Cyber attacks targeting businesses are on the rise globally, with an estimated 50% increase in 2021 compared to 2020.
This should be of concern to the more than 130,000 retail companies across Australia which, according to PwC, contribute more than $300 billion in revenue to the Australian economy annually. Even more concerning is the focus of cybercriminals on the retail and fast-moving consumer goods (FMCG) sector, a problem that exacerbates the challenges already created by delays within the supply chain.
What can companies in this sector do to mitigate risk?
Higher risk environment
Like all Australian organisations, companies in the retail and FMCG sectors need to be on high alert for cyber attacks. They should advise staff to take extra care and be on the lookout for any suspicious cyber activity.
The Australian Cyber Security Centre (ACSC) recommends that organisations adopt an enhanced cyber security posture following the Russian invasion of Ukraine. The ACSC raised its alert status to High and warned of an increased threat of malicious cyber activity that may affect Australian organisations through business interruption or uncontained malicious cyber activity.
Targeting the retail sector and FMCG
One of the reasons this sector is targeted is the vast amount of customer data that is stored, which often includes financial information. This means that cyber attacks can affect more than just business operations. They can create a privacy risk, which can lead to potential third-party liability and reputational damage when an incident occurs. This risk is heightened by COVID-19, with nearly nine in 10 Australian businesses adopting new technology to support business continuity during a sharp rise in online shopping and working from home.
Another reason this sector is being targeted, possibly the biggest risk in the sector, is the reliance on interconnected supply chains. The interruption of one part can have a chain reaction. This risk is increased by the fact that while steps can be taken within a company to ensure the best possible cyber security standards, business operations can be significantly affected by cyber attacks against third parties.
Cyber attacks in the sector
The retail and FMCG sector has suffered some of the largest and most impactful cyber attacks experienced in Australia. Some examples of how cyberattacks have affected the sector include:
- supply chain attacks, where a key cog in the supply of goods is affected, causing a domino effect that significantly disrupts the business operations of multiple companies that depend on the affected company;
- attacks against software vendors, affecting the business operations of companies that rely on the targeted software or as a means of launching a more significant attack;
- attacks on automated ordering systems, requiring manual processing of orders, additional costs to be incurred and leading to product shortages;
- attacks on general IT systems, rendering staff unable to use their computers, materially affecting business operations;
- theft of customer data leading to ransom demands or to the data being published online; and
- data breaches that give rise to a legal obligation to notify affected individuals and the Office of the Australian Information Commissioner (OAIC), and potentially other regulators.
Depending on the size of the business and the severity of the incident, cyberattacks can cost businesses millions of dollars to recover from. They can also have a significant impact on a company’s reputation.
Therefore, it is imperative that companies in this sector understand how a cyber attack could affect their business.
In 2021, the ACSC published guidelines to help companies identify supply chain risk. The ACSC recommends that organizations assess the following risks:
- foreign control or interference – includes foreign governments that control or interfere with businesses in the supply chain;
- bad security practice – includes the cyber security standards of third parties in the supply chain, how those third parties handle cyber incidents, and how they manage their employees;
- lack of transparency – includes whether third parties share information about penetration tests on their networks, whether contracts address cyber security standards or give a right to audit, and whether there are product delivery guarantees; and
- access and privileges – includes what access and privileges a third party holds in connection with the goods or services it provides, whether delivery of the goods or services relies on the internet, and where data is stored.
Retail and FMCG companies should discuss these risks with their internal and external IT and legal advisors. While risks cannot be eliminated, it is important to take steps to mitigate the impact these risks can have on business operations and customers.
Considering the current cyber climate and the alert from the ACSC, there has never been a more important time for companies to reassess and strengthen their cybersecurity processes.
Here are some key tips that all Australian organisations, including those in the retail and FMCG sectors, should adopt to strengthen their cyber security.
- Develop a culture of cyber security in your workplace through employee training. Make sure your employees are trained to identify cyber risk, particularly phishing emails and malicious links or documents that arrive via email, and know how to escalate suspicious emails to the IT department or vendor. Run regular cyber security training and encourage a 'trust nothing by default' attitude when opening attachments or links from unexpected sources and when anyone asks for sensitive information.
- Have an updated and tested incident response plan. The plan should include step-by-step guidance on what to do if a cyber attack or data breach is suspected, including who to contact in technical support and which lawyer to call, and it should be tested in tabletop exercises or simulations. If the attack could give rise to liability, your lawyer should be able to advise you of your legal and regulatory obligations in the circumstances. Involving your lawyer early may also help preserve legal professional privilege over the investigation should proceedings be brought against your company later.
- Implement recommended network security hardening, including at least the ACSC's 'Essential Eight' (application control, patching applications and operating systems, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, multi-factor authentication and regular backups). Basic, common-sense cyber security of this kind can materially reduce the legal risk associated with an incident. Beyond the Essential Eight, a properly configured firewall and, ideally, endpoint detection and response also help. Discuss this with internal and external IT experts and resources.
- Understand your notification obligations under privacy legislation and under contracts with companies in the supply chain. Before an incident occurs, prepare a schedule that sets out the notification obligations owed to each party in the supply chain. This way, if an incident occurs, you do not have to review every contract in the middle of a crisis.
- As a last line of defence, if it has not already been purchased, consider cyber insurance. Among other things, cyber insurance can provide cover for remediation costs following an attack or data breach, incident response costs, the cost of vendors providing legal, regulatory and reputational advice, and business interruption losses. Talk to your insurance broker or lawyer about what is required to obtain cyber insurance and to comply with the terms of any cyber insurance policy.