How can you protect yourself from a cyber-attack? Think like a criminal.

We tricked our way into the head office of a high street retailer.

Tailgating workers through two security doors, the team set up to work on vacant desks, as if they were employees, and spent the day collecting computer passwords and intellectual property, including materials relating to new services and products.

Later in the day, on an unchallenged tour of the building, our team walked into the HR director’s office (the door had been propped open) to find an open laptop. They took photographs of documents open on the screen and placed malware on the device that gave them remote access to the machine and the company’s corporate network for the next month.

Files relating to employees, their contracts, ongoing disciplinary actions and other sensitive company material, were also recovered.

Later, a third colleague tricked their way into one of the retailer’s stores telling staff he was there to service a POS (point of sale, or till). Malware was placed on the machine allowing further remote access, this time to customer credit card details.

Fortunately for the retailer, we were cyber security experts engaged in a “red team” commission to see if they could hack into a client’s systems. The commission was designed to see if they could obtain intellectual property, customer details and credit card information without detection. They achieved all their objectives, revealing evident weaknesses in the retailer’s security measures.

Along with regular news headlines, the exercise demonstrates how cyber security remains an ever present concern for UK companies. Statistics gathered for the Department of Culture Media and Sport [1] reveal around 39% of UK businesses say they had been the target of a cyber security attacks in the previous 12 months. Of those targeted, 31% say they are on the receiving end of assault at least once a week. One in five companies say they have experienced a “negative outcome”, as a result of being attacked.

Some of the largest brands find themselves in the crosshairs of cyber criminals. Just last month the New York Times revealed the systems of Uber, the international taxi hailing service, had been breached by tricking an employee to give up passwords.

The success of the our red team in breaching the retailer’s systems may seem shocking, but “ethical hackers”—those employed to test computer networks—succeed in breaching security more often than business leaders might expect.

Indeed, we have undertaken many engagements, across a multitude of sectors, and have never failed to breach systems security. The key message is that it doesn’t matter how big or small a retailer may be, the risk of a cyber security breach is ever present.

And that is partly because security lapses come in many forms. The two breaches detailed above seem alarming but the company also suffered a third which involved circumventing “multi-factor” authentication. Using techniques remarkably similar to events at Uber, an under-pressure employee was persuaded on a phone call to recite a security code he had just been emailed. The call was made by a red team member posing as an IT staffer. Once armed with the code, the company’s networks were easily accessed.

It’s worth bearing in mind that these breaches did not involve remote whizz-kid style computer hacking but what is known as “social engineering” — persuading employees to ignore established processes or simply give up security information.

Social engineering tends to exploit individuals under stress or the perception of authority. The person we targeted - in a so called “vishing attack” - was a single father rushing to do the school run. Other attackers fake being trusted senior staff or, indeed, trick managers into ordering lower-level employees to do things they may not otherwise do during normal processes, such as making a payment.

Retailers may be more exposed than companies in other sectors because they have more points of vulnerability. Indeed, they suffer from what experts call a wide “attack surface”. Offices, stores and websites all represent opportunities to criminals.

Technology is important but it’s just one component. A business is also people and processes. Red teaming tests whether all three can be compromised in a cyber-attack. And as we prove, they can more often than not.

But the red team exercise, along with many others, offers a set of important insights for retail companies. As implied, cyber security places a premium on processes that have integrity, even those applying to guests in offices and stores. ISO 27001, the recognised standard for information security, makes explicit mention of “visitor management”.

Retailers therefore need specific processes addressing the way sensitive information is protected, including controls on how people visit their stores, and the way websites are secured.

Retailers must ask themselves: are information security controls reviewed and updated regularly and are they adequately tested?

Company culture is also a key component of security and must support workforce discipline around the use of processes. That is not always easy. UK corporate culture tends to place great store in trusting employees and helpfulness at work. But both need to be combined with knowledge of security processes. Many businesses fail to invest in training and, without training, cultural characteristics like “trust” and “helpfulness” can morph into weakness.

Moulding or forming culture means elevating cyber security to the boardroom. It is a mistake to restrict cyber security to IT or technology silos because it is about behaviour and that is formed by corporate culture established from the top. Leaders at the top make the greatest difference.

It is widely accepted that cyber attacks will only increase in number and complexity in the near future. That makes processes, company culture and boardroom leadership on cyber security a priority. Red teaming proves that time and again.

This article was first published in The Retailer, online magazine, by the British Retail Consortium.

Get in touch

Get in touch with our experts for more details

[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022

National contacts