TECH RISK RADAR


We do 10% of our shopping online – e-retail in the UK is now a £32 billion business¹, a lucrative target for organised crime. According to the British Retail Consortium, that crime cost retailers £205 million in 2011–12.

So just how seriously are retail firms taking cyber security?

When the government surveyed² the FTSE 350 chairmen last year, they found that 64% in the retail sector rated their company as responding to cyber threats ‘quite well’ or to an ‘excellent’ standard. At the same time, 59% of respondents were ‘anxious’ or ‘very anxious’ about their company’s approach to cyber risk – a mixed message.

Perhaps this reflects the relative maturity of cyber security within the retail sector. In 2012 the retail sector spent a scant 3.8%³ of its IT budget on security, and while last year this rose to 6%, retail still spends less than any sector in the UK economy.

¹ http://www.brc.org.uk/brc_stats_and_facts.asp
² FTSE 350 Cyber Governance Health Check Tracker Report, November 2013
³ Department for Business Innovation & Skills 2014 information security breach survey




The retail threat landscape consists of a growing range of denial of service attacks aimed at online retailing web sites, sophisticated attacks on electronic point-of-sale (EPOS) terminals, and a smaller number of attacks aimed at e-retail web sites.


The Target breach has raised the profile of EPOS malware. Malware such as Dexter and Black POS is now widely available, and criminals are demonstrating growing sophistication, moving from simply scraping payment card details from the memory of an EPOS terminal to a wider range of information collection, including keystroke logging.


Securing e-retail web sites is challenging. Major breaches have disclosed millions of customer login and password records. People tend to reuse passwords, and many UK e-retail sites remain lax in accepting simple passwords or fail to lock accounts despite multiple failed login attempts. Fake websites masquerading as legitimate retailers are commonplace, and criminals are increasingly adept at promoting these fake web sites in search engine results.
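The two account-level controls mentioned above (refusing simple passwords and locking an account after repeated failed logins) are small to implement, so here is an added example of both, written for this page and not taken from KPMG or from any retailer's code. The policy values (five failures in ten minutes, a fifteen-minute lock, twelve-character minimum) and the short common-password list are assumptions for illustration; state is kept in memory, where a real site would share it across web nodes.

```python
"""Login throttling and a minimal password policy for an e-retail site.

Added example, not KPMG's code. It demonstrates the two controls the article
says many UK e-retail sites lack: locking an account after repeated failed
logins and refusing simple passwords. State is kept in memory; a real site
would share it across web nodes (e.g. in a cache or database).
"""
from dataclasses import dataclass, field
import time

# Policy values are assumptions for illustration, not figures from the article.
MAX_FAILED_ATTEMPTS = 5           # failures within the window before locking
ATTEMPT_WINDOW_SECONDS = 10 * 60  # sliding window over which failures count
LOCKOUT_SECONDS = 15 * 60         # how long a locked account stays locked
MIN_PASSWORD_LENGTH = 12

# Constructed stub of a common/breached-password list; production code would
# load a real list (millions of entries) rather than this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}


def password_is_acceptable(password: str, username: str) -> bool:
    """Reject short, common, or username-derived passwords."""
    lowered = password.lower()
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if lowered in COMMON_PASSWORDS:
        return False
    if username.lower() in lowered:
        return False
    return True


@dataclass
class AccountState:
    failed_at: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                      # epoch seconds; 0 = not locked


class LoginGuard:
    """Per-account lockout keyed on the username the client supplied."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so behaviour is testable
        self.accounts = {}

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username.lower(), AccountState())

    def is_locked(self, username: str) -> bool:
        return self.now() < self._state(username).locked_until

    def record_failure(self, username: str) -> bool:
        """Count a failed login; return True if this one triggered a lockout."""
        st, t = self._state(username), self.now()
        # Drop failures that fell out of the sliding window, then add this one.
        st.failed_at = [x for x in st.failed_at if t - x < ATTEMPT_WINDOW_SECONDS]
        st.failed_at.append(t)
        if len(st.failed_at) >= MAX_FAILED_ATTEMPTS:
            st.locked_until = t + LOCKOUT_SECONDS
            st.failed_at.clear()
            return True
        return False

    def attempt(self, username: str, password: str, verify) -> str:
        """Run one login attempt. `verify(username, password)` checks the
        credential against the user store. Returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(username):
            return "locked"   # do not evaluate the password while locked
        if verify(username, password):
            self.accounts.pop(username.lower(), None)  # success clears history
            return "ok"
        self.record_failure(username)
        return "failed"


if __name__ == "__main__":
    # Constructed user store for the demo; a real store holds password hashes.
    users = {"alice": "correct horse battery staple"}
    guard = LoginGuard()
    check = lambda u, p: users.get(u) == p
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(guard.attempt("alice", "wrong", check))   # 'failed' five times
    print(guard.attempt("alice", users["alice"], check))  # 'locked'
```

Two design points worth noting. Locking purely on the supplied username means anyone who knows a customer's login name can lock that customer out, so production sites usually pair this with per-source-address throttling or progressive delays rather than a hard lock alone. And the `locked` response is returned before the password is checked, so the server does the same work whether or not the password was right and does not leak which it was.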


Last of all, retailers are collecting increasingly large volumes of customer data as they look to extract value through analysis of shopping patterns, loyalty card use or web site interactions. There are risks in doing so, not just of compromise by a hacker or criminal group, but also of accidental data loss. Privacy concerns are growing post-Snowden, and we can expect the penalties for data disclosures to increase, as well as legal requirements for notification of affected customers.


© 2014 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

