
Cyber Security and the Retail Sector - A Prize Winning Essay

As a general rule I don't tend to do a lot of 'academic' stuff, but for reasons too arcane to go into I entered a competition being run by the British Retail Consortium to write an essay on the cyber challenges faced by the retail industry. Now, the essay didn't win, but it did come second, which is OK by me because it means I don't have to go and present it as a paper, but I can call it a prize winning essay. It reminds me that the last time I was up for a prize for writing I was beaten to it by Ruth Rendell (another long story), but thanks to the BRC for running a competition like this. It was good to spend a week looking at something immediate and relevant rather than purely academic.

Sadly, I don't think I can use this in any way in my thesis, so I still have 100 thousand words to go, minus the 500 I have written this week - so that's 99,500 words to go.  Anyway, I have pasted the essay below for those who enjoy this kind of thing.  Apologies for the typos and any failure of formatting in the copy and paste!

The cyber-security risks facing the UK retail industry are significant in terms of both potential impact and the likelihood of an attack taking place.  This is due to a combination of the attractiveness of the retail sector as a target for cyber-attack and the vulnerabilities that exist to be exploited by any attacker.
The potential impact of these cyber-security risks receives regular media coverage, and includes high profile retail victims such as Target[1] and Home Depot[2]; in the case of Target the cost of the attack is estimated at more than a billion dollars, made up of a combination of litigation, fines, and technical costs.
It can be argued that some of the business impacts have so far been hidden, either because they are not part of the headline cost or because costs have been externalised, for example the cost to financial institutions of card re-issue (estimated at more than $200 million in the case of the Target event).[3] Deloitte estimated that up to 90% of the cost of a cyber-attack remained hidden.[4] It may also be that the impact of cyber-security has not yet achieved an appropriate level of attention due to the much higher direct financial impact of customer theft in the sector compared to the 5% associated with cyber-crime.[5]
The likelihood of a damaging cyber-security event taking place is governed by three key factors: the potential value of the retail industry as a target for threat actors, the vulnerability of the retail industry, and the capability of the threat actors to exploit the vulnerabilities.
The retail industry represents a hugely valuable target to a range of threat actors in cyber-space, including cyber-criminals interested in card credentials and identity data to enable fraud and theft; ‘hacktivists’ for whom the highly public nature of the retail sector makes it an ideal target for politically or ethically motivated action that might include cyber-attack or the use of cyberspace to otherwise damage a business[6]; cyber-terrorists for whom the disruption of the food supply through attacks on the transport or the retail sector may be seen as a means for instilling fear in the population.
Other business impacts of a cyber-security failing may also include punitive fines of up to 4% of turnover under the General Data Protection Regulations (GDPR), litigation costs due to employee and customer harm caused by data loss, and the reputational damage of a successful cyber-attack that is estimated to decrease the value of a company by an average of 1.8%.[7]
Retail presents some unique challenges in terms of managing vulnerabilities.   Firstly, the retail industry has a very high dependency on technology, both in bricks and mortar stores and online, and encompassing the whole of the retail supply chain including warehousing and transport.  The retail sector is heavily interconnected with other sectors and vulnerable to viral malware attacks that might originate from ‘trusted’ sources. Simple attacks such as ransomware could carry a significant business cost both in terms of lost operational capability due to system unavailability and increased costs for removing the malware infection.
The retail sector has a huge dependency on the infrastructure services from telecommunications and Internet Service Providers through to GPS satellites and the power grid, and the industry would need to decide what constitutes an acceptable level of risk associated with these dependencies and maintain awareness of infrastructural issues that may impact the sector.
However, of more immediate concern would be the vulnerabilities within the retail environment itself. These include the network and system connections with external partners; an Information Technology estate that includes EPOS terminals that may not be running on updated levels of software; an environment where potentially malicious actors can easily obtain physical access to the EPOS terminals (many of which remain equipped with USB ports that can be easily exploited); unsophisticated users of online shopping sites; employees potentially unaware of the risks in store; the ‘insider threat’ from a disgruntled employee; and, in the case of small retailers, an environment where there is unlikely to be any easily available IT support capability.
The combination of being a high-value target, the potential business impact, and a highly vulnerable environment adds up to significant cyber-risk.
Addressing these risks will require a partnership involving industry, government and law enforcement. The remainder of this essay offers an initial seven recommendations for action.
1. Cyber-security to be agreed to be a mission critical element of the business with board level representation in major retailers.
2. Adopt an industry wide approach to cyber-security. This is a shared risk where many attacks are opportunistic in that they look for a weakness in any target rather than a specific target. An industry wide risk assessment may be an effective first step.
3. Get the basics right, including software levels and patching, data back-up, and encryption of key data at rest and in motion. Strategically, by following a set of guidelines such as those provided by NIST[8], many cyber-risks can be mitigated. Cyber-security is an ongoing process with no absolute victories.
4. Ensure the retail sector is explicitly included within the remit of the National Cyber Security Strategy[9] and identified as being of Critical National Importance.[10]
5. Ensure effective threat intelligence is available. Organisations such as the Retail Cyber-Intelligence Sharing Centre (R-CISC) may be a reasonable model - adjusted for a UK focus.[11] This threat intelligence needs to be specific to the UK retail industry and shared effectively with law enforcement and across the industry, and may be extended to be an ‘Action Fraud for Business’.
6. Extend and expand sector specific education and information such as the BRC's Cyber Security Toolkit.[12]
7. Solutions for small retailers to be encouraged from within the cyber security industry.
These recommendations should be read in the context that cyber-security is an ongoing process and there are no absolute solutions to the risk. Attackers will adapt to any defensive measure adopted by the sector, and risk reduction and mitigation remains the main focus at this time.

[6] This has been seen in the cyber-driven Electronic Intifada targeting Sodastream and social media driven campaigns such as the #grabyourwallet targeting the Ivanka brand.
[8] National Institute of Standards & Technology Framework for Improving Critical Infrastructure Cybersecurity. Available at downloaded on 14th May 2017.
[9] National Cyber Security Strategy 2016 – 2021 available at downloaded on 14th May 2017.
[10] The retail industry is unique as a sector in terms of its importance to the daily lives of the population of the UK both as an employer and as a provider of goods and services, but as a sector, is not specified as a part of the critical national infrastructure or explicitly referenced within the 2016 Cyber Security Strategy except as a participant in the ‘Cyber-Aware’ campaign aimed at small businesses.
[11] It should be noted that even in the US the R-CISC appears to be less mature than the Financial Services CISC and possibly does not fully reflect best practice.
[12] BRC Cyber Security Toolkit available at accessed on 14th May 2017.
