
Can your customer strategy stand up to cyberattack?


Recent cyberattacks on Marks and Spencer, Co-op, Harrods, adidas and – this week – Cartier and The North Face, have brought the issue of cybersecurity planning into sharp focus. While the threat of cyberattacks is nothing new, the scale of impact on household retailers has sent shock waves across the industry. If their defences aren’t up to the job and customer relationships are affected, then what hope is there for retailers with fewer resources and smaller budgets?

With the confirmed cause and longevity of disruption still largely unknown, there is much the industry can learn and put in place to minimise the consequences of such attacks. While prevention is always the ultimate goal, retailers must focus on how to manage and maintain customer relationships and reputations should the worst happen.

Keep customers on your side

Retailers can learn from previous crises – contaminated food providing a good playbook. Research evidence suggests that a crisis can help as well as undermine a company's reputation depending upon how it is handled. Being transparent from a very early stage gives a company greater opportunity to set the narrative, rather than having to later admit – often following media pressure – that the problem is actually worse than previously disclosed. In the current wave of cyberattacks, customer comments indicate loyalty and sympathy to Marks and Spencer, regarding it as a victim rather than a villain. Comments about Co-op are more ambiguous, with a suggestion that it has not been upfront about disclosing the extent of personal data loss.

Build resilience into operations

Retailers currently under attack have struggled through, but the interconnectedness of their IT systems can result in disproportionate problems arising from small details. For example, it is reported that Marks and Spencer was unable to locally print labels for food which could have overcome some supply chain problems. Also, in the wake of the Covid pandemic, many retailers decided to no longer accept cash, but retaining a cash handling ability can provide more resilience when systems experience downtime.

Practice a ‘safe mode’ of operating

IT applications often incorporate a ‘safe mode’ which provides limited functionality with minimised risks. Resilient companies should commit training time to operating sub-components of their systems in a more basic safe mode so they can be brought into use very quickly if needed. An analogy is having a backup electricity generator which is regularly tested to ensure that it is still fit for use in emergencies.

Don't request unnecessary personal data

There is emerging evidence that some groups of consumers – especially older ones – are becoming more reluctant to share personal data online. Reports of hacking will not alleviate these fears, even for trusted brands. Although cases of attackers getting into customers’ accounts to take control are very rare, disclosure of personal details could provide sufficient profile information about a customer to allow false accounts to be set up in their name. Companies rely on personal data to give them a competitive advantage, but they should not ask for unnecessary details. The Co-op, for example, uses members’ date of birth details as a sign-in method; however, such basic information may be useful if sold on to help create a false profile or identity.

Balance ease of access with security

An IT manager would typically prefer an IT system which is so secure that only a small number of people have access to it, and performs limited and straightforward functional tasks. A customer manager would typically like a system which is easy to access and provides complex linkages between different systems to allow generation of customer insights, and to extend customers’ relationships with the business. Thankfully, the days of sales and IT working in two completely separate domains are retreating, with better discussion of trade-offs within integrated and embedded teams.

Assess cost-effectiveness of IT security measures

It is easy to suggest that more should be spent on IT security, and there are many professional consultancies who are eager to sell such systems to companies. But the benefits of increased cyber-security must be balanced against its costs – both the direct costs of the processes themselves, and indirect costs of making goods and services less accessible. For decades, a mantra of retailing has been to reduce the barriers to purchase, so additional barriers may come at a cost of lost sales. Also, retailers have typically been driven by a growth mindset, and their share price has reflected sales success. The sharp fall in Marks and Spencer’s share price following its cyberattack is a reminder that resilience is also factored into share values.

Is an occasional cyberattack a price worth paying?

Complete security is a rare state, and retailers necessarily take managed risks, for example with issues of fire, health and theft. A trade-off must be made to balance the costs and benefits of increased cybersecurity. For example, online retailers may opt to reduce the incidence of two-factor authentication with credit card companies for regular customers. This will improve customer experience by reducing one barrier to purchase, but increases the risk of fraud. In a competitive market, ease of use may be an advantage. Even a full closedown of IT systems may be worth accepting if the chances of it happening are very low and the costs of mitigation are high. A problem is that it can be difficult to predict future frequency and severity of cyberattacks.

No one is immune

Media headlines tend to highlight big companies that have been targeted, especially when the consequences are widespread and in public view. But we shouldn't forget that much smaller businesses can suffer attacks too, and for a poorly funded business which has put the majority of its sales into just one platform, the consequences can be proportionately more devastating than for a multinational company. Resilience needs to be built into planning for businesses of all sizes and sectors.

Published 6 June 2025