Risk Management in the Retail Industry


Cyber risk management for the retail industry increases in complexity on an almost daily basis. Using Software-as-a-Service (SaaS) tools eases business operations by streamlining payment processing and inventory management. However, since automated tools connect to the internet, they add new risks that retailers need to mitigate.

Managing Risks in the Retail Industry

What is digital transformation?

Digital transformation is the use of new technologies to ease business operations. In retail, these technologies often involve cloud migration which incorporates Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) vendors.

For example, restaurants now use applications on mobile devices to record customer orders. Then, those applications connect with the restaurant’s inventory application to streamline the manual activities that lower profitability either through human error or time spent.

Despite these operational and financial benefits, the applications increase the likelihood of a data breach.

What is the data breach risk to the retail industry?

In November, one report indicated that retail ranked second-to-last for application security when compared with other industries. The Thales 2018 retail cybersecurity report provided some disturbing statistics for retailers:

  • 50% of retailers said they had experienced a data breach
  • 84% of respondents planned to increase their spending for IT security
  • 85% of IT security professionals in retailers worked for companies storing sensitive data in the cloud

The problem is that the new technologies retailers use often lack security controls or come with inherent security risks. No standardized framework for addressing IoT cybersecurity currently exists. Meanwhile, the cloud remains an inherently risky location.

Establishing modernized IT infrastructures to provide new customer engagements therefore requires retailers to move beyond traditional compliance and embrace security-first cybersecurity strategies.

What is the supply chain retail risk?

The retail industry sits in the middle of two supply chains, both of which can compromise information.

The Business Supply Chain

The retail industry incorporates merchants and retailers. Merchants sell wholesale goods while retailers sell to individual customers.

At the top of the supply chain sit the manufacturers, who sell to the merchants. Merchants then sell to retailers. Retailers then sell to individuals.

Each stop on the supply chain incorporates information sharing and IT risk. If the manufacturer’s customer database experiences unauthorized access, then the merchant’s information is at risk. If the cybercriminals obtain email addresses linked to the merchant, they can use tools to guess at potential passwords which can lead to compromising the merchant’s database.

The merchant’s breach now places the retailer’s databases at risk because cybercriminals may be able to use their tools to access the retailer’s software, systems, and networks. A data breach at this level places the customers at risk.

The Digital Supply Chain

Embedded within the business supply chain is the digital supply chain. Many of the risks in the business supply chain arise from digital integrations, and just as goods flow downstream through the business supply chain, so do digital products.

For example, a retailer may set up shop on AWS. That shop then includes integrations within the IaaS environment enabling SaaS payment and inventory applications. The IaaS and SaaS providers are both third-party vendors, and each adds data breach risk.

To build the SaaS application, the developers use a PaaS environment. The retailer’s third-party vendor has a third-party vendor of its own. Now, the retailer needs to worry about the risk this fourth-party vendor brings to the ecosystem.

If cybercriminals gain unauthorized access to the DevOps environment, then the SaaS vendor is no longer secure. This lack of security then travels back upstream and creates a data breach risk for the retailer.
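The two chains described above (manufacturer to merchant to retailer to customer, and PaaS to SaaS to retailer) can be modelled as one dependency graph so that the "blast radius" of a breach and the tier of each vendor become computable. The following is an added illustration, not code from the original article or from ZenGRC; the ecosystem and vendor names are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed, hypothetical ecosystem (not real vendors). party -> suppliers
# it depends on; a breach at a supplier exposes every party that depends on it.
DEPENDS_ON = {
    "Customer": ["Retailer"],
    "Retailer": ["Merchant", "IaaS", "PaymentSaaS", "InventorySaaS"],
    "Merchant": ["Manufacturer"],
    "PaymentSaaS": ["PaaS"],      # the SaaS vendor's own vendor: a fourth party
    "InventorySaaS": ["PaaS"],
}


def exposure_edges(depends_on):
    """Invert the dependency map: supplier -> [parties its breach exposes]."""
    exposes = defaultdict(list)
    for party, suppliers in depends_on.items():
        for supplier in suppliers:
            exposes[supplier].append(party)
    return exposes


def blast_radius(compromised, depends_on=DEPENDS_ON):
    """Every party whose data is at risk if `compromised` is breached.

    Walks the exposure edges downstream (PaaS -> SaaS -> Retailer -> Customer).
    """
    exposes = exposure_edges(depends_on)
    at_risk, queue = set(), deque([compromised])
    while queue:
        node = queue.popleft()
        for downstream in exposes.get(node, []):
            if downstream not in at_risk:
                at_risk.add(downstream)
                queue.append(downstream)
    return at_risk


def vendor_tiers(party, depends_on=DEPENDS_ON):
    """Tier of each supplier relative to `party`: 3 = third party (direct),
    4 = fourth party (a supplier's supplier), and so on up the chain."""
    tiers, queue = {}, deque([(party, 2)])
    while queue:
        node, tier = queue.popleft()
        for supplier in depends_on.get(node, []):
            if supplier not in tiers:          # keep the shortest path's tier
                tiers[supplier] = tier + 1
                queue.append((supplier, tier + 1))
    return tiers
```

A vendor risk program would use `vendor_tiers` to decide which fourth parties need assessing at all, and `blast_radius` to see which customer-facing systems a given supplier's incident would reach.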

Why retail needs to embrace security first

The first step to securing customer and corporate information lies in creating a risk management program based on securing data, not on checking off boxes on a compliance list.

Identify and Assess

To begin, retailers need to identify and assess their cybersecurity risks. Although some risks are apparent, many others are invisible. For example, using IoT increases the likelihood that a malicious actor can engage in a man-in-the-middle (MitM) attack. Many IoT devices use Bluetooth connections, which are essentially short-range radio links. Since the connections don’t have encryption, a cybercriminal can “eavesdrop” on the data or use the device to obtain access to systems.
Analyze

After identifying and assessing the risks, retailers need to analyze them. High-risk information located on devices that are more likely to experience a data breach needs stronger security controls. For example, cardholder data stored, accessed, or processed by a mobile device application requires greater security.
Monitor

After finding ways to secure the information, retailers need to continuously monitor and document the effectiveness of their controls. Since cybercriminals continually evolve their attack methodologies, controls that are effective today may not protect a business tomorrow.

Respond and Remediate

Next, retailers need to create a response and remediation strategy. Continuous monitoring processes may alert a retailer to a problem that needs remediation to prevent a data incident.

Establish a Vendor Risk Management Program

Finally, mitigating risk across the business and digital supply chains requires creating a vendor risk management program that identifies, assesses, analyzes, mitigates, and monitors vendor risk.

How ZenGRC eases retail risk mitigation

ZenGRC’s System-of-Record makes collecting audit information easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.

For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and the proportion of controls mapped to a particular framework.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and its status. These details mean that compliance managers no longer need to spend time following up with the organization’s many vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, but it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.