, delivering better protection for the business and its customers and resulting in a smarter, safer world for all.

Download Axis’ whitepaper - Cyber security: the biggest threat to retail

Steven Kenny is industry liaison, architecture & engineering at Axis Communications. For more information, visit: