The British Retail Consortium (BRC) has carried out its first survey into the toll that e-crime is taking on the British retail industry. The usual suspects were the most prevalent in the research as expected – identity fraud lost online retailers upwards of £20m in the 2011-2012 period, representing a significant percentage of the total cost of fraud to the industry of around £77.3m.
The most common form of fraud experienced by UK online retailers during this period was ‘card not present’ fraud, with almost 80% of respondents stating that this is now common, if not very common.
More surprising, however, was the news about the ever-growing range of more complex threats. Although there were no specific figures for spear-phishing, phishing, hacks and DDoS attacks, the report did reveal the high cost of their consequences. On average, repairing and restoring systems after a DDoS attack alone costs up to £100,000, with 20% of respondents reporting that DDoS attacks had caused serious or very serious damage to their systems.
Phishing appears to be a particularly expensive problem for UK retailers, who indicated that a single phishing attack could cost up to £2m.
As the UK is the world leader in online sales – the UK makes up around 11% of global internet sales – British companies are prime targets for cybercriminals, so why are we not protecting ourselves more?
The report explains that British firms spend around £16.5m each year on improving their cyber security, but some of this spending is misdirected: the security measures in place rejected legitimate trade, causing £111.6m of lost business.
It’s clear that there is still some way to go to protect UK businesses in the right way. Recommendations within the report highlight the demand for a more effective way of sharing e-crime knowledge about threats and defending against them and encourage the free sharing of this knowledge between businesses.
Through our client base, experience with cyber threats and knowledge-gathering events like roundtables, we have seen time and again that, even with investment in securing the business, companies are still not covering the basics.
Password security, cyber guidelines and access control are the simplest security measures, yet many businesses are still failing to grasp them. How can you secure your online presence if you are not covering the basics?
Here are our top tips for cyber-safety:
- Constantly test your infrastructure, fix any vulnerabilities and then retest
- Keep your security test documentation up to date and in an accessible place
- Act sensibly on social networks – don’t incite retaliation