Cyber risks in retail and wholesale
Many retailers and wholesalers have had difficult years. The pandemic caused a lot of disruption while digitalization has also continued to increase. That digitalization brought revenue growth in many cases, but it also creates a risk not to be underestimated: cybercrime. One wrong mouse click can have major consequences. Yet many entrepreneurs are unaware of this while tens of thousands of SMEs are active in these sectors. Cybercriminals can shoot their malware across the Web, looking for backdoors. That also makes independent retailers a potential target.
This article previously appeared at: www.retailtrends.nl.
In September 2023, the Vedis knowledge session on cybersecurity took place at Nijenrode Business University. Complete cybersecurity is, strictly speaking, unattainable: it does not actually exist. You can never guarantee that your company is 100 percent safe from every possible risk. What you can do, however, is focus on protecting the highest-value assets.
As a business owner in the dynamic retail and wholesale industry, you don't really want to be overly concerned with this issue. You want to focus on what matters most: selling your product or service and helping people with it. To achieve that, you make a plan and set goals. You measure performance and see how certain products are selling. You also look at whether you have enough staff and whether they are in the right place. When you look at cybersecurity through that same lens, you find that the approach is actually not that different. And it doesn't have to be expensive.
Challenging conditions
Many business owners' gross profits are under pressure now more than ever due to increased purchasing costs combined with increased personnel costs, energy costs and double-digit rent increases. Tax liabilities were, until recently, a low priority for business owners who preferred to pay suppliers and landlords first, but that is over. As a result, many businesses' liquidity space is tightening sharply as aid received or deferred taxes must be repaid. So as a retailer or wholesaler, you have something else on your mind besides new privacy and security regulations.
Nevertheless, business goals, privacy goals and security goals often go hand in hand. Non-compliance and insecure systems can cost millions in fines and lost revenue. The sheer volume of risks and products makes it difficult to decide which cybersecurity solution is best. Most products only address one small aspect, such as endpoint security alone. Therefore, it is important to treat cybersecurity as a strategic topic within your company. The goal is to get an overview of the main risks, after which the cyber strategy can be translated to the operational level and to corresponding solutions.
Take cyber risks seriously
There is every reason to take cybercrime seriously, especially since stores and wholesalers are becoming increasingly digital. The trend in both sectors is omnichannel customer contact. Where there used to be one point of contact with the customer, the physical store, as a retailer but also as a wholesaler you now have so-called 'online touchpoints' everywhere, such as mobile apps, websites and large online platforms. This is good for sales and visibility with customers, but it is a digital risk for business processes. It makes entrepreneurs extremely dependent on digitalization, while we often see a lack of knowledge about good IT security.
A lot has also changed in terms of inventory management. Where almost all retailers used to purchase their own stock and have it delivered, more and more entrepreneurs now work together with brands or wholesalers from one central inventory system. This means that you are more dependent on such a digitized solution. If that system goes down, you can't sell anything anymore. So the drive for efficiency also brings new risks.
From phishing to data breaches
A cyber attack can affect the entire chain, from supplier to customer. Research by INretail shows that more than 70 percent of retailers have encountered online crime at some point. The main forms are:
- Ransomware: This is a form of malware, an infected piece of software that serves as a weapon. This encrypts and locks down your IT system, making it suddenly impossible to open files. Upon payment, the other party promises to unlock your IT system again.
- Phishing: A store employee accidentally clicks on a link or opens an infected email attachment. This is how criminals manage to access and steal confidential data, extract money or install malware such as ransomware. As many as 91 percent of data breaches start with a phishing email.
- Data breach: A poorly secured server or successful phishing attack suddenly puts customers' personal data out on the street. This can lead to reputational damage and loss of customer confidence in your company. Moreover, you have a duty to report the attack to your customers and the Personal Data Authority. Do you fail to do this? Then you could face a hefty fine.
- Baiting: A hacker tries to entice someone with a false promise. For example, by leaving a USB stick behind with the promise that the finder will receive a sum of money. When the finder plugs the USB stick into their computer to find out who owns it, malware is installed automatically.
4 insights around 'zero trust'
Never trust, always verify. That's the essence of zero trust. While internal processes are often trusted as a matter of course, this new standard trusts nothing in the digital domain by default. In addition to this strong premise, it helps to think in terms of "protect surfaces" rather than "attack surfaces." Sound complicated? We'll explain.
Instead of trying to protect everything from all possible attacks, first determine what is important to your business and focus your efforts there. Inherent in zero trust is the practice of assigning minimal digital permissions to all employees. In addition, an extra verification step is required when major changes are made. Finally, it's good to trust people, but it's better to maintain control.
Solutions to strengthen information security
The essential element in preventing security problems such as hacks is process hygiene: measures that ensure you are in control. It starts at the door, with access management. Who has access to a system? Why do they have that access, and for what exactly? Until when, at what times and in what way? It is also advisable to create separation in your IT infrastructure so that the most important, critical systems are isolated. This way, a hacker cannot walk from one system to another once they are in. Next, configuration management can help ensure that systems meet the latest standards. Lastly, it is important to monitor all critical systems 24 hours a day, 365 days a year for abnormal behavior, and to discover and fix possible weaknesses.
4 take-aways
First, it is important to know what your goals are, which assets are most valuable and what risks are related to them. Second, the measures you take to protect those assets must be commensurate with the risks. In addition to this so-called "protect thinking," it is crucial that you know exactly what legislation applies to your business. Finally, it is good if you yourself know that your company is digitally in control, but you must also be able to demonstrate that to others. A proactive "in control statement" is the solution for this. This last takeaway is the most important; the other three are prerequisites for making the 'in control statement' the right way.
To ask the right questions
As an entrepreneur, you are constantly asking yourself questions about your business processes. What are my goals? What sells best? What can we do better? You can ask similar questions about your digital security, around ensuring the quality, reliability and security of your digital systems, software and processes.
- What goals have we set for ourselves when it comes to information risk, security and assurance?
- What are our highly valued assets? In short, what is a priority to protect?
- What lessons are we learning from the past 12 months and what can we do better?
- How do we measure our information security around ensuring the confidentiality, integrity, availability and authenticity of that information (including that of our supply chain), and how does that contribute to our business goals?
- How do we use our IT investments and how do we measure that?
Protect against attacks
Whether you are a large company or a small SME with a few people on the payroll, cybercriminals make no distinction. Therefore, as a retailer or wholesaler, you must continue to invest in digital security. You do this, for example, by:
- Training employees in awareness of cyber incidents and cybersecurity. More than 90 percent of cyber incidents go wrong because of human actions: employees click on an infected link or access files that should have been better secured. Programs that address these risks are therefore very important.
- Using strong passwords or passphrases, preferably in combination with multi-factor authentication. After logging in with a username and password, this adds a further verification step, for example in the form of a text message.
- Having clarity on who is responsible for all IT-related matters, such as access management, cybersecurity and incident policies.
- Encrypting confidential and personal information.
- Establishing an incident policy so you know what to do in the event of an attack.
- Backing up at least once a month and storing the backup off your network, preferably offline. Also, don't forget to test this backup.
- Installing permanent antivirus software and a firewall.
- Performing updates regularly, where possible, and "patching" systems and applications. This is a kind of periodic inspection (APK) for software.
Insuring risk
Discussing cyber risks is also becoming increasingly important from a financing perspective. This is because companies are increasingly dependent on technology and the Internet, putting them at greater risk of cyber attacks and data breaches. Cyber insurance helps mitigate the costs and consequences of these incidents. Cyber incidents can have a major impact and (in)directly lead to financial and reputational damage for organizations. For example, incurring additional costs for restoring files/documents and hiring an expert (IT, PR, Legal). But also loss of revenue due to business downtime, fines as a result of an incident and liability claims from third parties.
The occurrence of cyber risks can be divided into 3 main causes:
- Operational system failures without malicious intent;
- An outside attack (e.g., ransomware, malware, a virus, DDoS attack);
- Human action, intentional or unintentional (e.g., sending an email to the wrong recipient, an outage due to a failed update, loss of a laptop with confidential information).
The damage from cyber risks can have a huge impact. Cyber risks are as palpable to businesses and organizations today as the loss of physical assets AND the likelihood of an incident is significantly higher. No matter how well organizations are secured, in practice every organization proves vulnerable to the risks associated with using computer systems. Investing in preventing cyber incidents is the basis, insuring against cyber risks is the capstone.