Modern retailers are data driven, and valuable PII and payment data makes any organisation selling online an attractive and obvious target for attackers to either steal data or deny access to it (seeking a ransom).
The retail industry is actively targeted; a recent whitepaper by Sophos - The State of Ransomware in Retail 2022 - reported a dramatic increase in the level of attacks against the sector: "77% of retail organisations were hit by ransomware in 2021, up from 44% in 2020."
It is no longer a question of whether, or even when, an attack will happen, but of how much damage it causes and whether the organisation can survive it.
Organisations correctly spend considerable resources on increasing security to reduce the likelihood and impact of an attack by implementing protective and reactive controls, like patching, configuration management and SOCs (Security Operations Centres), which significantly reduce the level of risk.
However, these controls will never eliminate the risk entirely.
HONESTY IS THE BEST POLICY
Press and popular opinion suggest that cyber security breaches can result in huge, and sometimes irrecoverable, reputational damage. Therefore, without proper response and recovery plans, a company's chance of survival is lower.
Organisations still fear disclosing such breaches, as being open and honest exposes them to this reputational impact. Yet the stark reality is that consumers and the media are increasingly likely to find out about a breach. The attackers themselves may even disclose it for greater impact.
Besides potentially being illegal, denying a breach, trying to minimise the impact, or communicating in complex and evasive language is doomed to failure. When organisations retract or update statements, or when other sources provide contradictory information, it reduces trust in an already damaged brand.
Customers need to know - and, most importantly, trust - that you understand the impact on them and are working hard to resolve it.
When shipping company Maersk fell victim to the NotPetya attack in 2017, its clear and straightforward communication, swift and decisive action, and efforts to keep serving customers not only saved its business but also resulted in the company becoming a beacon for corporate responsibility.
So what do you do? A sound, robust response will enable organisations to survive and could yield positive outcomes for well-prepared retailers:
- Plan - What would your organisation do in the first hour, day, week, and month of an attack and the recovery? Not just the technical requirements, but how do you limit harm? How do you communicate with staff, third parties, the authorities, and, most importantly, the customers and those directly impacted? Who will lead this communication effort?
- Rehearse - Releasing negative news is very difficult and exceptionally uncomfortable, but it is a learnt skill. The fear of repercussions and human nature tend to make us minimise the event and respond aggressively to challenge.
- Communicate - However good your media and executive team are, they need to deliver a press release that is clear, honest, and helpful. Your spokespeople need to practise looking into the lens of a camera, communicating clearly and showing empathy. It is better to have the awkward experience of getting it wrong in the rehearsal than during a real incident.
Customer service teams need to be taught and rehearsed in how to deal with scared and angry customers. If someone is scared that their credit card details have been stolen from your system, they are vulnerable and need help and support - it is not the time to put them on hold or communicate badly. How do you tell them that you're very sorry, but you can't deliver the product or take the order whilst retaining their loyalty at the same time? The skill is honest communication - another learnt skill that benefits from practice.
Planning for a serious incident and the ensuing recovery isn't cheap. It will likely require specialist external support and time from the executive, technical, operational and customer support teams. It needs to be updated and rehearsed regularly.
In the heat of an incident, this can all make the difference between an organisation that is seen as the victim of crime, who took it seriously, went the extra mile to protect customers and will recover, versus one that has poor security, tried to hide it, and allowed customers to suffer.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.