Retailers Beware. ‘Tis the Season for Cyberattacks.

Retailers aren’t the only ones looking to profit off the holidays. The end-of-year shopping rush is prime time for cyber attackers targeting shoppers and businesses, too.

The flood of marketing messages landing in busy and distracted shoppers’ inboxes is the perfect cover to try and get someone to click the wrong link or send over their information, as are the customer inquiries and complaints that inundate businesses.

“It does make the conditions right for greater levels of cybersecurity attacks, [from] the most complex ones all the way down to the most bare-bones types of attacks,” said Paul Caron, head of cybersecurity for the Americas at S-RM, an intelligence and cyber-security consultancy.

Those attacks are getting more expensive. In a new report that surveyed 600 C-suite and IT budget holders from large organisations in the US and UK, S-RM found the average cost of an incident grew 11 percent in 2023 compared to last year, reaching $1.7 million. Among the respondents, 63 percent said they’d experienced a serious incident in the past three years.

The worst cases can have gigantic costs. Hanesbrands was the victim of a ransomware attack in May 2022 that disrupted its global supply chain and left it unable to fulfil customer orders for three weeks. The hit to its net sales was approximately $100 million, it later revealed. The company recouped a small portion of the loss through insurance — about $20.6 million so far this year.

And the attacks aren’t only becoming more costly. As more shopping happens online and retailers collect more data, they’re increasing.

Retailers are generally dealing with large numbers of individual customers while holding onto sensitive information, such as credit card data. The scenario makes them attractive targets and creates numerous opportunities for criminals to try to trick someone into a misstep.

When an attacker is successful, the disruptions to employees can extend far beyond the IT department. In July, Estée Lauder confirmed that a hacker had breached its system and appeared to have stolen data, though it provided little detail on what data. The company said it took down some of its systems in response and began an investigation. Employees at Estée Lauder offices around the world said they were locked out of email and other key functions.

Retailers are taking steps to mitigate the problems. Of the industries S-RM surveyed, retail actually allocated the highest share of IT budgets to cybersecurity, though Caron pointed out the figure can be slightly deceiving.

“What we see unfortunately is that there’s an aggregate lower total investment made within that sector,” he said. “When you look at other sectors that are a little bit more regulated, the cybersecurity budget as part of the IT [budget] might be thinner, but the net pot of available resources is a lot higher.”

The amounts retailers devote to cybersecurity can vary greatly depending on their size. It might range from hundreds of thousands of dollars to tens of millions, Caron said. The costs include everything from security training for staff to technology like multi-factor authentication, firewalls, response solutions and more.

Part of the reason the problem continues growing is that cyber crime is getting more profitable, one expert previously told McKinsey and BoF. Criminals are becoming more sophisticated and will even specialise in different fields.

The advent of generative artificial intelligence is adding a new wrinkle, though it’s not always for the worse. While experts say it makes it easier for criminals to launch phishing scams that aim to get victims to share information or ransomware attacks that lock a company out of its systems until it pays up, it also offers a means of fortifying defences. IBM has noted the technology can speed up security processes and quickly spot threats by recognising patterns in large amounts of data.

S-RM holds a similar perspective. In its cyber security report, it predicted a surge of AI-enabled attacks but said the technology also gives security teams the ability to simplify previously complex tasks, allowing for capabilities like automating creation of scripts to analyse data.

Caron said there are some steps retailers should consider to bolster their overall cybersecurity. First, companies should be sharing information. If one retailer is seeing an uptick in attacks, there’s a strong likelihood its peers are as well, and they may be coming from the same attacker. By communicating with each other, companies stand to gain valuable intelligence at no cost.

Second is to have an instant response plan ready. Businesses need to decide beforehand who will be in charge of key activities like restoring backups and recovering data. They need to understand where their critical data resides and which systems and applications are affected. Working out these details after an attack has occurred can mean delays in getting the business back up and running, which may translate to millions of dollars in costs.

It’s better to be prepared, Caron said, noting the increasing frequency of cyber threats means “it’s not ‘if,’ it’s when it’s going to happen.”