Cybercrime and the retail industry: How to protect your shop

Superscript
22 July 2024

A version of this article was originally published in October 2021.

There may once have been a time when the only crime that retail businesses were particularly vulnerable to was shoplifting from physical stores. While this sort of theft in the UK has risen to the highest level in 20 years, sadly, this isn't the only threat facing UK retailers.

As technology advances and the world becomes increasingly digitally interconnected and technology-dependent, cybercrime is fast emerging as a major threat to retail.

The threat of retail cybercrime

A common assumption among the public is that cybercrimes such as hacking and ransomware only target large corporations and major institutions that can afford to pay significant extortion demands.

However, it's estimated that 46% of all cyber breaches affect companies with fewer than 1,000 employees. According to government statistics, an estimated 22% of UK businesses experienced a cyber attack in the last 12 months.

The world of cybercrime is fast-evolving, and even businesses that genuinely intend to secure their systems can lag behind the curve when it comes to being effectively protected. That lag comes at a cost. The National Crime Agency explains:

Cyber attacks are financially devastating and disrupting and upsetting to people and businesses. They undermine the economic stability of the UK and cost the UK economy millions of pounds each year.

So, what are the risks posed to retailers by cybercrime, and most importantly, what can you do to protect your business?

Point of sale (POS) attacks

What are POS attacks?

In an increasingly cashless age, one thing that just about all retailers have in common is the use of a card payment system, for both credit and debit cards.

Card payment systems may have streamlined the sales process, but they've also brought opportunities for cyber criminals to target retailers.

15% of people in 2024 no longer carry cash, with most transactions now paid by card. Online or in store, the point of sale exists in a digital space.

How can my business be affected?

Cyber criminals target card payment systems, both online and in store, to steal customers’ card details using a variety of methods, including:

  • Malware and spyware: Malicious software, usually delivered through a phishing email, that captures card details either on the till PC as cards are processed or on a shopper’s own computer as they shop online
  • Skimming: A low-tech method in which a criminal physically attaches a device to a point-of-sale terminal such as a card reader, copying the details of every card swiped or inserted
  • RFID skimming: Using the same near-field communication technology that enables contactless payment, criminals read data from cards in shoppers’ pockets and bags. A chip-based contactless card only gives up limited data this way (typically the card number and expiry date, not the security code, and never the keys the chip uses to approve a transaction), so the card cannot be cloned, but the details read can still be misused for some card-not-present fraud

Instore vs online threats

The COVID-19 pandemic saw a large-scale rush by businesses to move their retail sales online, with consumers staying away from bricks-and-mortar stores. As a result, online retail sales increased by 48% during the height of the pandemic.

At the same time, Techrepublic reported that cyber crime against retail businesses rose by 41% during this time.

Since the pandemic, we've seen a slow return to in-person shopping, with clothes being the biggest draw for customers to hit the shops. According to fashion retailer Julie Lavington:

Post-Covid, we’ve seen customers want to be able to shop everywhere. They want to go to stores, they want to shop online.

While it is easy to see some correlation between the rise in online shopping and the increase in cyber attacks against retailers, the threat of cyber crime is just as real for businesses that run physical stores, as it is for ecommerce retailers.

But there are certain differences between how in-store and ecommerce retailers should approach cyber risk mitigation.

Because of tactics such as card skimming and RFID skimming, bricks-and-mortar shops are particularly at risk of point of sale attacks, especially if the tills share an unsecured Wi-Fi network with staff phones or customer devices. Card terminals should sit on their own network, separate from any guest Wi-Fi, protected by a strong password and kept on current firmware.

Online ecommerce retailers, conversely, are more likely to find themselves at risk of ransomware extortion because of the more extensive digital structure needed to support an online store.

The larger an ecommerce retailer’s website and customer base, the more data exists to potentially be encrypted by criminals using ransomware.

Ransomware

What is ransomware?

In point-of-sale attacks that target card payment systems, the object of the attack is to steal data that is intrinsically valuable to the criminal, such as customers’ private card details.

With ransomware attacks, criminals use malicious software that encrypts a victim’s data, then demand an extortion payment in exchange for the key needed to decrypt it. Most ransomware groups now also copy the data before encrypting it and threaten to publish it if the ransom isn’t paid, so having backups removes only part of the extortion lever.

The data in question is often not directly valuable to the criminal, but is of such value to the business that owners are willing to pay for its release.

Why should I care?

There is a common misconception that ransomware is primarily an issue that affects large corporations and government-level organisations with the capital and insurance policies in place to pay eye-wateringly large sums to unlock their data. This, however, is not an accurate reflection of the ransomware threat.

According to Sophos’ State of Ransomware in Retail 2024 report, 45% of retail businesses were hit by a ransomware attack in 2024, with more than half of those attacks succeeding in encrypting their data.

The reality is that small businesses and retailers are routinely targeted by cyber criminals using ransomware, with a higher percentage of attacks successfully encrypting data of victims in the retail sector than in any other industry.

How can my business be affected?

The principal ways in which your retail business may become the victim of a ransomware attack include:

  • Removable media: Devices such as USB flash drives can be loaded with malicious software which, when plugged into a till or office PC, can deploy ransomware across your entire network
  • Remote desktop protocol (RDP): The protocol that lets IT staff or a till-support contractor log in to a Windows machine over the network. If RDP is reachable from the internet, criminals guess weak or reused passwords, log in as an administrator and deploy ransomware from there
  • Phishing: The most familiar route, in which malicious software reaches a machine, and from there the business’ whole network, via a link or attachment in a phishing email
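RDP password-guessing leaves a very recognisable trail, which makes it one of the easier ransomware precursors to spot. The Python script below is an added example written for this article, not part of the original text: it runs over a handful of constructed, simplified Windows logon records (event 4625 is a failed logon, 4624 a successful one, logon type 10 means RDP) and flags any source address with five or more RDP failures inside five minutes, noting whether a successful login from that address followed. The threshold, the window and the record layout are assumptions; a real deployment would read the events from the Security log or your log collector.

```python
"""Spot RDP password-guessing in Windows logon records.

Added example (not from the article). The records below are constructed,
simplified versions of Windows Security log events: 4625 = failed logon,
4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
THRESHOLD and WINDOW are assumptions to tune for your own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures from one address ...
WINDOW = timedelta(minutes=5)   # ... within this span trigger an alert

# Constructed records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2024-07-22T02:14:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-07-22T02:14:03", 4625, 10, "admin",         "203.0.113.7"),
    ("2024-07-22T02:14:05", 4625, 10, "till01",        "203.0.113.7"),
    ("2024-07-22T02:14:06", 4625, 10, "manager",       "203.0.113.7"),
    ("2024-07-22T02:14:08", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-07-22T02:14:10", 4624, 10, "administrator", "203.0.113.7"),  # the guess worked
    ("2024-07-22T09:01:00", 4625, 10, "shopowner",     "192.0.2.5"),    # a single typo
    ("2024-07-22T09:01:20", 4624, 10, "shopowner",     "192.0.2.5"),
    ("2024-07-22T09:30:00", 4625, 2,  "till02",        "127.0.0.1"),    # console logon, not RDP
]


def find_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: details} for addresses whose RDP failures hit the threshold.

    details = {"failures": count in the first window that crossed the threshold,
               "accounts": account names tried in that window,
               "followed_by_success": accounts that then logged in from the same address}
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, event_id, logon_type, account, ip in events:
        if logon_type != 10:            # only RemoteInteractive (RDP) logons matter here
            continue
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[ip].append((when, account))
        elif event_id == 4624:
            successes[ip].append((when, account))

    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_end = fails[end][0]
                alerts[ip] = {
                    "failures": count,
                    "accounts": sorted({acct for _, acct in fails[start:end + 1]}),
                    "followed_by_success": sorted(
                        {acct for when, acct in successes[ip] if when >= burst_end}
                    ),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} RDP failures trying {info['accounts']}, "
              f"later success as {info['followed_by_success'] or 'none'}")
```

A burst followed by a successful logon from the same address is the case to treat as an incident rather than noise: it means the password was guessed. Note that a single failure from a known address (the shop owner's typo) and a console logon failure on the till are ignored, which is what keeps the rule usable.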

What can retail businesses do to avoid risk?

Employee training

Unlike office-based businesses, small retailers may think that the nature of their business makes them less likely to be targeted by cyber criminals via email phishing.

Quite the opposite is true. Because small retailers are less likely to be adequately protected against cyber attacks, they're seen as easy targets for cyber criminals.

In social engineering attacks, cyber criminals rely on human error rather than a technical flaw. By impersonating suppliers, employees or other authority figures inside your business, they send phishing emails that, if a link or attachment is opened, can install malicious software (malware) on your systems, potentially compromising sensitive information.

Every business, however large or small, should routinely train employees to recognise the most common and recent phishing scams, as well as the tell-tale signs of a fraudulent email:

  • Requests for payment of an outstanding invoice or debt, or to change the bank details a supplier is paid into
  • Poor spelling or grammar and unprofessional language
  • Suspicious attachments
  • A countdown or time-limited sense of urgency (e.g. “You have 24 hours to provide this information or your account will be closed”)
  • A generic greeting, i.e. one that does not address you or your business by name
  • The email coming from an off-brand or incorrect address, or a link whose real destination (shown by hovering over it, or by long-pressing on a phone) differs from the text displayed
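Several of the signs above can be checked by a machine before a person ever sees the message. The Python script below is an added example, not from the original article: it parses two constructed messages with the standard library’s email module and flags the sender or link domains that imitate a known supplier (a lookalike spelling or a deceptive subdomain), a Reply-To that goes elsewhere, urgency wording, payment requests and a generic greeting. The KNOWN_DOMAINS allowlist, the phrase lists and both sample messages are assumptions made for the example; a real filter would load the allowlist from your supplier records.

```python
"""Flag the tell-tale signs of a phishing email that a machine can check.

Added example (not from the article). KNOWN_DOMAINS, the phrase lists and the
two sample messages are constructed assumptions for the demonstration.
"""
import email
import re
from email.utils import parseaddr

# Assumed allowlist: the shop's own domain and its regular suppliers.
KNOWN_DOMAINS = {"ourshop.example", "supplier-wholesale.example"}

URGENCY = re.compile(r"(within \d+ hours|immediately|urgent|account will be (closed|suspended)|final notice)", re.I)
PAYMENT = re.compile(r"(outstanding invoice|overdue|bank details|payment (is )?due|remittance)", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear (customer|user|sir/madam|valued customer)|hello,|hi,)", re.I | re.M)
URL_HOST = re.compile(r"https?://([^/\s>\"']+)", re.I)


def _domain(address: str) -> str:
    """'x@mail.example' -> 'mail.example' (lower-cased); '' if there is no @."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_known(domain: str, known=KNOWN_DOMAINS) -> bool:
    """A known domain, or a genuine subdomain of one (mail.supplier-wholesale.example)."""
    domain = domain.lower()
    return any(domain == k or domain.endswith("." + k) for k in known)


def lookalike(domain: str, known=KNOWN_DOMAINS) -> bool:
    """True if domain imitates a known domain without being one.

    Catches typosquats (suppl1er-wholesale.example) and deceptive prefixes
    (supplier-wholesale.example.billing-portal.net).
    """
    domain = domain.lower()
    if is_known(domain, known):
        return False
    return any(domain.startswith(k + ".") or _edit_distance(domain, k) <= 2 for k in known)


def score_message(raw: str) -> list[str]:
    """Return the warning tags raised by one raw (RFC 822 style) message."""
    msg = email.message_from_string(raw)
    tags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if from_dom and not is_known(from_dom):
        tags.append("lookalike-sender" if lookalike(from_dom) else "unknown-sender")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        tags.append("reply-to-mismatch")          # replies would go somewhere else
    body = "" if msg.is_multipart() else msg.get_payload()
    if URGENCY.search(body):
        tags.append("urgency")
    if PAYMENT.search(body):
        tags.append("payment-request")
    if GENERIC_GREETING.search(body):
        tags.append("generic-greeting")
    for host in URL_HOST.findall(body):
        host = host.split(":")[0].lower()         # drop any :port
        if not is_known(host) and lookalike(host):
            tags.append("lookalike-link")
            break
    return tags


# Constructed sample: a fake supplier invoice with a deceptive subdomain.
PHISH = """\
From: "Supplier Wholesale Accounts" <accounts@supplier-wholesale.example.billing-portal.net>
Reply-To: payments@mail-relay.net
To: owner@ourshop.example
Subject: Outstanding invoice 4471

Dear Customer,

Your outstanding invoice is overdue. Pay within 24 hours or your account will be suspended:
http://supplier-wholesale.example.billing-portal.net/pay
"""

# Constructed sample: a genuine message from the real supplier domain.
LEGIT = """\
From: "Dana at Supplier Wholesale" <dana@supplier-wholesale.example>
To: owner@ourshop.example
Subject: Re: delivery slot for Thursday

Hi Sam,

Thursday 10am works for us. Dispatch note is on the portal as usual:
https://supplier-wholesale.example/orders/8812
"""

if __name__ == "__main__":
    print("phish:", score_message(PHISH))
    print("legit:", score_message(LEGIT))
```

The domain checks do the real work: wording heuristics alone are easy to evade, but a sender or link domain that merely looks like your supplier’s is the lie the whole email depends on. Anything tagged lookalike-sender or lookalike-link should go to a person who phones the supplier on a known number before any payment is made.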

In a small retail business with only a handful of employees, it should be relatively easy to confirm if an email purporting to be from another employee is genuine, but this task becomes harder for larger shops or chains, with multiple branches and an online presence.

Vigilance is key and anti-phishing training can help reduce your retail business’ risk of exposure.

Insurance

As the owner of a retail business, there are several different types of insurance that can benefit your company and are designed to support you with the various risks associated with trading.

Whether it is the legal requirement of employers’ liability insurance, or product liability insurance to protect your retail business against compensation claims because of faulty or dangerous stock, many small retailers understand the value of comprehensive insurance.

Amongst the range of policies that retailers often take out to protect the whole of their business are:

  • Business contents insurance: designed to cover your electronic equipment on site, as well as your stock, against loss, theft or damage
  • Business interruption insurance: built to cover unexpected stoppages in your business activity, so your cash flow isn't affected by unforeseen downtime
  • Public liability insurance: designed to protect your business against claims made by members of the public because of injury or property damage in your retail premises

Policies such as these can go a long way to protecting your business, but we live in a digital world and this can present a large area of additional risk.

When it comes to cyber threats, many businesses see cyber cover as an unnecessary expense and are not adequately insured against the risk of cyber attack.

Research from Aviva found that just 17% of businesses in the UK have cyber cover, and that businesses are 67% more likely to have experienced a cyber breach than physical theft.

This lag between the threat posed and the number of businesses covered means that more and more small enterprises are at serious risk.

To counter this, Superscript offers an extensive cyber insurance policy, designed to cover any business that operates online or is otherwise exposed to the internet.

A cyber policy can protect your business for specific cyber risks, including:

  • Accidental privacy breaches
  • Business interruption
  • Hacking, extortion and ransomware
  • Lost income and restoring data
  • Malware
  • Denial-of-Service attacks
  • PCI DSS compliance
  • Cybercrime

Ensure you are PCI DSS compliant

As any shop owner who accepts card payments should know, there are stringent rules set out by the major card brands and maintained by the PCI Security Standards Council, known as the Payment Card Industry Data Security Standard (PCI DSS), designed to keep customers’ card details secure.

Breaches of the PCI DSS can lead to fines, passed on to you through your acquiring bank, of between £3,000 and £60,000, so actively ensuring your card system is secure can offer you and your customers peace of mind and potentially save you money in the longer term.

When it comes to ensuring your business is PCI DSS compliant, you firstly need to know which of the four merchant levels your business fits into (the thresholds below are Visa’s; the other card brands use similar but not identical figures):

  • Level 1: Businesses processing over 6 million card transactions annually
  • Level 2: Businesses processing between 1 and 6 million transactions annually
  • Level 3: Businesses processing between 20,000 and 1 million ecommerce transactions annually
  • Level 4: Businesses processing fewer than 20,000 ecommerce transactions annually, or up to 1 million transactions in total

Under this framework, most smaller retail businesses fit into level 3 or 4 and can validate their compliance by completing a Self-Assessment Questionnaire (SAQ). Which SAQ applies depends on how you take payments: for example, SAQ A if your online checkout is fully handed off to a payment provider, or SAQ B (B-IP for internet-connected terminals) if you use standalone card terminals that don’t connect to your own computers. Some SAQs also require a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV).

Level 2 businesses can also file a self assessment questionnaire, though some card brands require a qualified assessor’s involvement, while businesses in level 1 require an on-site assessment by a Qualified Security Assessor (QSA).

Back up data on alternative servers

In the case of a ransomware attack on your business, even with comprehensive cyber insurance in place to cover extortion payments, backing up your data is still hugely important.

Research has found that retail businesses that paid a ransom recovered, on average, only about three-fifths (60%) of the data that was initially lost.

Sophos’ report on ransomware in retail also found that around two-thirds (66%) of retailers whose data was encrypted managed to restore it from backups.

Businesses are recommended to keep at least two backups of their valuable data on separate systems, with at least one of them off-site and offline or otherwise unreachable from the shop network. Ransomware routinely encrypts any backup drive or network share it can write to, so a copy that sits permanently connected is not a safe copy. Test restoring from the backup regularly, because a backup you have never restored from is untested. That way, if your data is encrypted by ransomware, your business activities will be less likely to be disrupted and you can continue to trade.
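The Python script below is an added example, not part of the article, of the backup discipline just described: it archives a folder together with a SHA-256 manifest of every file, restores into a fresh directory and checks each restored file against the manifest. It then shows why a permanently connected “synced” copy is not enough: an archive taken after the tills were encrypted fails the same check. All paths are created under a temporary directory so it runs anywhere, and the shop files it backs up are constructed; the manifest format and file names are assumptions for the example.

```python
"""Back up a folder with a SHA-256 manifest and prove a restore works.

Added example (not from the article). Everything is created under a
temporary directory so the script runs anywhere; the shop files it backs up
are constructed. In practice the archive and manifest go somewhere the tills
and office PCs cannot write to (an unplugged drive, or storage that keeps
versions the shop's own credentials cannot delete).
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path, name: str = "shop-backup"):
    """Write dest_dir/name.tar.gz and dest_dir/name.manifest.json; return both paths."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    archive = dest_dir / f"{name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)      # hash taken from the live file
                tar.add(p, arcname=rel)
    manifest_path = dest_dir / f"{name}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path, restore_dir: Path) -> list[str]:
    """Extract the archive and list every file that is missing or differs from the manifest."""
    manifest = json.loads(Path(manifest_path).read_text())
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")   # blocks path traversal (Python 3.12+, backported)
        except TypeError:                                # older Python without the filter argument
            tar.extractall(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        restored = Path(restore_dir) / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != digest:
            problems.append(f"altered: {rel}")
    return problems


def demo() -> dict:
    """An offline backup restores cleanly; a synced copy taken after the attack does not."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"                                  # constructed shop data
        (live / "sales").mkdir(parents=True)
        (live / "sales" / "2024-07-22.csv").write_text("sku,qty,price\nA100,2,9.99\n")
        (live / "stock.json").write_text('{"A100": 48}')

        # 1. nightly backup to the offline copy, manifest written alongside it
        archive, manifest = make_backup(live, tmp / "offline")

        # 2. ransomware hits the live data (simulated by overwriting the files)
        (live / "stock.json").write_bytes(b"\x00encrypted\x00")
        (live / "sales" / "2024-07-22.csv").write_bytes(b"\x00encrypted\x00")

        # 3. restore from the offline copy and check every file against the manifest
        clean = verify_restore(archive, manifest, tmp / "restored")

        # 4. an always-connected "backup" synced after the attack fails the same check
        synced_archive, _ = make_backup(live, tmp / "synced")
        tainted = verify_restore(synced_archive, manifest, tmp / "restored-from-sync")

        return {
            "offline_restore_problems": clean,
            "synced_restore_problems": tainted,
            "restored_stock": (tmp / "restored" / "stock.json").read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest is the piece most small backup routines skip: without it you only learn that a backup is unusable on the day you need it. Keep the manifest with the offline copy, and treat any “altered” or “missing” line in a test restore as a reason to fix the backup job now, not after an incident.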
