Strengthening Retail’s Resilience Against Ransomware

By Ashok Rutthan, Chief information security officer at Massmart

Organizations of every size and sector are experiencing a rising tide of ransomware attacks, resulting in the collective global loss of billions of dollars and untold brand damage. Leaders are learning first hand the ways ransomware has become a scourge on smooth operations and financial well-being. Nowhere is this more true than in retail, where ransomware represents a unique set of challenges and risks. For retailers, becoming more resilient in the face of ransomware is paramount.

Why Ransomware Presents Significant Challenges for Retail

In contrast to most industries, retail organizations are multi-site and multi-channel in nature, which means there are many more points of entry for ransomware attacks. Retail operation also embodies an extraordinarily diverse set of endpoints, above and beyond traditional computer endpoints, such as item-level RFID-based packages and pallets, vehicle-mounted computers, handheld scan-based computers, smart shelves, IP cameras and more. It’s a massive surface to protect.

Additionally, retailers are challenged by the fact that many employees using technology devices and services are non-technical staff. In fact, that’s often a retailer’s weakest point—its own user base. Retail employees are there to sell the candy, clothes, or canned food, not be IT or InfoSec specialists. So retailers have the challenge of properly training a large number of full-time, part-time and seasonal staff, to ensure every employee is aware of risks and how to avoid them.

But probably the single biggest factor that makes ransomware a challenge in retailing compared to other industries is retailers’ single-minded focus on our consumer. We are well aware of what happens when a ransomware attack compromises consumers’ identity and other personal, private information. Once we retailers lose a customer for any reason, they’re likely to be gone for a long time. Not only that, but we lose that customer to a direct competitor, making it a double hit. Even if we are fortunate enough to regain customers’ trust, doing so is an expensive re-acquisition effort; it’s well documented that regaining a lost customer costs many times more than acquiring a new one.

Add to all of these considerations a stark fact: Retailing is tied with public education as the industry most targeted by ransomware attacks. According to research from Unit42, the average business downtime caused by a ransomware attack in 2021 is 23 days, and the cost of downtime is estimated at 50 times the initial ransom demand.

How Retailers Can Become More Resilient Against Ransomware

First, it’s essential that retailers practice their responses to an attack; our company continuously does tabletop learning exercises. What you often discover in those exercises is that members of your executive team or board may need to be educated on cybersecurity technology and best practices.

This c-level education is important, but it’s also challenging. There are a thousand things going across executives’ minds at any moment in time—strategy, operations, running the business. When you bring something as technical as cybersecurity to top leaders, they may simply shut down because of everything else on their minds. This is an important communication challenge to overcome. You can do it by speaking the language of business.

Beyond educating your leaders on good cyber hygiene, ensure they understand the impact of a ransomware attack on the business. That understanding helps to drive greater investment— figuratively and literally—because they know the true cost of a breach. One thing that all executives and board members understand is the concept of risk, so I like to lean into that bias by helping them understand their responsibility in the event of an incident. Once they see everything in a familiar risk context, they often instinctively ask, “What can I do to help you?”

It’s also important for leaders in your organization not to fall into a false sense of comfort and think the information security team or the IT organization has it all covered. It’s not. We are there to make sure the organization, employees, business partners and customers are protected. We are there to manage an incident when it occurs, and to do everything we can to spot problems before they pop up. But we cannot do it alone.

Everyone must be appropriately trained to understand ransomware and other cyber threats, and act appropriately. Each employee in the retail organization, from store operations and merchandising to shipping and receiving, must understand that they play a key role in promoting cybersecurity best practices and stopping ransomware from getting inside the walls. This kind of training should be delivered in small snippets and nuggets, short videos and email so you don’t lose the audience. And repetition is key. Everyone needs to know what happens when they take a risky action like clicking on a spam email link, and how to report it when they discover a risk. In the event of a ransomware attack, there are critical decisions to be made, and one of our key jobs as security leaders is to ensure that the C-suite and the board are ready to act.

5 Considerations for Ransomware Defense Strategies

There are five key elements to understanding the impact of a ransomware breach on a retail organization.

1. What is the downtime that is going to occur throughout the organization at headquarters, in the stores and in the supply chain? If your point-of-sale system is down and you have hundreds or thousands of stores, there’s no way you can go to manual processing. Customers are going to leave the stores, and they may not come back for a long time. When everything takes place on a digital platform, the operational impact of downtime must be calculated before a breach even happens.
2. How long can we withstand the impact of downtime? Revenue will be lost, reputation will be damaged. Also, an attack is going to impact associates’ productivity, but we still have to pay these associates.
3. Lost opportunities with our customers. If you can’t service a customer, they’re going to your competitor. If they get great service there—and when your competitor discovers why the customer has left your store and gone to theirs, they will get great service—you’re going to lose that customer for a long time.
4. What are the bad actors asking for? Is it a nuisance attempt, maybe a small amount (initially)? Or are they asking for a million dollars?  You’ll need to determine what will cost you more in the long run: paying the ransom now, or not paying the ransom?
5. Customer confidence is the key. Simply put, customers who are not confident that you will treat their personal information safely and securely will likely walk away. If you lose a customer’s confidence, you’ve lost the customer.

Retailers should acknowledge and accept that their organizations are highly likely to be confronted with a ransomware attack at some point in the near future. While that doesn’t mean the attack will be successful, it means you have to operate with an understanding that you need to have a plan, you need to practice that plan, you need to train your employees and you have to give your C-suite board all the information they need to make the right decision for the organization.

Read more on ransomware trends in this Unit 42 report.

About Ashok Rutthan:

SRT guest author, Ashok Rutthan, is chief information security officer at Massmart, a major retailer and wholesaler based in South Africa.