Cyber security threats to the retail sector


Playback of this video is blocked because of your cookie preferences.

You can change your settings on the Cookies information page: you need to accept Advertising cookies to see this YouTube video.


Our retail clients face significant challenges in relation to cyber security. Based on our recent research we found that attacks are up by over 30% so this challenge is not going away. The main challenge they face is from a crime perspective, so be this malicious insiders, organised crime groups or other parties looking to make money from the organisation. Now the main threat is around the theft of data, and that’s customer data, and obviously retailers hold significant volumes of this. The other thing that retailers need to think about is remaining competitive, so they obviously have to invest in digital channels, apps and other payment technologies, and obviously investing in these kind of technologies increases the risk that they face from a cyber security perspective.

So in 2018 the Global Data Protection Regulation rules come into place and this has significant implications for retailers. Firstly it means that the impact is going up, so this is up to 4% of global annual revenue or €20 million, so significant numbers. Secondly, you have to notify the regulator quickly if you’ve been breached, and thirdly, you have to be able to delete customer data from all of your systems if they request it, and this is obviously challenging given the fact that data is scattered across retail organisations, planning for GDPR needs to start now.

Distributor denial of service tax or DDoS attacks are a real challenge for retailers, particularly during peak season, and the challenges are that the websites of an organisation might be taken down, or there is also physical disruption, for example shopping centres, lift systems may be disrupted impacting retailers and consumers.
In terms of what organisations can do about it, the first one is a technology point which is that, just make sure you have the right processes and technology in place to mitigate the attack itself. You can also conduct effective threat intelligence to anticipate when an attack is likely to happen, and lastly the business have a role to play. Make sure that the business are ready to respond and know what their role is in responding to a DDoS attack.

We are seeing a number of retail organisations effectively managing a cyber security risk and there are some very common themes amongst them. The first one is the board, the board are playing an active role in minimising the cyber security risk. Secondly culture, people are key in minimising the risk and organisations are investing in effective training and awareness programs, and lastly detection response, organisations are investing in detecting a breach and critically responding to it, and practicing how they would respond to the breach.

We can help retail organisations both understand the cyber security risk they face and define their security strategy. We are also helping organisations respond to a breach when that happens. We would urge organisations to get in touch if they would like to discuss their cyber security any further.


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}

Contact us

Zubin Randeria

Zubin Randeria

Lead Cyber Security Partner, PwC United Kingdom

Tel: +44 (0) 207 212 4928

Follow us