As a general rule I don't tend to do a lot of 'academic' stuff, but for reasons too arcane to go into I entered a competition being run by the British Retail Consortium to write an essay on the cyber challenges faced by the retail industry. Now, the essay didn't win, but it did come second, which is OK by me because it means I don't have to go and present it as a paper, but I can call it a prize-winning essay. It reminds me that the last time I was up for a prize for writing I was beaten to it by Ruth Rendell (another long story), but thanks to the BRC for running a competition like this. It was good to spend a week looking at something immediate and relevant rather than purely academic.
Sadly, I don't think I can use this in any way in my thesis, so I still have 100 thousand words to go, minus the 500 I have written this week - so that's 99,500 words to go. Anyway, I have pasted the essay below for those who enjoy this kind of thing. Apologies for the typos and any failure of formatting in the copy and paste!
The cyber-security risks facing the UK retail industry are significant in terms of both potential impact and the likelihood of an attack taking place. This is due to a combination of the attractiveness of the retail sector as a target for cyber-attack and the vulnerabilities that exist to be exploited by any attacker.
The potential impact of these cyber-security risks receives regular media coverage, and includes high profile retail victims such as Target[1] and Home Depot[2], where the costs of those attacks are estimated at more than a billion dollars in the case of Target, made up of a combination of litigation, fines, and technical costs.
It can be argued that some of the business impacts have so far been hidden, either by not being part of the headline cost or because costs have been externalised, for example the cost to financial institutions of card re-issue (estimated at more than $200 million in the case of the Target event[3]). Deloitte estimated that up to 90% of the cost of a cyber-attack remained hidden.[4] It may also be that the impact of cyber-security has not yet achieved an appropriate level of attention due to the much higher direct financial impact of customer theft in the sector compared to the 5% associated with cyber-crime.[5]
The likelihood of a damaging cyber-security event taking place is governed by three key factors: the potential value of the retail industry as a target for threat actors, the vulnerability of the retail industry, and the capability of the threat actors to exploit the vulnerabilities.
The retail industry represents a hugely valuable target to a range of threat actors in cyber-space, including: cyber-criminals interested in card credentials and identity data to enable fraud and theft; ‘hacktivists’, for whom the highly public nature of the retail sector makes it an ideal target for politically or ethically motivated action that might include cyber-attack or the use of cyberspace to otherwise damage a business[6]; and cyber-terrorists, for whom the disruption of the food supply through attacks on the transport or the retail sector may be seen as a means of instilling fear in the population.
Other business impacts of a cyber-security failing may also include punitive fines of up to 4% of turnover under the General Data Protection Regulation (GDPR), litigation costs due to employee and customer harm caused by data loss, and the reputational damage of a successful cyber-attack, which is estimated to decrease the value of a company by an average of 1.8%.[7]
Retail presents some unique challenges in terms of managing vulnerabilities. Firstly, the retail industry has a very high dependency on technology, both in bricks and mortar stores and online, and encompassing the whole of the retail supply chain including warehousing and transport. The retail sector is heavily interconnected with other sectors and vulnerable to viral malware attacks that might originate from ‘trusted’ sources. Simple attacks such as ransomware could carry a significant business cost, both in terms of lost operational capability due to system unavailability and increased costs for removing the malware infection.
The retail sector has a huge dependency on infrastructure services, from telecommunications and Internet Service Providers through to GPS satellites and the power grid, and the industry would need to decide what constitutes an acceptable level of risk associated with these dependencies and maintain awareness of infrastructural issues that may impact the sector.
However, of more immediate concern would be the vulnerabilities within the retail environment itself. These include: the network and system connections with external partners; an Information Technology estate that includes EPOS terminals that may not be running on updated levels of software; an environment where potentially malicious actors can easily obtain physical access to the EPOS terminals (many of which remain equipped with USB ports that can be easily exploited); unsophisticated users of online shopping sites; employees potentially unaware of the risks in store; the ‘insider threat’ from a disgruntled employee; and, in the case of small retailers, an environment where there is unlikely to be any easily available IT support capability.
The combination of being a high-value target, the potential business impact, and a highly vulnerable environment adds up to significant cyber-risk.
Addressing these risks will require a partnership involving industry, government and law enforcement. The remainder of this essay offers an initial seven recommendations for action.
1. Cyber-security to be agreed as a mission-critical element of the business, with board-level representation in major retailers.
2. Adopt an industry-wide approach to cyber-security. This is a shared risk, where many attacks are opportunistic in that they look for a weakness in any target rather than a specific target. An industry-wide risk assessment may be an effective first step.
3. Get the basics right, including software levels and patching, data back-up, and encryption of key data at rest and in motion. Strategically, by following a set of guidelines such as those provided by NIST[8], many cyber-risks can be mitigated. Cyber-security is an ongoing process with no absolute victories.
4. Ensure the retail sector is explicitly included within the remit of the National Cyber Security Strategy[9] and identified as being of Critical National Importance.[10]
5. Ensure effective threat intelligence is available. Organisations such as the Retail Cyber-Intelligence Sharing Centre (R-CISC) may be a reasonable model, adjusted for a UK focus.[11] This threat intelligence needs to be specific to the UK retail industry and shared effectively with law enforcement and across the industry, and may be extended to become an ‘Action Fraud for Business’.
6. Extend and expand sector-specific education and information such as the BRC's Cyber Security Toolkit.[12]
7. Solutions for small retailers to be encouraged from within the cyber security industry.
These recommendations should be read in the context that cyber-security is an ongoing process and there are no absolute solutions to the risk. Attackers will adapt to any defensive measure adopted by the sector, and risk reduction and mitigation remain the main focus at this time.
[2] https://www.sans.org/reading-room/whitepapers/casestudies/case-study-home-depot-data-breach-36367 accessed on 14th May 2017.
[4] http://www.csoonline.com/article/3110756/data-breach/a-deeper-look-at-business-impact-of-a-cyberattack.html accessed on 14th May 2017.
[5] https://brc.org.uk/media/116322/10081-brc-retail-crime-survey-2016_v6.pdf accessed on 14th May 2017.
[6] This has been seen in the cyber-driven Electronic Intifada targeting Sodastream and social media driven campaigns such as #grabyourwallet targeting the Ivanka brand.
[7] http://www.information-age.com/cyber-breaches-cost-plcs-1-8-company-value-123465693/ accessed on 14th May 2017.
[8] National Institute of Standards & Technology, Framework for Improving Critical Infrastructure Cybersecurity. Available at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf downloaded on 14th May 2017.
[9] National Cyber Security Strategy 2016 – 2021, available at https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021 downloaded on 14th May 2017.
[10] The retail industry is unique as a sector in terms of its importance to the daily lives of the population of the UK, both as an employer and as a provider of goods and services, but as a sector it is not specified as a part of the critical national infrastructure or explicitly referenced within the 2016 Cyber Security Strategy, except as a participant in the ‘Cyber-Aware’ campaign aimed at small businesses.
[11] It should be noted that even in the US the R-CISC appears to be less mature than the Financial Services CISC and possibly does not fully reflect best practice.
[12] BRC Cyber Security Toolkit, available at https://brc.org.uk/media/120731/brc-cyber-security-toolkit_final.pdf accessed on 14th May 2017.