Cyber-security cost hits UK high street hard

07 August 2019 4 min. read
More news on

With the UK high street currently floundering amid falling consumer power and heightened import prices, the country’s retailers have happily followed the global trend of turning to digitalisation to improve their customer experience and find efficiency savings. However, these opportunities do not come without risks, and new analysis shows that the number of cyber breaches in retail more than doubled in 2018, resulting in disruption, reputational damage and significant financial losses.

In August 2018, health and beauty retailer Superdrug Stores admitted to a security breach that potentially compromised names, addresses, and in some cases, dates of birth and phone numbers of 20,000 customers. The hackers held the data ransom for an undisclosed sum, providing details of 386 customers to prove the validity of their claims, which Superdrug was able to verify.

The company suffered notable reputational damage from the episode, initially failing to apologise to those affected when announcing the breach, while the cancellation of accounts for customers was only available at first via a paid phone line. Amid the fury from consumers, however, companies who are the victims of hacks like this could also be stung financially. Since the EU’s General Data Protection Regulation (GDPR) and GDPR-aligned UK data protection legislation came into effect, organisations are under increased pressure to ensure personal data is kept securely, or else face a range of punitive measures that could seriously affect their bottom line.

Who are Survivors

In the tumultuous British retail scene, the threat of a cyber-attack is emphasised even further, then. While many companies have turned to digital technologies to make customer interactions easier, create additional sales channels and add additional efficiencies on the backend, they open up new short and long term risks. Cybercrime is continuing to increase, as criminals become more sophisticated and diverse, meaning firms who fail to beef up their security efforts are at risk of falling prey to them.

To understand how such events are currently affecting UK retail businesses, BDO has published a report into the cyber-threats facing high street firms as they push deeper into the digital realm. Retail is a key target of financially motivated attackers, largely due to the large number of credit cards used as part of the wider purchase process. Once captured, they can be quickly monetised through illegal markets.

The frequency of breaches in the retail industry has continued to rise. Between 2017 and 2018 the number of breaches multiplied by 2.5 times, with a quarter reporting being breached more than once. In total 957 breaches of UK retail businesses occurred in Q1 2018, representing a 17% increase on Q3 2017. One major issue facing affected consumers is that they find out that their details have been breached months after the fact. In 2018 for instance, it took an average of 196 days for a breach to be detected – by which time a large amount of data and money had already been lost.

Insider threats continue to plague the industry, largely from staff neglect (63% of incidents), while 83% of companies have seen staff incidents where they accidentally exposed customer or business data. Despite this, BDO found that many companies may not have been making security a priority – which has seen upper management and board level oversight increase. However, even with increased oversight, many still lack a coherent strategy or even lack one completely in some instances.

Who are Thrivers

Gregory A. Garrett, Head of International Cybersecurity for BDO, said of the findings, “The retail and consumer products industry is facing increasing number of sophisticated cyber-attacks... Unfortunately, the global retail industry has not made sufficient investments in their cybersecurity policies, plans, procedures, and methods of defence, especially with their respective supply chain partners. As a result, the average cost of a cyber-data breach in the retail industry continues to climb every year and so does the average cost of cyber liability insurance coverage.”

According to the research, two varieties of companies have been able to mitigate cyber-risks, however. So-called ‘Thrivers’ are e-commerce-centric and have adopted technology early, and thus enjoy a competitive advantage on late-comers when understanding and dealing with risks, enabling them to plan ahead for worst-case-scenarios while improving products and convenience levels. While the majority of Thrivers are pure-play e-commerce outfits, the segment also includes specialist traditional retailers.

At the same time, ‘Survivors’ are technology laggards, but adopt a hyper-cautious, risk-averse, approach to technology to compensate for this, while focusing heavily on the single area of customer service to minimise potential distractions from security. Department stores make up the largest portion of Survivors, followed by discount retailers.