If there is one key take-away from the pandemic as far as customer-facing businesses are concerned, it is the absolute necessity to be prepared for rapid and significant change.
With retailers' doors closing almost overnight and then re-opening again at short notice, many organisations suffered irreparable damage and were forced to close permanently.
So how can having a strong resilience plan that supports retail organisations help, and what does it have to do with security?
Security planning must cover both cyber and physical threats
Securing estates, both physical and cyber, is at the core of retail security. However, as there has been a stark increase in online sales (and especially via retail apps – up 55% since January 2020), many businesses have been forced to turn their attention not only to physical stock but to their organisation from a cyber perspective as well.
As with any risk management exercise, assessing the risk to assets must include those that have the potential to be impacted by cyber-attacks. The impacts can include loss of key personal data, theft of intellectual property, or Denial-of-Service attacks, which can cause significant service disruption (and therefore financial loss). There are many resources available to businesses of all sizes, and a core priority for the National Cyber Security Centre is to make these resources as accessible as possible to all organisations.
According to the British Retail Consortium in their 2021 Retail Crime Survey:
“Just under 40% of retailers regard cyber attacks as a top three issue. Since 2017 nobody has reported a decrease in attacks and over the last year 54% reported an increase.” (https://brc.org.uk/news/operations/crime-survey-2021)
Cyber-attacks on all areas of retail – including the supply chain and distribution routes – are on the increase, and yet 60% of surveyed retailers do not consider cyber-attacks a priority. This must change if there are to be effective resilience plans in place for the immediate future.
Assessing a different type of risk
Human-operated ransomware attacks are one of the fastest-growing threats to the retail industry. Traditionally, these ransomware attacks were targeted at organisations who had significant available resources and funds to ‘pay off’ those posing a threat.
Since the focus of retail has shifted through the pandemic to digital markets, click-and-collect operations, and online applications taking orders and managing accounts, it is the small and medium-sized businesses that are now faced with targeted ransomware attacks designed not only to cause disruption of services but also to profit from the organisation targeted.
Robust risk assessment methodology brings into the open the many ways an organisation can be damaged and seeks to create a clear route to mitigating these risks.
Risk in retail security primarily focuses on loss prevention, but it should now also consider the threats as they present themselves mid-pandemic and as we move into an era where change can occur almost instantly and unexpectedly – and it is the retail sector that has experienced this more than most. It is not irresponsible to assume this will continue for the years to come.
Appropriate training is essential
Training retail workers on areas of retail security that directly affect them will help to support loss prevention plans. But how effective will the training be without the learner having the chance to put into practice – in a safe environment – what they have learnt? How often are theoretical operating procedures tested in situ?
This is a key area that retailers should focus on when putting their plans in place – the practical application of theory learnt during training. This is not limited to staff working in-store; it is also essential for electronic systems to be tested on their ability to protect the assets they are designed to hold.
With the emergence of virtual learning and the development in technology for online learning, staff across all levels and locations can now benefit from training in a flexible way, enabling more people to gain the essential knowledge and skills they need to meet the requirements of their business.
If training is driven by the needs highlighted during the risk assessment and management process, then the organisation is demonstrating its proactivity and its ability to safeguard staff, reduce the risks to the business, and help to develop a growth mindset within the team. This is all enhanced when the training delivered is engaging, relevant and specific to the sector and the particular issues experienced within that sector.
Looking ahead
The landscape for the retail sector looks positive, turbulent, and full of opportunity. The requirement to engage with consumers, offer convenient ways to browse and purchase, and do so securely has never been greater. That said, all the ‘traditional’ challenges of theft, insider threat, supply chain issues, product competition and a fluctuating economy remain – so where do security managers go to develop their security strategy to meet these challenges?
Security membership organisations such as the Security Institute exist to support the security sector and to inspire, guide and develop those within security roles, making resources available for them to use. These include best-practice guidance, legislative changes, and insight into events on the horizon that may affect the security sector.
It is the progressive, forward-thinking security manager who understands their responsibility to keep up to date with the ever-evolving retail security threat landscape in order to maintain best practice and security strategy.
– Sarah Hayward-Turton, Director of Sales and Marketing, PerpetuityARC Training