Lights and Technology
11 May 2023

How Retail Trade Should Prepare for Cyber Threats

Investing in Processes, Training, and Collaboration for Organizational Security

By José Pereira, IT Operations, Cloud & Security Senior Director at Noesis

Retail trade companies face significant challenges in maintaining their competitiveness. In addition to fierce competition, they have to deal with factors that directly affect consumer behavior, such as inflation, fiscal policy, and supply chain issues. In a scenario where profits are already reduced, digital transformation has become a valuable opportunity but also a new cybersecurity threat.

Data from the National Institute of Statistics (INE) and Eurostat show that in 2022, 43% of individuals made online purchases (a 2 percentage point increase over the previous year), highlighting the need for companies to adapt to meet this demand. As a result, organizations are increasingly migrating to the digital world, taking the opportunity to carry out a true digital transformation of their business. This journey is not uniform, however: companies that were unprepared had to adapt quickly to the new scenario, and many are still struggling to implement the cultural and operational changes needed to remain agile. Companies that have overcome organizational and technological silos, on the other hand, are pulling away from the rest and gaining a competitive advantage.

The future of the digital experience in retail trade is characterized by demand for personalized, real-time offerings, business agility, and collaboration among multidisciplinary teams, with the customer as the central element of the strategy. For 2023, several trends will have a significant impact on the sector. One of them is the expansion of the omnichannel journey into new channels and micro-moments. Here data becomes a fundamental element, since it forms the basis of any omnichannel strategy: the more information is gathered, the more effective personalized experiences become.

This scenario makes retail and e-commerce organizations lucrative targets for cyber attacks. Companies large and small become extremely attractive to cybercriminals because they process, store, and maintain confidential customer data, such as financial credentials, usernames, and passwords, that attackers can exploit.

Threat actors employ a variety of methods, ranging from simple social engineering to sophisticated attacks such as DoS/DDoS, ransomware, or credential phishing. Data breaches are another common type of attack that can negatively impact a business. To mitigate these risks, a solid and comprehensive protection strategy is recommended. When a security breach occurs, the disruption and damage can vary widely, but one thing is certain: the effects spread throughout the organization, often with significant operational and financial implications. Building a resilient organization is therefore a necessary objective in the current scenario, but several dimensions of the problem need to be considered.

The first is how organizations respond to a security incident. This is a critical component of a cybersecurity strategy, and before developing it, two preliminary considerations must be made. The first is that responding to a serious security incident is a process that should be trained, simulated, and systematically exercised before an actual attack occurs (much like drills for physical security). The entire process is rehearsed, including governance and chain of command, the different stakeholders, the processes and procedures involved, communication, partner roles, and so on. The second is that the entire process should be formalized and known to everyone, including management and board members.

Contingency Plan

To develop an effective contingency plan and minimize damage in the event of a successful attack, it is crucial first to implement data backup and recovery processes, test them regularly, and document them thoroughly. Second, the contingency process for when critical systems are impacted must be defined, considering different potential impact windows.

Attacked companies are often caught off guard and have no idea how to respond. Since every minute without action can multiply the impact on the organization, both in response and containment and in the recovery of services, it is essential to address the problem in a structured manner.

For governance and chain of command, the structure leading the response must be known to all stakeholders: who is in command at each moment and who has decision-making authority. This includes war rooms and alignment points with the board and senior management, following a well-defined crisis management model.

Communication is another crucial point, especially for medium and large organizations, where it is essential to ensure communication with supervisory and regulatory entities, including those related to data protection, as well as with clients, partners, and other stakeholders.

It is also necessary to operationalize the different work teams. For example, the containment team needs to be ready to identify the nature of the attack, the entry point, and the affected data or systems, and to isolate those systems and devices to limit further spread. Immediate containment measures then need to be initiated, including applying security updates, reconfiguring solutions, or disabling components.

While one team deals with the direct response to the attack and its containment, another team must focus on the procedures for recovering the services affected by the incident, including the use of backup and data recovery solutions, disaster recovery, and complete reconfiguration of architectural components. The service recovery team therefore needs to know the priority order in which services are to be recovered, information that should be structured and documented in advance.

Lastly, the investigation team focuses on forensic analysis: identifying the vulnerability or vulnerabilities at the origin of the incident and gathering evidence related to the attack.

An essential aspect, especially for large-scale attacks, is managing effort and teams efficiently. People are a critical resource throughout the process, and their effort must be managed with the understanding that the response may last several days or weeks. As in war, knowing when a critical resource should stop and be relieved is absolutely vital.

The use of partners or ecosystems should also be considered. Cybersecurity is an ecosystem topic, so we will increasingly see collaboration in this area, including pooling effort and capacity when responding to critical incidents.

One last important point is not to neglect the work that must be done after the incident. A report should be prepared with the main evidence, recommendations for mitigating future incidents, and suggested changes to processes or procedures, including the incident response process itself.

The Role of Technology

Technology is a crucial factor in prevention, but it is not the only one. Companies that have been attacked despite having cutting-edge technology have found that the initial movements of the attack had already been recorded and flagged by their various security solutions. In other words, technology without processes and empowered teams does not improve an organization's security maturity. It is therefore important to invest in training throughout the organization, including specialized cybersecurity teams. A significant share of attacks starts with human error, so helping employees understand their role in security and how their actions can put the company at risk is an investment with guaranteed returns. Security incident response and service recovery simulation exercises must also be performed regularly. These initiatives are not primarily about technology, but they are crucial for improving an organization's cybersecurity maturity.

There are also good practices to adopt, such as ensuring awareness among all employees of the subject, including risks, procedures, policies, and regular training plans. It is also important to have clear data backup policies and perform regular service recovery tests, to conduct audits and penetration tests, and to run a structured vulnerability management and security event monitoring process. Having an incident response plan and conducting simulation exercises are essential.

It is also important to keep systems and software updated with the latest security patches to address known vulnerabilities, to clearly define governance, an access policy, and the corresponding control mechanisms, including privileged access management, and to maintain an inventory of all assets and their associated risks.

Cyber Threats in the National Scenario

The Cybersecurity in Portugal 2022 Report, prepared by the National Cybersecurity Center, analyzes the main cybercrime indicators and incidents recorded in the country during the year. According to the study, threats related to the human factor and vulnerabilities stemming from the pandemic context persist, alongside an increase in other threats such as ransomware and vulnerability exploitation. The number of incidents and cybercrimes follows the global upward trend, and in many cases a return to pre-pandemic levels is not expected. The geopolitical and international strategic context is also expected to influence cyberspace, with manifestations of a hybrid nature, while the pandemic progressively ceases to be the dominant topic in this area.

Cybersecurity should be a constant concern: all companies, regardless of size, are vulnerable to cyber attacks. When attacks do occur, the impact must be kept small so that they do not become incidents of great severity. Risk management should be a structured practice, not an improvised one.

Published (in Portuguese) in MIT Technology Review