SentinelOne will be attending the Retail Risk conference in London on March the 23rd
The Retail Risk conference series is attended by more retail risk and loss prevention professionals, around the world, than any other. Since its inception 14 years ago Retail Risk – London has become a mecca for senior retail risk and loss prevention professionals and is firmly established as the biggest retail risk and loss prevention conference in Europe.
In addition to exhibiting, SentinelOne will be delivering a Masterclass session where we will outline some of the current threat tactics in the retail space and disclose some of the cybercriminal activity, under the Chatham House Rule. The recently created advert below is for a stolen credit card information website and reflects the speed at which criminal gangs are able to adapt to change and circumstance.
The retail sector has gone through an enormous learning curve in how to deal with the risks from the incredible levels of cyber-attacks it faces. Cyber risk is now the principal risk in the retail space, according to bdo.com in their 2016 retail risk report. Other surveys of retail companies record huge increases in budget to deal with the escalating problem. The PwC retail report found, on average, a 67% increase in cyber security spending, taking the retail sector from rudimentary security implementations to boardroom-led security based on best-practice risk management, with sophisticated continuous vigilance technology planned by many of the top retailers. These findings are mirrored by the activity of the UK's leading retailers.
Tesco is strengthening its data-related controls as part of a significant IT security improvement program. The strengthening includes enhanced information security policies and governance, review of defense measures against attacks and continued migration away from unsupported systems. A Group-wide, comprehensive privacy compliance program is being developed, which covers governance, risk assessment, policies and processes, training, incident management, monitoring and review. This is designed to drive the right behaviours and ensure obligations are met with regard to the handling of personal data.
Over at Kingfisher, directors are briefed on cyber risks at board and committee meetings. The Kingfisher board recognises that cyber-crime continues to be a threat to all businesses and has ensured that additional investment has been made during the year with the recruitment of a Chief Information Security Officer, the building out of the IT Security team and additional capital expenditure on the information security infrastructure to upgrade and strengthen systems. Cyber risk will continue to be reviewed by the committee at least bi-annually.
The appointment of CISOs in retail to bridge the gap between IT and business is becoming increasingly common.
In April 2015, Sainsbury's appointed a Chief Information Security Officer to further develop the Information Security Strategy and build the necessary capability to deliver against that strategy. A Data Governance Committee is established and is supported by focused working groups looking at the management of colleague data, customer data, information security, commercial data and awareness and training. Senior appointments have been made into new roles specifically focused on Data Governance and Information Security. Various information security policies and standards are in place which focus on encryption, network security, access controls, system security, data protection and information handling.
However, it's not just the level of threat activity driving the investments in risk management strategies; the potential for high fines from looming new laws is also forcing boardrooms to address cyber security risks.
Morrisons believes that increased regulation and financial penalties, in addition to increased incidents of cyber-attacks on corporates, have led to the increase in this risk. They have an Information Management Steering Group which has the responsibility for overseeing data management practices, policies, awareness and training; information security policies and procedures are in place, including encryption, network security, systems access and data protection; and this is supported by ongoing monitoring, reporting and rectification of vulnerabilities.
The market leaders are already planning for GDPR.
Boots are no stranger to cyber threat and regulatory concern, and they highlight that the regulatory environment surrounding information security and privacy is increasingly demanding. For example, in May 2016 the General Data Protection Regulation was formally published in the Journal of the European Union and comes into effect in May 2018. Complying with these and other changing requirements could cause Boots to incur substantial cost. They deploy a layered approach to address information security threats and vulnerabilities designed to protect confidential information against data security breaches.
With a best practice approach to security, they are aware that measures may be undermined due to the actions of outside parties, employee error, malfeasance, or otherwise, and, as a result, an unauthorized party may obtain access to data systems and misappropriate business and personal information. Because the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may not immediately produce signs of intrusion, they may be unable to anticipate these techniques or to implement adequate preventative measures. Any such breach or unauthorized access could result in significant legal and financial exposure, damage to reputation, and potentially have a material adverse effect on business operations, financial condition and results of operations.
This is enlightened reasoning by Boots. Layered security and constant vigilance are required to reinforce the investments in their preventative measures, which may or may not be adequate at anticipating the type of intrusion at the time of intrusion.
Check out our whitepaper on how “Retailers are undergoing a transformational shift in how they store, access and protect customer records and transactions.”
Make sure to stop by the SentinelOne masterclass to find out about the diverse threat vectors causing unauthorized access in the retail sector.