In conjunction with the British Retail Consortium, Aon hosted a webinar on 30 April discussing the importance of cyber business continuity management for the retail industry. Following much-publicised cyber attacks on high-profile UK retailers in recent weeks, this conversation around the key cyber threats to business continuity and the ways in which organisations can achieve cyber resilience has come at a point of particular relevance for retailers.
Cyber Attacks Rated the Top Risk for Retailers
In Aon’s Global Risk Management Survey, “Cyber attacks/data breaches” was rated the top risk facing the retail and consumer goods industry, closely followed by supply chain disruptions. Cyber threats take many forms, and not all of them come from malicious actors: the CrowdStrike outage last year was caused by a faulty software update rather than an attack, yet it showed that a single failed change at a widely used vendor can halt operations across an entire industry.
For retailers, ransomware typically carries both the highest likelihood and the greatest potential business interruption loss. In a ransomware attack, criminals deploy malware that encrypts an organisation’s data and then demand payment for the decryption keys; many groups now also steal data before encrypting it and threaten to publish it, so restoring from backups alone does not end the extortion. Phishing and social engineering are another major risk: attackers use fake emails, phone calls or messages to trick employees into revealing credentials or transferring money, and a helpdesk that resets passwords or multi-factor devices on the strength of an unverified phone call is a common way in. As supply chains have become increasingly digitised, an attack on a third-party vendor can spread through the network of connected systems and open the door to a retailer’s own environment.
What are the Key Impacts from a Cyber Event?
Due to the systemic and complex nature of cyber incidents, widespread impacts are likely following an attack. These include, but are not limited to:
Operational Downtime: Cyber incidents can bring operations to a halt, causing significant delays, revenue loss from lost sales and increased costs from restoring systems.
Supply Chain Disruptions: A compromise at a supplier, logistics provider or shared platform can delay the delivery of essential materials and products, undermining overall business continuity even when the retailer’s own systems are intact.
Reputational Damage: Repeated or high-profile cyber incidents can damage an organisation’s reputation, eroding customer trust and the organisation’s global image.
Regulatory and Legal: Failure to protect systems and customer data adequately can result in non-compliance with data protection and industry regulations, leading to fines, legal penalties and mandated operational changes.
How can Retailers Prepare for Cyber Risks?
Cyber preparedness is built through the orchestration of incident response, IT disaster recovery, crisis and claims management, and business continuity programmes. In the days following an attack, incident response focuses on detecting, containing, eradicating and recovering from the threat, while the IT disaster recovery effort restores infrastructure and systems with the aim of returning to normal operation in the shortest possible time.
Over a longer timeframe, the wider business response coordinates the management of insurance claims and crisis scenarios, focusing on public relations, legal issues and reputational risk. Business continuity management is typically responsible for maintaining operations and revenue generating processes, by whatever workaround is available, while the technical recovery is taking place.
It doesn’t have to be your systems that are affected to cause a disruption
In today’s interconnected digital landscape, the ripple effects of cyber threats can extend far beyond the initial target, causing potential widespread disruption even if your systems remain untouched. It is essential to adopt a holistic approach to cybersecurity, ensuring that not only your systems but also those of your partners and suppliers are robust and resilient against cyber threats. By doing so, you can help mitigate the risk of indirect disruptions and safeguard the continuity of your operations.
Building Resilience Through Cyber Business Continuity Management
A business continuity plan (BCP) is a structured approach to help ensure that a business can continue operating despite disruptions such as cyber attacks, natural disasters and system failures. Effective planning requires collaboration across the business, from operational and technical teams through to C-suite executives. A BCP identifies critical processes and risks and manages the business response and recovery, which involves:
- Conducting a business impact analysis and risk assessment
- Developing a recovery plan with clear objectives and timelines
- Ensuring regular testing and reviews to ensure the plan remains fit for purpose
The first step towards a business continuity plan is conducting a business impact analysis (BIA), which is central to an understanding of your organisation’s key operations and dependencies. This begins with identifying the activities that are necessary for business survival, including revenue generating processes and essential services provided to clients and consumers. The BIA then maps the dependencies that underpin these critical services, including technology, people, suppliers and third-party solutions; a service can only be restored once everything it depends on has been restored, so a shared dependency such as a directory service or a payment provider sets the floor for how fast any service built on it can come back. With this information, the BIA establishes a recovery time objective for each critical service (the maximum time it can be unavailable before the impact becomes intolerable) and a recovery point objective (the maximum age of the data that must be recoverable, which in practice sets how often backups must be taken).
Alongside the business impact analysis, a risk assessment evaluates the likelihood and potential damage of threats and vulnerabilities within the organisation. The results from the BIA and risk assessment inform the recovery strategy, which sets out the methods for restoring operations quickly. Alternative sites, data backups (kept offline or immutable so that the same ransomware cannot encrypt them) and support from third parties can be leveraged within the recovery strategy, which should be tailored to the organisation’s essential services and dependencies.
Following the BIA, risk assessment and recovery strategy, plan development documents the specific procedures and responsibilities for recovering from disruptions. The information gathered in these initial stages is used to write step-by-step recovery instructions, including communication plans, resource needs and escalation paths. Continuous testing and maintenance is critical to help ensure that the business continuity plan remains fit for purpose, with the depth of testing scaled to the plan’s maturity and the business’s tolerance for disruption. Regular updates and reviews must take into account both the evolving risks that businesses face and changes in the dependencies that underpin critical business operations.
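As an added illustration of the dependency mapping and RTO/RPO checks described above (example code written for this page, not part of the Aon/BRC webinar material), the following Python models a small, constructed retail estate: two critical services, the systems and one supplier they depend on, and assumed restoration times. It computes the recovery time each service can actually achieve once its dependencies are taken into account, flags services whose RTO is unachievable and names the bottleneck chain, lists which services a supplier outage would take down even though the retailer's own systems are untouched, and checks whether backup frequency supports each service's RPO. All names and hours are assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """One entry in the business impact analysis. All values are assumptions
    for illustration: hours to rebuild the node once its dependencies are
    back, what it depends on, and (for critical services) its RTO/RPO."""
    name: str
    kind: str                                      # "service", "system" or "supplier"
    recovery_hours: float                          # assumed time to restore this node itself
    depends_on: List[str] = field(default_factory=list)
    rto_hours: Optional[float] = None              # critical services only
    rpo_hours: Optional[float] = None              # critical services only
    backup_interval_hours: Optional[float] = None  # data-holding systems only


def build_sample_bia() -> Dict[str, Node]:
    """Constructed sample estate (hypothetical names and figures)."""
    nodes = [
        Node("online_checkout", "service", 1.0,
             ["payment_gateway", "order_db", "web_tier"], rto_hours=4.0, rpo_hours=1.0),
        Node("store_pos", "service", 0.5,
             ["payment_gateway", "pos_backend"], rto_hours=2.0, rpo_hours=0.25),
        Node("payment_gateway", "supplier", 1.0),        # third party, restoration per its SLA
        Node("order_db", "system", 2.0, ["ad_identity"], backup_interval_hours=0.5),
        Node("web_tier", "system", 1.0, ["ad_identity"]),
        Node("pos_backend", "system", 1.0, ["ad_identity"], backup_interval_hours=1.0),
        Node("ad_identity", "system", 1.0),              # directory/identity, shared by everything
    ]
    return {n.name: n for n in nodes}


def achievable_recovery(nodes: Dict[str, Node], name: str, memo=None) -> Tuple[float, List[str]]:
    """Hours until `name` is usable again, assuming a node can only be rebuilt
    after its slowest dependency is back. Returns (hours, critical path)."""
    if memo is None:
        memo = {}
    if name in memo:
        return memo[name]
    node = nodes[name]
    worst, worst_path = 0.0, []
    for dep in node.depends_on:
        hours, path = achievable_recovery(nodes, dep, memo)
        if hours > worst:
            worst, worst_path = hours, path
    memo[name] = (worst + node.recovery_hours, worst_path + [name])
    return memo[name]


def rto_gaps(nodes: Dict[str, Node]) -> Dict[str, Tuple[float, float, List[str]]]:
    """Critical services whose achievable recovery time exceeds their RTO."""
    gaps = {}
    for n in nodes.values():
        if n.rto_hours is None:
            continue
        hours, path = achievable_recovery(nodes, n.name)
        if hours > n.rto_hours:
            gaps[n.name] = (hours, n.rto_hours, path)
    return gaps


def transitive_deps(nodes: Dict[str, Node], name: str) -> List[str]:
    """Every node `name` depends on, directly or indirectly."""
    seen, queue = set(), deque(nodes[name].depends_on)
    while queue:
        dep = queue.popleft()
        if dep not in seen:
            seen.add(dep)
            queue.extend(nodes[dep].depends_on)
    return sorted(seen)


def impacted_services(nodes: Dict[str, Node], failed: str) -> List[str]:
    """Critical services that stop if `failed` (e.g. a supplier) is unavailable,
    even though the retailer's own systems are untouched."""
    return sorted(n.name for n in nodes.values()
                  if n.rto_hours is not None and failed in transitive_deps(nodes, n.name))


def rpo_gaps(nodes: Dict[str, Node]) -> Dict[str, Tuple[float, float]]:
    """Services whose RPO is tighter than the backup interval of some data
    store they depend on: worst-case data loss exceeds what is tolerable."""
    gaps = {}
    for n in nodes.values():
        if n.rpo_hours is None:
            continue
        intervals = [nodes[d].backup_interval_hours for d in transitive_deps(nodes, n.name)
                     if nodes[d].backup_interval_hours is not None]
        worst = max(intervals, default=0.0)
        if worst > n.rpo_hours:
            gaps[n.name] = (worst, n.rpo_hours)
    return gaps


if __name__ == "__main__":
    bia = build_sample_bia()
    for svc, (hours, rto, path) in rto_gaps(bia).items():
        print(f"RTO gap: {svc} needs {hours}h vs RTO {rto}h via {' -> '.join(path)}")
    print("Payment gateway outage stops:", impacted_services(bia, "payment_gateway"))
    for svc, (interval, rpo) in rpo_gaps(bia).items():
        print(f"RPO gap: {svc} backups every {interval}h vs RPO {rpo}h")
```

In the sample estate the online checkout just meets its 4-hour RTO, but the store tills cannot: their 2-hour RTO is unachievable because the POS backend cannot be rebuilt until the identity service is back, and their 15-minute RPO is undermined by hourly backups. Neither finding is visible from the service's own restoration time, which is the point of mapping dependencies in the BIA.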
Conclusion
Recent cyber events have demonstrated why cyber attacks and data breaches remain the reported top risks within the retail and consumer goods industry. Cyber resilience is a greater business priority than ever before, requiring the creation and maintenance of business continuity plans among the other components of response and recovery.
Effective business continuity management reduces the impact of operational downtime, supply chain disruptions and revenue loss. While these plans are often viewed as the IT department’s responsibility, all plans are ultimately delivered by people, and everyone in an organisation bears some responsibility; this makes consistent training crucial for effective continuity management, which may take the form of simulations and tabletop exercises that rehearse the plan against a realistic scenario such as a ransomware outbreak.
Speakers
Nathan Hankin, Head of UK Retail Cyber & Tech E&O
Chris Scott, Executive Director, Cyber Solutions, EMEA
Alex Hornsby, Director, Cyber Risk, UK
Milo Judd, Cyber Risk Consultant, UK
For more information contact [email protected]
These are the views of Aon. They do not necessarily reflect the views of BRC.
While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.
Aon UK Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.