The impact of cybersecurity on the apparel industry     

The matrix below details the areas in cybersecurity where retailers should be focusing their time and resources. We suggest that retailers invest in technologies that are shaded in green, explore the prospect of investing in technologies shaded in yellow, and ignore areas shaded in red.

Framework, cybersecurity risk management falls under governance responsibilities for businesses. A retailer must ensure that their business is well protected against cyber threats and can safeguard the privacy of their consumers’ data. An important component of this is protecting personal consumer data like their address, financial information, and other PII. 

Cyberattacks are a component of ‘hacktivism’ whereby hackers disrupt a retailer’s online platform rendering it unusable. Motivations for targeting retailers range from protesting a company’s product (i.e., vegan hackers would target a company specialising in animal products) to specific corporate policies. These attacks are less sophisticated than ransomware attacks and aim primarily for disruption. These attacks often involve defacing a company’s website, akin to graffitiing the entrance of a store, as well as spamming a company’s website via bots to overload the system and shut down their online operations—also known as Distributed Denial of Service (DDoS). 

Hacktivism has been on the rise in recent years. In March 2022, hacker group Anonymous decided to target companies that were not pulling out of Russia fast enough in the outbreak of the Ukraine-Russo conflict. The hackers targeted retailers such as Auchan, Decathlon, and Leroy Merlin with DDoS attacks after the retailers were slow in halting operations in Russia. 

Source: GlobalData Thematic Intelligence

All aspects of retail are being digitalised—from the initial manufacturing of products in the warehouses to the customer who pays for the product with a contactless credit card in stores, via mobile apps, or online. In store, the process of purchasing products has gone almost completely digital. According to the European Payments Landscape in 2030 report, published in 2021, 89% of respondents said that they either frequently or sometimes use contactless cards. 57% had used mobile wallets such as Apple or Samsung Pay. PoS devices involved in financial transactions need to be protected, as they are the most vulnerable. Hackers are primarily interested in financial data and personal details they can sell. 

Endpoint security can help reduce risks associated with contactless payment systems. Emerging biometric payment systems (like using fingerprints or facial recognition systems to pay) promise to be safer. Credit card details can be obtained easily – using someone’s unique facial or hand features would prove more difficult for hackers. 

Collaboration tools and cloud systems allow retail employees to work more flexibly from home. However, these tools also present a vulnerability for retailers. Those working from home need to be able to work on secure networks. It is now more common for hackers to download malware into employee laptops through phishing emails, which gives them access to the company network and sensitive data. Corporate IT is less able to assist someone working from home or control their actions, devices, and software. 

It is important, therefore, to ensure that employees are taught cybersecurity housekeeping skills so they can identify cybersecurity risks, such as phishing emails. Software needs to be updated regularly with antivirus protections to reduce cyber risks that come with working from home. 

A year after the Colonial Pipeline ransomware attack in the US, which took place in May 2021, cyber-risks to critical national infrastructure and businesses remain. Cybersecurity attacks are a new tool in the arsenal of nation states who want to undermine the IT infrastructure of another. This has an impact on retailers who may be caught in the crossfire. 

IoT devices are very vulnerable to cybersecurity risks employing robots, sensors in cameras, and other connected devices will have to do regular security checks on these devices. Networks protected by third-party tech providers are also not immune to cyberattacks. For example, the Kaseya ransomware attack led to the Swedish supermarket chain Coop closing 500 stores (cash registers no longer functioned due to what was dubbed an IT attack). This attack was orchestrated by REvil targeting managed service providers, in this case, Kaseya, and their customers in a massive supply chain attack. It is likely that in the future, cyberattacks will be used as a weapon, impacting high-profile retail chains. 

According to GlobalData market forecasts, global online retail sales are expected to reach approximately $5tr worldwide by the end of 2026. Covid-19 accelerated the trend toward shopping online, with many people stuck in lockdown globally. This online shift means that retailers are carrying more sensitive consumer data than ever before. The need to carefully protect and manage this data cannot be understated. Many global retail companies have experienced a data breach in the last decade and forked out millions in settlements as a result. Home Depot paid out a least $134.5m to credit-card companies in 2014 following a huge data breach that exposed the financial information of over 50 million customers. This was one of the largest settlements paid out in retail history. 

Security teams need to manage vast IT and OT systems to cope with more operations going online. It is not enough to perform manual checks. Security checks on IT and OT systems should also include automated, AI-powered systems. Hackers who manage to get hold of consumer data can deceive those same customers by creating phishing emails (e.g., fake online receipts) to lure them into downloading malware onto their devices and stealing personal and financial data. Employees must also receive training to manage online platforms and identify threats to the network.