A study by Microsoft and Frost & Sullivan
A Frost & Sullivan study commissioned by Microsoft uncovered that three out of five (60%) retail organisations in Asia Pacific are slowing down the progress of digital transformation projects due to the fear of cyberattacks. Cybersecurity concerns among retail organisations are well-established as a cyberattack can cost a large retail organisation an average of USD18.7 million in direct and indirect economic loss. Customer churn is the largest economic consequence of a cyberattack for retail organisations resulting in USD16.9 million of indirect cost. For mid-sized retail organisations, the average economic loss due to a cybersecurity incident was USD47,000 per organisation. The study further revealed that almost three out of four (73%) cybersecurity attacks against retail organisations over the last 12 months have resulted in job losses across different functions.
These findings are part of the “Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World” study, which aims to provide business and IT decision makers in the retail sector with insights on the economic cost of cybersecurity breaches and to help identify any gaps in their cybersecurity strategies.
The initial study involved a survey of 1,300 business and IT decision makers ranging from mid-sized organisations (250 to 499 employees) to large-sized organisations (more than 500 employees), and 10% of these respondents are from the retail industry.
To calculate the true cost of cyberattacks, Frost & Sullivan created an economic loss model based on insights shared by the survey respondents. This model factors in two kinds of losses which could result from a cybersecurity breach:
- Direct: Financial losses associated with a cybersecurity incident – this includes loss of productivity, fines, remediation cost, etc; and
- Indirect: The opportunity cost to the organisation such as customer churn due to reputational damage.
A breakdown of the average direct and indirect economic cost that a large retail organisation can incur due to a cybersecurity incident
“Trust is especially critical for retail organisations today as brand loyalty continues to erode in the digital era. If retail organisations do not have the reputation of being capable of protecting their customers’ personal information and financial data, consumers will switch to another option in this hyper-competitive landscape,” said Kenny Yeo, Industry Principal, Cyber Security, Frost & Sullivan. “This is why retail organisations have the highest customer churn after a cybersecurity incident, compared to other vertical industries.”
Complex Cybersecurity Environment Impeding Retail Organisations’ Ability to Address Key Cyberthreats
Despite knowing the high economic cost and reputational damage they may incur, retail organisations continue to remain vulnerable. The study revealed that more than half (56%) of the retail organisations in Asia Pacific surveyed have either experienced a security incident (27%) or are not sure if they have had a security incident as they have not checked (29%). For retail organisations that have encountered a security incident, the respondents highlighted that web defacements, data exfiltration and ransomware are their biggest concerns as these threats have the highest impact to the business and they often result in the slowest recovery time:
- Web defacements are a unique threat that retail organisations face as they increasingly rely on their digital presence to engage customers. Through web defacement, attackers can disrupt this vital customer channel while negatively shaping the consumers’ perception of the brand; and
- Ransomware has the most severe impact on retail organisations as financially motivated cybercriminals illicitly encrypt files to restrict or stop users from accessing them, forcing organisations to pay a ransom. Retail organisations will not only lose time and resources in dealing with the aftermath of a ransomware attack, but the experience they provide to their customers will also be negatively impacted, resulting in customer churn.
The study also revealed that the complexity of managing a large portfolio of cybersecurity solutions may undermine retail organisations’ ability to protect themselves from these key cyberthreats and recover quickly after a cybersecurity incident:
- The study found that 43% of retail organisations with more than 50 cybersecurity solutions encountered a security incident in the last 12 months, which is almost double the 22% of retail organisations with fewer than 10 cybersecurity solutions; and
- Contrary to the common notion that more security solutions equals greater efficiency, 41% of retail organisations with fewer than 10 cybersecurity solutions were able to recover from cyber incidents within one hour, compared to only 14% of organisations with more than 50 solutions.
Gaps in Retail Organisations’ Attitude and Approaches Towards Cybersecurity
Although digital platforms are now an integral part of many processes within a retail organisation – from customer engagement to tracking transactions to operations – the study uncovered that many retail organisations in Asia Pacific still maintain an archaic approach to cybersecurity:
- Fear of cyberattacks derailing digital transformation progress: More than three out of five (60%) of the business and IT leaders in the retail sector have indicated that cybersecurity concerns have impeded their organisations’ digital transformation plans. This can impact their competitive advantage and cause them to miss out on significant opportunities in this region’s growing e-commerce space and digital economy.
As retail organisations continue to digitally transform themselves, a strong security posture can lead to increased consumer trust as well as more customers and transactions. However, the majority of respondents (43%) from the retail industry saw their cybersecurity strategy as merely a means to safeguard their organisations against cyberattacks. Only one out of five (22%) sees cybersecurity as a business advantage and an enabler for digital transformation; and
- Security as an afterthought: If retail organisations do not view cybersecurity as one of the cornerstones of digital transformation, it will undermine their ability to deliver a “secure-by-design” digital project, thereby leading to products and services with security vulnerabilities.
The study revealed that only one out of four (26%) retail organisations that had fallen victim to a cyberattack considered having a cybersecurity strategy before the start of a digital transformation project. The remaining respondents stated that either security was an afterthought, or they did not take cybersecurity into consideration when designing their digital transformation projects.
“Retail organisations are increasingly looking to deliver personal, seamless and differentiated customer experiences by empowering people, enabling digital transformation and capturing data-based insights to drive growth,” said Raj Raguneethan, Asia Lead, Retail and Consumer Industries, Microsoft. “Today cybercrime is a matter of when and not if. While data security and privacy are vital to any business, retail organisations and brands face enormous pressures and challenges with targeted cybercrime, complex supply chains, increasing compliance obligations and constant staff turnover. Given the impact of a cyberattack to the business and its reputation, it is even more critical for retail organisations to prioritize trust, transparency, standards conformance and regulatory compliance as key success factors while formulating their cybersecurity strategy.”
Retail Organisations Using Artificial Intelligence to Bolster Cybersecurity Posture
Artificial Intelligence (AI) is playing a critical role in shaping the future of the retail industry. From delivering a personalized shopping experience to generating actionable insights about the customers, AI will enable retail organisations to respond accurately and efficiently to customers’ expectations.
Today, retail organisations are also turning to AI to safeguard themselves from cyberthreats. The study found that three out of four (75%) retail organisations have either adopted or are considering an AI-based approach to complement their cybersecurity strategy.
By rapidly analysing vast quantities of data and providing actionable insights for cybersecurity professionals, AI-driven cybersecurity architecture enables organisations to accomplish tasks, such as identifying cyberattacks and removing persistent threats like ransomware, faster than any human. This makes AI an imperative for retail organisations that are looking to protect their digital platforms and customers from cybercriminals.