It’s a question of when, not if, there are more attempts to breach retailers’ cybersecurity. AlixPartners experts Brian Kalms and Edd Hardy look at how businesses can best protect themselves.


Board and investor discussions will be rife across retail following recent events in the cybersecurity space. They’ll be asking how exposed their business would be should the worst happen. They will have phoned their chief technology officers or chief information security officers and asked: “Are we ok?”

The answer may well be: “Yes, we have layers of software, unbreakable firewalls. We subscribe to these services, maintain these databases and we’re in great shape, but of course we will always be vulnerable.” No CTO or CISO will ever say “we can’t be hacked.”

Many see cyber as a technology problem, but it’s a process and a business problem. It’s not about having the latest firewalls; it’s about whether you have effective processes and robust change controls in place.

Do you monitor the efficiency and impact of those controls? And do you have a strategy that helps you deliver them? Rather than simply asking whether you’re ok, it may be more valuable to establish how to check that you are.

The cyber industry sells technology that promises preventative solutions to worst-case scenarios. But those solutions don’t, and can’t, fix everything.

When we work with clients, we regularly bypass talk of technology initially. We are often surprised that no one has asked them: “What makes you the money, and what would happen if this product or service was unavailable for 24 hours? What would happen if your data was publicly leaked?”

The impact analysis that follows can rapidly help you to size up the risk of a metaphorical meteor. It’s only then that we would assess the likelihood of such an event based on the security and the technology you have.

Mapping your cyber risk against organisational risk tolerance shows where a function or process may lie. How much damage can be tolerated and how do you move inside that boundary? Do you, for instance, either increase the tolerance or manage the risk? This can move businesses from a position of reactivity to genuine preparation and prevention.

Cyberattacks are still regularly caused by obvious, preventable things, such as absent or ineffective processes, laptops left open that are still signed on, over-simple passwords, or working in public spaces.

Retail is habitually targeted because of the vast pool of payment and customer data and systems that must be available 24/7—it’s the easiest way for hackers to make money.

The appeal of the industry to hackers is only heightened by its welcoming physical locations (stores), interconnected supplier bases, data exchanges and legacy tech, all of which can be complex to secure due to a lack of support and knowledge.

As recent events move beyond the initial point of impact to damage mitigation and fallout management, business leaders from across the industry should take a moment for introspection.

When did they last conduct an end-to-end review of their business processes and an assessment based on financial vulnerability? Cyberattacks are not about the tech; they’re about the business.

Discussions may focus on how to reduce the likelihood of an attack, but they should also cover how to reduce its impact. Quantify the risk: is it £50,000 that you can comfortably write off, or £50m? If it’s the latter, a business impact assessment, and an understanding of how your cyber actions meet that impact and your risk requirements, take on a new priority level.

A cyberattack on your business is, frankly, inevitable at some point in time, which makes ensuring survivability imperative.

The executives, board members and investors asking the questions now must stay on top of the risk reviews, the strengthening of controls, and the monitoring of progress, performance and value. They must be engaged and involved with rehearsals. When, sadly, not if, an attack occurs, they will need to make some big decisions.

How do you do that? You need to make those decisions in advance.