How can retailers defend themselves against rising ransomware attacks?

A spate of cyber-attacks on UK retailers underlines the importance of having CIO-level talent in place.

M&S, Co-op and Harrods are among the retailers hit by cyber-attacks in recent weeks. The ransomware attack on M&S compromised personal data, disrupted contactless payments and brought online orders to a halt. It was six weeks until M&S could resume internet orders and it is estimated that the cyber-attack will hit profits to the tune of £300 million this year.

Co-op stores were still struggling with empty shelves weeks after a cyber-attack that prompted it to shut down some of its IT systems to contain the damage after the theft of some customer and employee data. It has been a torrid time for those wrestling with the fallout.

Unfortunately, major cyber-security threats continue to increase. Research points to a doubling in the number of disruptive and destructive global cyber-attacks over a four-year period.

The National Cyber Security Centre warned in response to the wave of incidents impacting retailers: “Criminal activity online – including, but not limited to, ransomware and data extortion – is rampant. Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared.” 

Investment in senior tech talent is a critical aspect of cyber-defence. Organisations should ensure they have a CIO or CISO in place to help keep attackers out, or to contain any damage and lead the response and recovery should defences be breached.

In an illuminating article earlier this month, Professor Alexander Evans, Associate Dean of the LSE School of Public Policy and former Director Cyber in the Foreign Office, called for a new approach to corporate governance on cyber. He lamented the fact that CIOs or CTOs are rarely board members or on Executive Committees, an omission which makes little sense given the scale of financial, operational and reputational risk linked to cyber-attacks.

Professor Evans posed an interesting question. Should the UK mandate a new board-level obligation for all medium and large firms in the form of a Chief Cyber Risk Officer (CCRO)? 

We certainly concur on the wisdom of bringing more cyber expertise into the boardroom. Organisations should fully appreciate the risks they face and be well-prepared to respond.

One of our interim candidates – let’s call him or her Sam – was IT director at a UK retailer several years ago when it suffered a ransomware attack. The problem came to light when warehouse staff were unable to access their PCs. Instead, they were confronted with a ransom demand for $3 million in bitcoin.

The business could still take online orders but was not in a position to fulfil them. And in the early stage of the attack, it was hard to get a handle on the extent of the infiltration.

“The only way that cyber criminals can infiltrate is because people are the weakest link,” says Sam. “Once they find that first route in, they basically will keep elevating their mission, their administration, access and the privileges, because they find people logging in that they can exploit. You can put whatever security software in place that you want, criminals will find a way around it.”

Sam brought in external help on forensics and cloud migration. One set of daily incremental back-ups was found to have been encrypted by the ransomware. This set was destroyed and the rest of the backed-up data was protected by being disconnected from other systems. Thankfully, the team was able to get the systems up and running again without paying a ransom. But there was still a lot to do.

“It's not just about the recovery of the systems,” says Sam. “It's also about making sure what was lost or not lost during that period of time, because that could have a big financial impact in terms of ICO fines for data breaches.”

Sam offers two important pieces of cyber-security advice. First, ensure you have off-site backups that you can recover from. Second, secure your FTP connectivity with your suppliers – some legacy systems may be vulnerable because their only protection is a username and password, which may not have been changed for years!

Attacks on retailers by cyber criminals are escalating. CIO talent will often make the difference between a good or a terrible outcome.

By Daniel Wood and Zoe Wakeham