March 21, 2017

Cyber security: what legislation changes mean for retailers

By GlobalData Retail

Cyber attacks can lead to leakage of confidential information such as financial records and customer data, as well as loss of money, intellectual property and trade secrets.

Retailers have a duty to improve cyber security to guard against cyber crime and protect their reputations.

What is the impact of cyber crime on retail?

Total e-retail expenditure in the UK will grow by 35.0 percent from 2017 to 2022, making retail a prime target for criminal activity online. The amount of customer information retailers possess is growing and becoming more detailed. As the data becomes more valuable, the hacking becomes more lucrative – and savvy cyber criminals are sharing skills, knowledge and existing malware to attack.

Cyber onslaughts such as October 2016’s largest ever distributed denial of service (DDoS) attack, on a server used by Twitter, Netflix and the Guardian, are becoming increasingly sophisticated.

What is the new legislation and how will it affect retailers?

To clamp down on lax cyber security, two EU-spearheaded initiatives are soon to be incorporated into UK law. The new Network and Information Security Directive (NISD) and General Data Protection Regulation (GDPR) – the first of which is due for implementation by 9 May – will help improve cyber security across the retail sector. Despite the nation’s vote to leave the EU, the government has confirmed these regulations will still be enforced.

Existing UK legislation on cyber security states that businesses must keep personal information safe and secure, and use it only for the purposes stated by the consumer, or face fines of up to £500,000. The NISD will ensure that businesses and digital service providers (DSPs) take appropriate security measures and inform the Information Commissioner’s Office (ICO) in the event of a data breach.

Under the GDPR, companies that fail to inform customers of an intrusion within 72 hours, or that break any other rule, can be fined up to €20 million or four percent of global annual turnover, whichever is the greater amount. There is a lot to lose if retailers do not take sufficient precautions, especially given the risk of GDPR fines on top of the fallout from the attacks themselves.

The UK government employs a carrot and stick approach: it has decided not to administer any regulation in addition to the GDPR, and instead to incentivise businesses to invest in cyber security. For example, the government awards accreditation to organisations that undertake the Cyber Essentials scheme. This improves company reputation and signals trust and security to customers and shareholders.

Basic security measures are not enough

Retailers must be vigilant against attack. Basic security measures must be in place and employees need to be educated on simple ways to protect against a breach. This ranges from teaching staff about the dangers of email phishing scams to emphasising the importance of password security.

However, as cyber crime is more advanced than ever, retailers cannot afford to rely on basic measures such as encryption and password security alone. DSPs need to actively identify vulnerabilities in their security systems, pinpoint the weaknesses and work continuously to defend their data from harm.

Furthermore, if retailers do suffer an attack, the crime must be reported to customers and the ICO, and an effective PR strategy must be mobilised to minimise damage to the company’s reputation.

Are you prepared for a cyber attack? Take a few minutes to answer GlobalData’s survey and receive a free copy of our results.
