The Challenges of Retail Cybercrime: Government-industry collaboration is key
The rise of cybercrime is now widely recognised as a major threat to both the economy and national security.
Whilst the National Crime Agency (NCA) has previously acknowledged that ‘the true scale and cost of cybercrime in the UK is unclear at present’, the Office for National Statistics recently estimated that 5.8 million incidents of fraud and computer misuse were experienced by adults in England and Wales in 2015/2016.
It is a serious issue for the UK retail industry, with 94% of those responding to the latest BRC annual crime survey stating that the overall number of cyber breaches is either increasing or remaining the same. Types of online fraud and cybercrime are extremely varied and include ‘phishing’ and Distributed Denial of Service (DDoS) attacks.
Impact on retailers
The challenge that retailers face is not limited to financial harm. High profile data breaches, such as those experienced by the major U.S. retailers Target and Home Depot, have shown the reputational damage that can be caused when cyber criminals are successful. Indeed, certain retail industry characteristics may mean that the industry is particularly attractive to hackers and cyber criminals: the increasing volume of personal data that consumers appear willing to share with retailers (and vice versa) is one notable dynamic. The security challenges that arise from the industry’s highly diverse, transnational supply chain, and from an industry characterised by such a large number of employees, are also increasingly well understood.
Retailers also need to adopt ever more sophisticated technological solutions to remain competitive, with innovation introduced at such a speed that it presents challenges for those responsible for ‘designing in’ security measures. The potential implications for security of the dawn of the internet of things, for example, have arguably only just begun to be considered. The promised longer-term benefits that autonomy might bring to an improved customer experience similarly have the potential to challenge retail security practitioners in completely new ways.
Cyber attacks on the retail industry are doubly damaging in that there are two sets of victims in crimes of this nature – both the customers (whose data is stolen) and the retailers themselves. The frequent calls that companies ‘must do more’ to protect their customers, whilst well-intentioned, often fail to recognise that retailers are themselves the victims of what the Director of GCHQ has referred to as ‘industrial scale’ criminality.
It is evident that any effective strategy to tackle cybercrime must be nimble and also involve strong cooperation between industry and the authorities – as ministerial speeches repeatedly insist, neither government nor industry can achieve this on their own.
In short, cooperation between the public authorities and the retail industry is an absolutely core component of UK cyber security.
It is against this backdrop that the creation of the UK’s new National Cyber Security Centre (NCSC), planned for launch in October 2016 and intended as a comprehensive source of advice for industry and as the body that manages cyber incidents, should be warmly welcomed. For many years, sectors including the retail industry have actively encouraged the Government to simplify the UK’s cyber security structures, especially those intended for public-private cooperation. Whilst ambitious, the stated aim of the NCSC to become ‘a single point of contact for the private and public sectors alike’ is a promising development.
If the NCSC and other organisations have much to do to strengthen public-private cyber security cooperation in the UK, what should the immediate priorities be? Firstly, all concerned parties should revisit the basis of their partnership arrangements, and seek to develop a strong, mutual understanding of the challenges faced by both the public and private sectors in delivering cyber security today. All too often, not least as a result of their respective resourcing constraints in the present economic climate, industry and the law enforcement community can ‘talk past each other’ in their understandings of what ‘partnership’ means. For the police, there appears to be a focus on encouraging industry to do more to protect itself. For many retailers, there is confusion around why so many of the crimes they report seem to attract so little follow-up attention.
Developing a more honest understanding of the respective capabilities and priorities of both the state and the retail industry in this space will be essential to ensuring that any deficiencies in current engagement can be overcome. In the absence of such a renewed effort, it is unlikely that a realistic, more pragmatic type of cooperation will be able to ensue.
Secondly, there should be a major strengthening of the national framework under development for the reporting of, response to, and recovery from cyber security incidents in the UK. In the view of the retail industry, the new NCSC offers a major opportunity to begin to plot out an improved way of handling major cyber incidents affecting the industry. Aware that the proposed NCSC and the law enforcement community possess different powers, the retail industry would welcome clarity, as an urgent priority, on the interrelationship between the NCSC and the UK policing sector, and on how industry can work with both. Keen to bring its own resources to bear on the partnership elements of this challenge, the industry wishes to engage actively with the work of the new centre, which clearly presents a unique opportunity to begin to develop a more coordinated approach to public-private cooperation for UK cyber security.
Hugo Rosemont, Crime and Security Policy Adviser, British Retail Consortium (at time of writing)