60 percent of Retail Organizations in Asia Pacific Delay Digital Transformation Progress Due to Cybersecurity Concerns A Frost & Sullivan study commissioned by Microsoft uncovered that three out of five (60%) retail organizations in Asia Pacific are slowing down the progress of digital transformation projects due to the fear of cyberattacks. Cybersecurity concerns among retail organizations are well-established as a cyberattack can cost a large retail organization an average of US$18.7 million in direct and indirect economic loss. Customer churn is the largest economic consequence of a cyberattack for retail organizations resulting in US$16.9 million of indirect cost. For mid-sized retail organizations, the average economic loss due to a cybersecurity incident was US$47,000 per organization. The study further revealed that almost three out of four (73%) cybersecurity attacks against retail organizations over the last 12 months have resulted in job losses across different functions. These findings are part of the “Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World” study and aims to provide business and IT decision makers in the retail sector with insights on the economic cost of cybersecurity breaches and to help to identify any gaps in their cybersecurity strategies. The initial study involved a survey of 1,300 business and IT decision makers ranging from mid-sized organizations (250 to 499 employees) to large-sized organizations (>than 500 employees), and 10% of these respondents are from the retail industry. To calculate the true cost of cyberattacks, Frost & Sullivan created an economic loss model based on insights shared by the survey respondents. This model factors in two kinds of losses which could result from a cybersecurity breach: • Direct: Financial losses associated with a cybersecurity incident – this includes loss of productivity, fines, remediation cost, etc; and • Indirect: The opportunity cost to the organization such as customer churn due to reputational damage. A breakdown of the average direct and indirect economic cost that a large retail organization can incur due to a cybersecurity incident. “Trust is especially critical for retail organizations today as brand loyalty continues to erode in the digital era. If retail organizations do not have the reputation of being capable of protecting their customers’ personal information and financial data, consumers will switch to another option in this hyper-competitive landscape,” said Kenny Yeo, Industry Principal, Cyber Security, Frost & Sullivan. “This is why retail organizations have the highest customer churn after a cybersecurity incident, compared to other vertical industries.” Complex Cybersecurity Environment Impeding Retail Organizations’ Ability to Address Key Cyberthreats Despite knowing the high economic cost and reputational damage they may incur, retail organizations continue to remain vulnerable. The study revealed that more than half (56%) of the retail organizations in Asia Pacific surveyed have either experienced a security incident (27%) or are not sure if they have had a security incident as they have not checked (29%). For retail organizations that have encountered a security incident, the respondents highlighted that web defacements, data exfiltration and ransomware are their biggest concerns as these threats have the highest impact to the business and they often result in the slowest recovery time: • Web defacements are a unique threat that retail organizations faced as they increasingly rely on their digital presence to engage customers. Through web defacement, attackers can disrupt this vital customer channel while negatively shaping the consumers’ perception of the brand; and • Ransomware has the most severe impact on retail organizations as financially – motivated cybercriminals illicitly encrypt files to restrict or stop users from accessing them, forcing organizations to pay a ransom. Retail organizations will not only lose time and resources in dealing with the aftermath of a ransomware attack, but the experience they provide to their customers will also be negatively impacted, resulting in customer churn. The study also revealed that the complexity of managing a large portfolio of cybersecurity solutions may undermine retail organizations’ ability to protect themselves from these key cyberthreats and recover quickly after a cybersecurity incident: • The study found that 43% of retail organizations with more than 50 cybersecurity solutions encountered a security incident in the last 12 months, which is almost double of 22% of retail organizations with less than 10 cybersecurity solutions; and • Contrary to the common notion of more security solutions equals greater efficiency, 41% of retail organizations with fewer than 10 cybersecurity solutions were able to recover from cyber incidents within one hour, compared to only 14% organizations with more than 50 solutions. Gaps in Retail Organizations’ Attitude and Approaches Towards Cybersecurity Although digital platforms are now an integral part of many processes within a retail organization – from customer engagement to tracking transactions to operations – the study uncovered that many retail organizations in Asia Pacific still maintain an archaic approach to cybersecurity: • Fear of cyberattacks derailing digital transformation progress: More than three out of five (60%) of the business and IT leaders in the retail sector have indicated that cybersecurity concerns have impeded their organizations’ digital transformation plans. This can impact their competitive advantage and miss out on significant opportunities in this region’s growing e-commerce space and digital economy. As retail organizations continue to digitally transform themselves, a strong security posture can lead to increased consumer trust as well as more customers and transactions. However, the majority of respondents (43%) from the retail industry saw their cybersecurity strategy as merely a means to safeguard their organizations against cyberattacks. Only one out of five (22%) sees cybersecurity as a business advantage and an enabler for digital transformation; and • Security as an afterthought: If retail organizations do not view cybersecurity as one of the cornerstones of digital transformation, it will undermine their ability to deliver a “secure-by-design” digital project, thereby leading to products and services with security vulnerabilities. The study revealed that only one out of four (26%) retail organizations that had fallen victim to a cyberattack considered having a cybersecurity strategy before the start of a digital transformation project. The remaining respondents stated that either security was an afterthought, or they did not take cybersecurity into consideration when designing their digital transformation projects. “Retail organizations are increasingly looking to deliver personal, seamless and differentiated customer experiences by empowering people, enabling digital transformation and capturing data-based insights to drive growth,” said Raj Raguneethan, Asia Lead, Retail and Consumer Industries, Microsoft. “Today cybercrime is a matter of when and not if. While data security and privacy are vital to any business, retail organizations and brands face enormous pressures and challenges with targeted cybercrime, complex supply chains, increasing compliance obligations and constant staff turnover. Given the impact of a cyberattack to the business and its reputation, it is even more critical for retail organizations to prioritize trust, transparency, standards conformance and regulatory compliance as key success factors while formulating their cybersecurity strategy.” Retail Organizations Using Artifical Intelligence to Bolster Cybersecurity Posture Artificial Intelligence (AI) is playing a critical role in shaping the future of the retail industry. From delivering a personalized shopping experience to generating actionable insights about the customers, AI will enable retail organizations to respond accurately and efficiently to customers’ expectations. Today, retail organizations are also turning to AI to safeguard themselves from cyberthreats. The study found that that three out of four (75%) retail organizations have either adopted or are considering an AI-based approach to complement their cybersecurity strategy. By rapidly analyzing vast quantities of data and providing actionable insights for cybersecurity professionals, AI-driven cybersecurity architecture enables organizations to accomplish tasks, such as identifying cyberattacks and removing persistent threats like ransomware, faster than any humans. This makes AI an imperative for retail organizations who are looking to protect their digital platforms and customers from cybercriminals.