The growth of e-commerce intensifies cyber threats: are retailers ready to comply?

The impressive recent growth trajectory of the e-commerce market continues to point up and to the right. According to Statista, the global e-commerce market is expected to maintain an annual growth rate of 9.49% in the coming years, with 3.6 billion purchases expected to be worth $6.48 trillion by 2029.

Unfortunately, this explosion of online activity comes with several challenges. Indeed, as e-commerce grows, so do the efforts of cyber attackers seeking to take advantage of the growing opportunities.

Retail businesses are particularly vulnerable to such threats, given their extensive customer and transaction data and increasingly digital operations, with several recent incidents highlighting the severity of the threat.

Last year, Ace Hardware suffered a serious cyberattack that compromised 196 company servers and more than 1,000 devices, causing widespread disruption across its 5,600 stores worldwide. The attack not only delayed shipments and deliveries but also hampered the company’s ability to fulfill online orders, significantly affecting its operations.

Then, in late 2023, VF Corporation – the parent company of brands like Timberland, Dickies, The North Face and Vans – also suffered a cyberattack that disrupted its operations and hampered order fulfillment. Here, investigations revealed that the personally identifiable information (PII) of approximately 35 million people was compromised, with the effects of the attack continuing to be felt more than a month later.

Headlines like this highlight the urgent need for retailers to adopt more rigorous security measures to protect themselves and their customers.

Interestingly, a recent survey found that customer demand for robust security and compliance was a significant motivating factor behind increased security investment at retailers, cited by 43% of respondents. Despite this, many companies have struggled to meet the necessary standards.

Critically, the same report indicates that about a third of retailers view compliance with regulations and industry standards as their biggest information security challenge, even though nearly 43% of them have increased their compliance-related investment by up to 25%.

The challenge of evolving compliance requirements

This is not a coincidence. As the cyber threats faced by retailers continue to intensify, so do the demands associated with security compliance regulations.

Take the Payment Card Industry Data Security Standard (PCI DSS) as an example. Retailers that accept major credit cards or process electronic payments must adhere to PCI DSS, a set of technical and policy controls designed to protect sensitive cardholder information and transaction data.

In recent years these compliance requirements have become stricter. Specifically, the standard moved from version 3.2.1 to version 4.0 in March 2022; version 3.2.1 was retired in March 2024, and the future-dated version 4.0 requirements become mandatory on 31 March 2025. This update emphasises security as a continuous process and tighter validation of payment environments, with some of the key changes including:

  • Increased emphasis on security as an ongoing process rather than an annual assessment exercise.
  • Expanded multi-factor authentication requirements, covering all access into the cardholder data environment rather than administrative access alone.
  • Updated software development requirements, including secure coding practices, automated vulnerability scanning, and penetration testing.
  • Stricter password rules, including a longer minimum length (12 characters, up from 7), a requirement for both letters and digits, and encouragement of passphrases.
  • Stronger cryptography requirements, including maintaining an inventory of the cipher suites and protocols in use so that weak algorithms can be identified and retired.

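The password bullet above is one of the few PCI DSS v4.0 changes that can be checked mechanically. The following is an added example, not code from the article or from ISMS.online: it validates a candidate password against the v4.0 rules for length (Requirement 8.3.6: at least 12 characters containing both letters and digits) and reuse (Requirement 8.3.7: not equal to any of the last four passwords), and additionally screens against a known-weak list, which this example treats as a local policy choice rather than a PCI DSS mandate. The `KNOWN_WEAK` set and the `hash_password` helper are assumptions made for the example; a real deployment would use a breached-password corpus and the organisation's existing password hashing scheme.

```python
import hashlib
import hmac
import os

# PCI DSS v4.0 Requirement 8.3.6: minimum 12 characters (8 only where the
# system cannot support 12), containing both numeric and alphabetic characters.
MIN_LENGTH = 12
# PCI DSS v4.0 Requirement 8.3.7: a new password may not match any of the last four.
HISTORY_DEPTH = 4

# Constructed, illustrative list of weak passwords (an assumption for this
# example, not a PCI DSS-supplied list). Compared case-insensitively.
KNOWN_WEAK = {"password1234", "welcome12345", "changeme2024"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for whatever hash the real system stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_history_entry(password: str) -> tuple[bytes, bytes]:
    """Create a (salt, hash) record as it would be stored when a password is set."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def check_new_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable.

    history: (salt, hash) records of previous passwords, newest first.
    """
    problems = []

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")

    if candidate.lower() in KNOWN_WEAK:
        problems.append("appears on the known-weak password list")

    # Only the most recent HISTORY_DEPTH entries matter; compare hashes in
    # constant time so the check itself does not leak anything.
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break

    return problems


if __name__ == "__main__":
    # Constructed sample history, newest first.
    past = [new_history_entry(p) for p in ("Autumn-leaves-2023", "Winter-frost-2022")]
    for pw in ("short1", "Password1234", "Autumn-leaves-2023", "correct-horse-battery-9"):
        print(pw, "->", check_new_password(pw, past) or "OK")
```

The history check deliberately re-hashes the candidate with each stored salt rather than comparing plaintexts, so the policy can be enforced without ever retaining old passwords in clear.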
Looking at PCI DSS, it’s clear why many retailers view compliance with regulations and industry standards as their biggest information security challenge. Increasingly stringent controls put pressure on businesses, requiring more time and preparation to demonstrate compliance.

Getting the most out of your investments with ISO 27001

Despite the challenges retailers face, the survey also shows that compliance investments are paying off. Importantly, a third of retailers note that the best information security ROI they have achieved in the past 12 months is from compliance investments.

The need to comply is clear, as is its value. So what concrete steps can retailers take to ensure their compliance investments are effective and not wasted?

Retailers should look to the ISO 27001 framework for guidance on systematically improving their security management practices.

The ISO 27001 standard offers a structured approach to the protection of information assets. By following this path, retailers will be well positioned to more effectively meet customer demands for security and compliance, safeguard their reputation, protect customer data and effectively counter new cyber threats.

Today, this must be a priority. Cybersecurity is not merely a cost line or a technology question; it is the cornerstone of any successful modern retail strategy.

Retailers must implement robust security controls, adhere to standards such as ISO 27001, and take an integrated approach to compliance. Additionally, cyber resilience must be an ongoing process and not a one-off project. As threats and regulations evolve, defenses must evolve as well.

By prioritizing information security in board discussions and allocating adequate resources, retailers can strengthen security, build trust and mitigate significant financial, reputational and legal risks.

Sat Peters is the Senior Product Manager at ISMS.online, an auditor-approved compliance platform.