Tuesday, September 5, 2017

Cyber Security and the Retail Sector - A Prize Winning Essay

As a general rule I don't tend to do a lot of 'academic' stuff, but for reasons too arcane to go into I entered a competition being run by the British Retail Consortium to write an essay on the cyber challenges faced by the retail industry.   Now, the essay didn't win, but it did come second. which is OK by me because it means I don't have to go and present it as a paper, but I can call it a prize winning essay.  It reminds me that the last time I was up for a prize for writing I was beaten to it by Ruth Rendell (another long story), but thanks to the BRC for running a competition like this.  It was good to spend a week looking at something immediate and relevant rather than purely academic.

Sadly, I don't think I can use this in any way in my thesis, so I still have 100 thousand words to go, minus the 500 I have written this week - so that's 99,500 words to go.  Anyway, I have pasted the essay below for those who enjoy this kind of thing.  Apologies for the typos and any failure of formatting in the copy and paste!


The cyber-security risks facing the UK retail industry are significant in terms of both potential impact and the likelihood of an attack taking place.  This is due to a combination of the attractiveness of the retail sector as a target for cyber-attack and the vulnerabilities that exist to be exploited by any attacker.
The potential impact of these cyber-security risks receives regular media coverage, and includes high profile retail victims such as Target[1] and Home Depot[2] where the costs of those attacks are estimated at more than a billion dollars in the case of Target made up of a combination of litigation, fines, and technical costs.  
It can be argued that some of the business impacts have so far been hidden either by not being part of the headline cost or costs have been externalised for example the cost to financial institutions of card re-issue (estimated at more than $200 million in the case of the Target event[3].) Deloittes estimated that up to 90% of the cost of a cyber-attack remained hidden.[4] IT may also be that the impact of cyber-security has not yet achieved an appropriate level of attention due to the much higher direct financial impact of customer theft in the sector compared to the 5% associated with cyber-crime.[5]
The likelihood of a damaging cyber-security event taking place is governed by three key factors. The potential value of the retail industry as a target for threat actors, the vulnerability of the retail industry, and the capability of the threat actors to exploit the vulnerabilities.
The retail industry represents a hugely valuable target to a range of threat actors in cyber-space, including cyber-criminals interested in card credentials and identity data to enable fraud and theft; ‘hacktivists’ for whom the highly public nature of the retail sector makes it an ideal target for politically or ethically motivated action that might include cyber-attack or the use of cyberspace to otherwise damage a business[6]; cyber-terrorists for whom the disruption of the food supply through attacks on the transport or the retail sector may be seen as a means for instilling fear in the population.
Other business impacts of a cyber-security failing may also include punitive fines of up to 4% of turnover under the General Data Protection Regulations (GDPR), litigation costs due to employee and customer harm caused by data loss, and the reputational damage of a successful cyber-attack that is estimated to decrease the value of a company by an average of 1.8%.[7]
Retail presents some unique challenges in terms of managing vulnerabilities.   Firstly, the retail industry has a very high dependency on technology, both in bricks and mortar stores and online, and encompassing the whole of the retail supply chain including warehousing and transport.  The retail sector is heavily interconnected with other sectors and vulnerable to viral malware attacks that might originate from ‘trusted’ sources. Simple attacks such as ransomware could carry a significant business cost both in terms of lost operational capability due to system unavailability and increased costs for removing the malware infection.
The retail sector has a huge dependency on the infrastructure services from telecommunications and Internet Service Providers through to GPS satellites and the power grid, and the industry would need to decide what constitutes an acceptable level of risk associated with these dependencies and maintain awareness of infrastructural issues that may impact the sector.
However, of more immediate concern would be the vulnerabilities within the retail environment itself.  These include the network and system connections with external partners; an Information Technology estate that includes EPOS terminals that may not be running on updated levels of software; an environment where potentially malicious actors can easily obtain physical access to the EPOS terminals (many of which remain equipped with USB ports that can be easily exploited); unsophisticated users of online shopping sites; employees potentially unaware of the risks in store; the ‘insider threat’ from a disgruntled employee; and, the case of small retailers, an environment where there is unlikely to be any easily available IT support capability.
The combination of being a high-value target, the potential business impact, and a highly vulnerable environment adds up to significant cyber-risk.
Addressing these risks will require a partnership involving industry, government and law enforcement.  The remainder of this essay offers and initial seven recommendation for action.
1.      Cyber-security to be agreed to be a mission critical element of the business with board level representation in major retailers.
2.      Adopt an industry wide approach to cyber-security. This is a shared risk where many attacks are opportunistic in that they look for a weakness in any target rather than a specific target. An industry wide risk assessment may be an effective first step.
3.      Get the basics right, including software levels and patching, data back-up, and encryption of key data at rest and in motion.  Strategically, by following a set of guidelines such as those provided by NIST[8], many cyber-risks can be mitigated.   Cyber-security is an ongoing process with no absolute victories.
4.      Ensure the retail sector is explicitly included within the remit of the National Cyber Security Strategy[9] and identified as being of Critical National Importance.[10]
5.      Ensure effective threat intelligence is available.  Organisations such as the Retail Cyber-Intelligence Sharing Centre (R-CISC) may be a reasonable model - adjusted for a UK focus.[11]  This threat intelligence needs to specific to the UK retail industry and shared effectively with law enforcement and across the industry and may be extended to be an ‘Action Fraud for Business’.
6.      Extend and expand sector specific education and information such as the BRCs Cyber Security Toolkit.[12]
7.      Solutions for small retailers to be encouraged from within the cyber security industry.
These recommendations should be read in the context that cyber-security is an ongoing process and there are no absolute solutions to the risk. Attackers will adapt to any defensive measure adopted by the sector, and risk reduction and mitigation remains the main focus at this time.







[6] This has been seen in the cyber-driven Electronic Intafada targeting Sodastream and social media driven campaigns such as the #grabyourwallet targeting the Ivanka brand.
[8] National Institute of Standards & Technology Framework for Improving Critical Infrastructure Cybersecurity. Available at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf downloaded on 14th May 2017.
[9] National Cyber Security Strategy 2016 – 2021 available at https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021 downloaded on 14th May 2017.
[10] The retail industry is unique as a sector in terms of its importance to the daily lives of the population of the UK both as an employer and as a provider of goods and services, but as a sector, is not specified as a part of the critical national infrastructure or explicitly referenced within the 2016 Cyber Security Strategy except as a participant in the ‘Cyber-Aware’ campaign aimed at small businesses.
[11] It should be noted that even in the US the R-CISC appears to be less mature than the Financial Services CISC possibly does not fully reflect best practice.
[12] BRC Cyber Security Toolkit available at https://brc.org.uk/media/120731/brc-cyber-security-toolkit_final.pdf accessed on 14th May 2017.