Skip to content Skip to footer

Loading Results

Retail Outlook 2021: Cyber Security

How consumer-facing businesses can build better resilience, manage evolving risks and improve agility

COVID-19 has forced customer-facing businesses to rapidly embrace new digital ways of working and channels to market. Many have benefited from this forced experimentation and are now looking to make them a permanent part of their strategy. But with those changes come new digital challenges and risks, which require a new approach to cyber security.

What have we learned in 2020? 

1. Unexpected change will come

Last year showed us that change might happen at various speeds, but it can’t be stopped. COVID-19 forced rapid, permanent changes to the way we live, work and interact, and it also showed the importance of being open-minded and agile.

Almost overnight, we saw non-essential retailers close and sales move predominantly online, factories move to skeleton staff, and back-office functions move to remote working. This then flipped again once lockdown restrictions were lifted. It was paramount for consumer-facing businesses to secure their digital estates, particularly as the way they used them had been changed, and we saw many rapidly improve cyber security to reduce their risk of attack.

Integrating agility and flexibility around cyber security has become - and will remain - important for consumer-facing businesses this year. Cyber security strategy must become a business priority in 2021.

2. Digital channels becoming the primary route to market 

As lockdowns and tier restrictions closed non-essential physical stores, people moved online to meet their shopping needs, with click and collect and direct-to-customer becoming saviours for many businesses. In the run-up to Christmas, for example, 70% of shoppers bought online - significantly higher than the 55% in 2019 and 53% in 2018. Pureplay businesses saw huge growth while those with less sophisticated - or nonexistent - online presence struggled.

Changes in consumer behaviour bring new cyber threats, and a need to think differently about security. Our recent research shows that the shift to greater digitalisation has had a knock-on effect on cyber security strategy. Nearly all respondents (96%) have shifted their cyber security strategy due to COVID-19, with 50% of UK organisations agreeing that cyber security will now be baked into every business decision.

3. Evolving threats

Cyber threats have become increasingly sophisticated as opportunities become more readily available and financially viable. It’s no longer just rudimentary phishing scams that businesses need to be aware of. 

Theft of customer data has long been a significant concern for consumer businesses, but the pandemic also brought a need to pivot to online or invest in digital channels, apps and other technologies to remain competitive. And that change has meant the risk they face from a cyber security perspective has increased further.

With human-operated ransomware attacks now one of the top priority cyber threats facing organisations, consumer-facing businesses must know how to defend against these new types of risk.

Actions to take in 2021

Make agility essential

With such an unpredictable pace of change, organisations need to be agile around any cyber security strategy. For example, do they need to think about what security looks like in-store for sales assistants, or remote working for customer service reps, or security for manufacturing plants? 

Much of that responsibility may rest with the Chief Information Security Officer (CISO). They need to lead a transformative cyber security strategy and cross-functional teams to create agile, forward-thinking security operations that support an organisation's strategic transformation goals. Responsibility should, however, not rest solely with the CISO. With the rise of threats such as ransomware that can impact business' ability to continue operating, this needs to be treated as a key business risk with board-level ownership.

This will enable the organisation to build a resilient, agile defence, leveraging data-driven defence and detection services that use machine learning and automation to deliver enhanced protection and visibility into potential attacks.

Understand evolving risks

No organisation can be totally protected from cyber attacks. It's therefore vital for consumer businesses to improve their understanding of the threat landscape, so they can build effective cyber security alongside a robust incident response plan.

And it’s not just about understanding threats and risks, but also about making sure that the CISO communicates risks in a way that the C-suite can understand it. For example, how does wanting to sell more online increase threats around customer data? Does working with new ecommerce partners bring in third-party risks? What challenges might new in-store tech bring? As previously mentioned, this is a responsibility that should not be the CISO’s alone. Another key business risk, this must be owned at board level. 

It’s increasingly important to know where these risks fall and who might be responsible for managing or mitigating them. For instance, can they be managed by the security team, another part of the business, or is there a reliance on a third party?

Use cyber security to improve experience

Cyber security needs to start being seen as a value-add, rather than a restriction. Good customer security is no longer just a cost, it’s an opportunity to both improve customer experience and help businesses understand their customers better.

While setting up in an organisationally secure way is primarily intended to protect the business from attack, it also helps increase the trust of customers and improve reputation through good security and experience. This organised data can then help businesses better understand customers, improve experience and enhance how they manage supply chains - e.g. stock levels needed, back-office improvements or logistics.

Be proactive in your defence

Consumer businesses must become more proactive in defending against cyber attacks, gathering intelligence on threats or potential threats, and evaluating risk based on their ‘risk profile’.

Importantly, they need to be aware of how their risk profile evolves - bigger store portfolios, more tech-based solutions and a greater move to online offerings will all affect security needs. It is critical to align cyber risk to any business strategy, and the CISO must be able to communicate with the c-suite and ensure they make the right cyber security investments.

Take consumer goods companies as an example. Proactivity might mean securing operations technology. However, this can be difficult with old or out of date technology and large estates. It might be necessary to prioritise what is secured or changed, fixing the economically or operationally riskiest areas first, before looking to support the whole of the operations estate.

Contact us

James Rashleigh

James Rashleigh

Cyber Security Partner, PwC United Kingdom

Tel: +44 (0)7808 028337

Laura Duncan

Laura Duncan

Cyber Security Director, PwC United Kingdom

Tel: +44 (0)7803 455572

Follow us