Retail Boardroom Breach-Preparedness: Proactive Strategies for Handling the Inevitable Cyberattack
Written by Chris Wood, CyberQ Group and Dave McGrail, Head of Business Consulting, Xalient
Retailers have been hit by a wave of cyberattacks in recent months, with hacker groups targeting major household brands. These attacks have resulted in severe consequences, including payment system failures, website outages, and customer data breaches, with some retailers losing millions in revenues.
This has made retail boardrooms incredibly nervous and acutely aware that, where attacks are concerned, it is not a question of if, but when, their organisation will be breached. Many are adopting best practices like Zero Trust frameworks and security models, which assume that no entity, whether inside or outside the organisation, is inherently trustworthy, and which work on the assumption that the organisation has already been breached and should act accordingly.
To this point, at the recent Cyber UK Conference held in Manchester in May, the Cabinet Office Minister responsible for National Security, Pat McFadden, said: “These attacks need to be a wake-up call for every business in the UK.”
“In a world where the cyber criminals targeting us are relentless in their pursuit of profit, with attempts being made every hour of every day, companies must treat cyber security as an absolute priority.”
Understanding your recovery strategy
Cybersecurity is more than just detecting and stopping the progress of the initial attack. It is also about how quickly the organisation recovers, what recovery strategies it has in place, and how those strategies are communicated to all the parties and stakeholders that might be affected. Likewise, this is no longer just a problem for the IT department; it is a business-wide problem, extending from HR and corporate communications to legal and customer communications. The scope also encompasses external supplier ecosystems and regulatory bodies like the ICO.
When the buck stops, it stops in the boardroom. Growing regulation and legislation mean that cybersecurity leaders and boards are becoming more aware of, and concerned about, personal liability, particularly since the criminal case against Uber Technologies’ former security chief. Uber Technologies was involved in several criminal cases, including a data breach, and a former Chief Security Officer was convicted of obstructing a Federal Trade Commission (FTC) investigation.
It is equally important to see any attack as a learning opportunity. It is a stressful situation, but one that any of us could find ourselves in. Therefore, it is incredibly important not to unduly apportion blame. The mental health implications for the CEO, the CISO, and others involved will ripple throughout the organisation and can be very damaging.
Strengthening cybersecurity oversight
So how should boards better prepare for a cyber breach and ensure the organisation can respond effectively to cyber threats? The starting point is establishing clear cybersecurity oversight. This is essential for protecting sensitive data and ensuring compliance with industry regulations. There are several steps that boards should take to fortify cybersecurity oversight such as:
- Define your governance framework and set up policies, roles, and responsibilities to guide cybersecurity efforts.
- Implement zero-trust principles and ensure strict access controls, verifying identities before granting least-privileged permissions.
- Undertake regular risk assessments and continuously evaluate potential threats and security vulnerabilities.
- Invest in AI-powered monitoring, using AI-driven analytics to detect anomalies and predict cyber risks.
- Educate staff on cybersecurity best practices to prevent breaches, ensuring staff are aware of company cybersecurity protocols.
- Ensure compliance and regulatory alignment adhering to frameworks like GDPR, ISO 27001, or NIST guidelines.
Making sure that individual members of the board understand their responsibility in the case of a breach is also crucial. Additionally, boards should ensure their organisation has a regularly tested cyber incident response plan allowing for swift action when a breach occurs.
We cannot overstate how vital communication is during an incident. Boards must oversee both internal and external communication, ensuring transparency with employees, customers, regulators, and investors. Despite these expectations, some boards may still lack a deep understanding of cybersecurity risks, which can lead to inadequate responses when breaches occur.
Tracking key cybersecurity metrics
Keeping track of key cybersecurity metrics to assess the organisation’s resilience is another important activity. Critical cybersecurity metrics include Incident Response Time (IRT), which measures how quickly security teams detect and respond to threats. Likewise, having Recovery Time Objectives (RTO) in place enables the security team to track how long it takes to restore operations after an attack. Furthermore, tracking the success rates of recovery tests enables the organisation to evaluate the effectiveness of its disaster recovery plans.
This is by no means an exhaustive list, but these types of metrics provide valuable insights into an organisation’s ability to withstand and recover from cyber incidents.
Boards must stay updated on regulatory requirements and shareholder expectations regarding cybersecurity. Ensuring compliance with cyber governance codes and industry standards such as ISO 27001, NIST, and GDPR helps to mitigate legal and financial risks. Additionally, the Cyber Governance Code of Practice outlines key governance actions that directors should take to manage cyber risks.
Finally, working with cybersecurity experts and trusted advisors like Xalient and CyberQ will help to shore up defences, enabling retailers to detect and mitigate cyber risks before they escalate and strengthening their defences against evolving threats.
Cybersecurity is no longer JUST a technical challenge
In an era where cyber threats are inevitable rather than hypothetical, retailers must shift their focus from prevention alone to preparedness and resilience. Cybersecurity is no longer just a technical challenge; it is a fundamental business issue that demands leadership, strategic oversight, and company-wide collaboration.
Boards must take an active role in cybersecurity governance, ensuring their organisation has the right frameworks, policies, and response strategies in place. The ability to swiftly recover from an attack and communicate effectively during a crisis is just as crucial as preventing one.
Ultimately, cybersecurity is about more than protecting data; it is about safeguarding trust, reputation, and the financial health of a business. By fostering a culture of vigilance, continuous learning, and proactive investment in security, retailers can navigate the evolving cyber landscape with confidence and resilience, rather than worrying about being the next headline news story.