In part one of this series, we discussed the topic of sustainability and its impact on the retail sector.
In this part we are going to switch gears and look at the impact of the current security landscape. As mentioned in part one, I was joined by Ian Scott (Independent Retail Consultant), Peter Critchley (UK CEO for Trison), David Dobson (Global Industry Director Retail, Intel Corporation) and Jane Liston (Retail Sales Manager, CDW). However, we had to let one person escape per discussion topic to complete our Retail Trends filming. In this session we released Ian and welcomed David back into the conversation.
Retail Security
Security is understandably front of mind for almost all organisations at the moment; not a week goes by without a story of another high-profile breach. Jane reflected on this in her opening thoughts on the topic:
"Security has obviously always been important, but at this moment in time, it’s absolutely front-and-centre. Recent cyber-attacks on big name retailers are having a really devastating impact, and so many within such a short space of time shows how organised these cyber-attacks are getting."
From my perspective, it was key to make sure we circled back to offer some practical advice and share something tangible retail organisations can do in the face of this increasing threat landscape. More on this at the end of the article.
When we look at the overall retail market, we cannot miss the move to a more digital footprint. That could be online, in-store or as part of the supply chain; the use of technology is critical and exploding. David reflected on this:
"There's kind of a double-edged sword with this technology adoption. You want all this information stored digitally in your business. But having all that information stored digitally creates new attack surfaces, new ways for people to potentially access that data."
This has been a big focus for Intel over the past few years: how to help secure those digital platforms that everyone relies upon. David went on to say, "Intel has been working very hard on our technology to make sure that it is secured, which provides that secure platform for the digital environment that retailers are reliant upon."
As we reflected upon the critical mass building in the cyber space, I posed a question to the group: "What are consumers thinking? How do they feel when they see these news articles?"
Peter had the following thoughts:
"Reputationally, I think it's really important. It's a very, very long bridge to cross back to a happy place with a brand if you've been told that your personal details have been hacked and shared, especially if they can't be sure what has been hacked or who has been impacted."
Jane added a view as a consumer:
"As an avid shopper, I'm happy that I don't always have to input my card details as shops have them stored; it's really convenient. However, I'm also aware that this is potentially a safety risk, and you do sometimes question whether it's safe."
David added the following perspective: "Yeah, I think that there are three angles to this: the brand side, the regulation side and the third thing is there's loss of sales, right? I mean, in some of these examples recently stores have had to close."
At CDW, one of the things we have been talking to customers about over the last few months is the need to focus as much on withstanding attacks as we do on surviving them. Taking an honest look at the word Resilience tells us it’s the ability to withstand and survive. There has been a pivot to recoverability that has left gaps in the basic processes and procedures that would help keep the attackers out in the first place. With the reputational and revenue impacts of a breach, it’s hard to ignore.
Peter had a couple of excellent points on how to manage the impact of a breach:
"I think how you communicate that message is really important as well, especially when it's happened. How do you crisis-manage these situations? You see good and bad examples, so I believe the only way to be sure is to engage at the beginning and make sure you have a plan, and to make sure you clearly understand how you protect your vital assets in the business. These are not just your brand and your customers’ details, but the people that work in your business as well."
"If you're providing digital touchpoints in a retail space, if you're doing Epos systems or kiosks or you're providing a personalised shopping experience, do you actually even need to have an email address? Do you need to have a phone number? Is there a way of engaging with people that protects you and them by anonymising it in that space?"
This last point is so critical. It’s become the norm to try and over-collect information on our consumers, as it’s seen as valuable data to help inform decisions. The question about the level of specificity is critical though; do you need to know it was Bob who bought that product or just that it was a 25-year-old male?
David raised a strong point that, in the retail sector, balancing innovation and security can be a challenge. "Retail is a continual innovation space, so we are launching new services, we are adding new things, we are talking to our customers in different ways. That sometimes creates unforeseen access or gaps in security posture."
As the discussion came to a close, I asked each to give a closing view on how they think retailers can make an impact on this challenge.
Peter shared a view on the insider threat issue and how we control access to critical systems:
"You could enable all the security you like. But, if you have a disgruntled employee who's walking away that day, has access to a digital signage network and wants to put something on it, they have access and they can do it. So, being able to quickly suspend accounts, being able to have rules in place that moderate content automatically, whether it's using AI or other systems, is really key."
David pointed to the use of AI as an enabler to fight the threat actors:
"I think there's a smart way of using artificial intelligence to start to uncover some of those new ways that people have of accessing your systems. So, once the system is installed, how do you make sure that it stays safe and it stays secure?"
Jane took a holistic view, espousing the opinion that it can no longer be OK to accept second best:
"I think security must underpin everything you do. Any time a solution is deployed, security has got to be a foundation, not a nice-to-have. You can’t think, you know what? We can get away with this product with weak security as it's 50% cheaper. You're going to end up paying for that in the future."
Personally, I circle back to CDW’s Cyber Resilience framework we call Visualise, Withstand, Survive.
These are the three core pillars that we talk to customers about. If you don't understand what you have, how can you make informed decisions on how to protect that stuff? Once you have visualised it, you can actually make informed decisions and help your organisation withstand that attack.
Hopefully, if you do it in this order, you can minimise the amount of time you have to spend surviving the attack. The problem is that most organisations don’t complete the Visualise stage in detail and find themselves in the middle of a Survive situation.
To listen to our podcast on this topic, visit CDW OCTOPod.
Contributors
- Rob Sims, Chief Technologist - Hybrid Platforms