One of the reasons why cybercriminals take an interest in the retail sector is due to the level of customer data collected, particularly through ecommerce and online shopping platforms.

We hear of the big companies being attacked in the press but not the small retailers – but they are attacked and are often more vulnerable than the larger organisations which probably have a team focused on cyber security.

At the Cyber Resilience Centre for Wales (WCRC) we have spoken to businesses across Wales which have suffered from cyberattacks and seen first-hand that no retailer is too small or large to fall victim to cybercrime. It really doesn’t matter whether you have 10 customers or 10,000, the information you retain on them is still of huge value to cybercriminals.

Why retail and ecommerce businesses are attractive targets

Recent research by PwC on its client base revealed that cyber-attacks on retail clients had increased by over 30%, demonstrating that the retail and ecommerce industry is of interest to cybercriminals.

Within only a few months, the pandemic accelerated the shift to ecommerce/online stores by five years, meaning there is now more public and private data stored in the cloud than ever before.

From March 2019 to March 2021, there was an 8% increase in the opening of retail businesses. And, with 98% of UK businesses now operational online in one way or another, benefiting hugely from the use of websites, social media, online banking, and the ability for customers to shop online, it’s no surprise that cybercrime is on the up.

The retail sector has had a really tough time over the last 18 months but a successful cyberattack will result in a disruption to operations and can have a significant impact on a retailer’s ability to trade. Research suggests that over half of employees working in retail don’t understand the cyber security implications of poor password hygiene highlighting just how critical it is to improve cyber security awareness in this sector.

The Hiscox Cyber Readiness Report 2021 suggests that one in six businesses hit with a cyber event reported it threatened the viability of their business. A report compiled by Keeper Security - the ’2021 Cybersecurity Census Report’ - focuses on the experience of the UK retail sector, revealing that companies experienced 44 cyberattacks in the last 12 months - roughly one every 8 days.

In light of this, three-quarters (77 per cent) of retailers believe that the number of cyberattacks they are faced with will only increase in the next 12 months and, with that, bring increased disruption to the entire retail ecosystem.

Type of attacks retail and ecommerce businesses face

Ransomware is the main threat to Welsh businesses. This is a type of malware that encrypts data on your computer, making it unusable. The cybercriminal then demands the payment of a ransom to decrypt the data. This data could relate to customers, invoices, point of sale or operating systems.

The annual review published by The National Cyber Security Centre (NCSC), the UK’s technical authority for cyber security, reveals the onslaught of ransomware attacks shows no sign of easing in the future. In the first four months of 2021 alone, the NCSC reported that it handled the same number of ransomware incidents as for the whole of 2020 - a number that was itself already more than three times greater than in 2019.

Attacks on web applications such as a company’s online payment system are common for retail companies to suffer. This is where attempts are made to gain access to the payment system and install malicious code that will steal credit card details of customers. This stolen data is often then sold on to other online criminals for a profit.

Similarly, another method of attack experienced in the retail sector and food and beverage industry is at point-of-sale (POS). This is when malicious software (malware) is installed on systems used to conduct financial transactions and is designed to steal customer payment details, particularly credit card data from checkout systems.

Retail and ecommerce businesses also face cyberattacks via their websites. This often sees websites going offline which will result in a loss of sales and frustrated customers. Another way in which they will attack a website is through a distributed denial-of-service (DoS) attack, which is an attempt to overwhelm an ecommerce platform with things like fake online orders and spam customer service enquiries.

Tips for staying safe

Retailers should take a deep look at their cyber security to understand the risks associated with running a retail or ecommerce store. To help, we’ve created five top tips for you to take to help protect your business from a cyberattack.

1) Use strong passwords and store them securely - passwords are the first level of protection when it comes to securing online accounts or customer data. Complex passwords can often be difficult to remember, which often leads to people choosing weaker passwords or repeating them across multiple accounts. The National Cyber Security Centre (NCSC) - a government organisation that provides advice and support for the public and private sector on how to avoid computer security threats - encourages the use of three random words, such as JacketSkirtOutfit to help protect against common issues like brute force attacks. This is where a hacker uses software that tries many passwords with the hope of guessing it correctly.

Another tip is to include using words in Welsh language, symbols, capital letters and numbers to make it even more secure. It’s incredibly difficult to remember them all so we encourage the use of a password manager which will store multiple passwords securely.

2) Double up your cyber protection – two-factor authentication (2FA) or multi-factor authentication (MFA) is designed to help stop cyber criminals accessing your accounts even if they obtain your passwords. It ensures that any new device trying to log in or make account changes needs a second layer of security before access is given. Some common methods of 2FA include a single-use code being sent via SMS, email, phone, or smartphone application. Below are instructions on how to enable 2FA for the most common email systems and popular social media channels.

2FA for email - Gmail (opens in a new tab), Yahoo (opens in a new tab), Outlook (opens in a new tab) and AOL (opens in a new tab)

2FA for social media - Instagram (opens in a new tab), Facebook (opens in a new tab), Twitter (opens in a new tab) and LinkedIn (opens in a new tab).

3) Regularly backup your data and isolate it - how long you would be able to operate without business-critical data, such as customer details, quotes, orders, payment details? To help keep your files and data safe, you should secure digital backups with a password or encryption and keep them isolated from their associated network. By doing this, you're ensuring your business can still function following the impact of flood, fire, physical damage, or theft. Furthermore, if you have backups of your data that you can quickly recover and avoid potential blackmail by ransomware attacks.

4) Update your software - every piece of software your business uses, whether this be for payment transactions or a stock management system, offers the potential for unauthorised access and exploitation. Good cyber security practice means keeping computers, devices, applications, and software patched and up to date, and where you can, add the use of two-factor authentication with strong passwords.

Regularly patching and installing software updates helps protect devices, as the updates will expose new flaws and vulnerabilities, which cybercriminals can use to wreak havoc. Software and app updates are designed to fix these weaknesses and installing them as soon as possible will keep your devices secure.

When setting up new devices you should also remove any unnecessary pre-installed software, while ensuring that they have firewall protection enabled and are running up-to-date anti-virus software.

5) Pay attention to detail - human error is one of the main contributing factors to the majority of cyber security breaches, in fact it’s reported that 95% of cyber security breaches are primarily caused by human error.

While people can often be the weakest link in the chain, educating colleagues will help them become your strongest asset in protecting your business. The key to security awareness training is to equip all your employees with a level of awareness to combat cyber threats. Employees need to be taught what clues to look for.

The WCRC offers free core membership to help level the playing field for smaller businesses in Wales wishing to improve their cyber safety through simple yet effective ways. It takes just a matter of moments to sign up and receive regular guidance, cyber threat updates, resources, toolkits and more.