It’s time for all retailers to have a cyberattack plan

Ask most furniture folks what keeps them up at night and chances are they will mention things like the challenging retail climate, the rising cost of goods, supply chain issues, finding, hiring and retaining great employees and so on.

Ironically, one item conspicuously absent from the list that should have them worried is the risk of cyberattacks.

And if you are thinking hackers have no interest in launching cyberattacks on our segment, think again. Or better yet, Google cyberattacks and the word furniture, then hit “enter.”

Items like this one from The Record will pop up:

“One of the biggest mattress sellers in the world is dealing with a cyberattack that has forced the company to shut down parts of its IT systems.”

Tempur Sealy is considered the largest bedding provider in the world because of its control of brands like Tempur, Cocoon, Sealy and Stearns & Foster. The company, which reported $1.2 billion in net sales last quarter, announced the acquisition of the United States’ largest mattress specialty retailer, Mattress Firm, in May.

The company’s chief financial officer, Bhaskar Rao, reported to the U.S. Securities and Exchange Commission that Tempur Sealy’s operations had been hindered by a cyberattack which began on July 23.

The company did not respond to requests for comment about whether it is a ransomware attack but noted in its 8-K filing that they were forced to activate incident response and business continuity plans “designed to contain the incident.”

“This included proactively shutting down certain of the company’s IT systems, resulting in the temporary interruption of the company’s operations. Legal counsel, a cybersecurity forensic firm and other incident response professionals have been engaged to advise on the matter,” Rao said.

“The company has also notified law enforcement authorities. As of the date hereof, the company has begun the process to bring certain of its critical IT systems back online and has resumed operations.”

You will also find stories like this one about DSG, a company whose website says it owns and operates over 163 Ashley retail stores, 29 distribution centers and three corporate offices, with over 5,000 team members.

This summer, DSG acknowledged that it had experienced a cybersecurity incident. “Like many companies, we are not immune to the unlawful efforts of third parties to attempt to breach our network,” Lisa Fanaro, executive vice president of strategy and experience at DSG, said in a statement. “In this regard, we can confirm that DSG experienced a cybersecurity incident in June. Immediately upon discovering the incident, we executed our security protocols to mitigate against these efforts.”

And then there was this recent report from RetailWeek, which asserts that some 300 independent retailers were struck by a cyberattack at IT supplier Swan Retail that has affected their ability to trade online and fulfill orders.

The attack took place on Sunday, Aug. 13, and caused “technical difficulties” with some of Swan’s back-office systems.

Those affected by the breach include a range of independent retailers across sectors including fashion, department stores, furniture and homewares, garden centers, pets, outdoors and sports and stadiums, the publication reported.

Last year, Top 100 City Furniture acknowledged that it had a data breach where sensitive consumer data stored on City’s network had been compromised.

As retailers work to address consumer demand for enhanced customer experience they often turn to new technologies. However, those platforms can present challenges ranging from vulnerable internet-connected point-of-sale systems and devices to online ordering, delivery programs, maturing real-time inventory processes, and a rapidly expanding Internet-of-Things landscape.

According to statistics compiled by Zipdo, an operations management tool:

  • Retail is the third most targeted sector by cyberattackers, following only financial institutions and health care.
  • 64% of consumers said they are unlikely to do business again with a company that experienced a breach where financial information was stolen.
  • Breaches cost businesses $2.5 million per incident on average in the retail sector.
  • 98% of applications in the retail industry have security vulnerabilities.
  • 42% of retail organizations indicate that they do not have a CISO or equivalent high-level security leadership position.
  • Retail businesses take 197 days on average to detect a data breach.
  • Nearly 39% of cybersecurity breaches affected retail businesses in 2020.
  • The retail industry reported a 22% increase in data breaches in the first half of 2020.
  • A survey shows that 84% of retail organizations are at risk from cyber threats.
  • Only 30% of retailers report achieving full compliance with the Payment Card Industry Data Security Standard.
  • In 2018, cyberattack-induced downtime cost retailers an average of $1.7 million.
  • According to IBM, the average cost of a data breach to a retail business in 2020 was $3.86 million.
  • A Symantec report indicated that point-of-sale breaches accounted for 17% of all incidents in the retail sector.
  • 16% of all retail companies experienced a data breach resulting in website downtime over the past two years.
  • More than 50% of retail businesses do not have an incident response plan.
  • About 97% of all point-of-sale breaches in 2018 were targeted at small and midsize retailers.
  • It has been estimated that cybercrime can cost retailers up to 12% of their annual revenue.
  • Card-not-present fraud, a common type of cybercrime in retailing, is on the rise, expected to reach $130.6 billion in losses between 2018 and 2023.
  • Approximately 85% of breached data in 2020 came from the retail, accommodation and food services industries.
  • 30% of retail businesses state that maintaining security upgrades is their biggest challenge.

With those statistics in mind, it is not surprising that this segment can be easy pickings for cyberattacks, especially since many small and midsize retailers have not made protecting themselves from cyberattacks a priority.

It certainly looks like the time has come for retailers of all sizes to go on the offensive.
