Fashioning a cyber strategy for retail
Creating a security culture that spans an entire organisation, from the board members to on-the-ground workers, involves impressing upon employees some of the everyday threats they face.
That’s the view of Dorian Skeete, now one year into his role heading up cyber security at burgeoning e-commerce brand Boohoo.
When Skeete is evangelising the importance of security, employees often remind him “it’s not like we are a bank or anything” to which the cyber chief likes to reel off some key stats.
Top nuggets include: over 24% of cyber attacks now target retailers; 44% of retail organisations have been hit by ransomware attackers; and 32% of those retailers paid up.
And in terms of consumer confidence, a sizeable chunk – 25% of customers – believe that their data is not safe with retailers. “Which is quite telling,” he adds.
To drive home the risks further, Skeete also shares examples of breaches that have happened at other businesses.
Recent examples he cites have included the January 2023 attack on Royal Mail, the ransomware attack on The Guardian newspaper that locked staff out of their systems for some time, and the $1.9m fine imposed on Boohoo's US retail rival Shein after it failed to disclose a data breach last year.
“All these examples enforce that risks to security are still out there and still important, we still need to take them seriously,” Skeete says.
On top of these general threats to retail, there are also threats specific to Boohoo that Skeete says he was conscious of on joining. These relate to accusations of greenwashing and to reports of poor labour conditions in the warehouses the firm uses, either of which could make the company a target for hacktivists.
“That does make Boohoo a target, not just from a commercial perspective, but from people who think they are fighting a good fight by taking our business down – that’s something we have to worry about and it’s one of the pieces of work relating to threat intelligence streams that I want to get going in the next year,” he says.
“We’ve also been making huge strides to increase sustainability in terms of where we source our clothing from and staff employed in distribution centres, making sure they are being treated fairly,” he adds.
Security culture
How enterprises can build up security culture in a way that is affordable, sustainable and long lasting was a key plank of Skeete’s session at DTX Manchester this year.
“I don’t really know the answer to that question yet,” he opened to delegates, “but I can share with you how I’m going about it.”
“There are specific structures you can build to grow that culture and it’s a marathon not a sprint – it’s not going to happen tomorrow, and Boohoo is still on that journey,” he added.
One measure firms can take, Skeete suggested, was to build up a good InfoSec team. “Our team is lean but multidisciplined, multiskilled, diverse and most importantly hungry for Infosec in general and to learn more and to apply that to what they are doing day to day.”
The diversity element of this is key, he later added, because it brings something extra to the business “whether it’s different ideas or different ways of doing things.”
Ongoing training is also important, says Skeete. “Good security habits are like muscle memory; they need to be harnessed and used as regularly as possible.”
The infosec head added that it was important for security leaders to differentiate between training and learning: completing a module is one thing; applying its key lessons to ‘real life’ situations is another.
“Training is just an activity, and it needs to be built on to demonstrate true learning. So, you need to test that understanding at various periods along the way and you need to see people on your team apply that to achieve better security behaviours and outcomes,” he says.
A key part of building up this culture outside the security and IT departments is to nurture relationships with stakeholders in other areas of the businesses, identifying key allies, Skeete added.
“Who can help you get stuff done? Can you create security champions around the business? Who might be doing your security cheerleading already and you don’t yet know it?”
Skeete also suggests building a security brand within the business by actively promoting what the team is doing to other departments.
“Has a member of your team recently completed a certification? Shout about it. Are you implementing a new platform, policy or process that is going to help the business be safer? Shout about it,” he advises.
C-Suite buy-in
Skeete himself has a lot to shout about. The IT security head and his fledgling team have received the full backing of the board to implement a cyber security strategy – no mean feat considering the Boohoo label covers 13 brands, many of which were acquired in the last five years.
How did he persuade the C-suite to get on board with his plans? TechInformed asked him after the session.
“The million-pound question! Most important of all is that you need to make sure you’re all speaking the same language. Quantify infosec risk into a business risk they understand. Involve them as much as you can, almost “over-communicate”. Take them on the journey with you,” he says.
On a structural level, he adds that setting up an infosec governing structure also helped. “This isn’t reinventing the wheel – other organisations have done this – but I set up a higher-level information security group with my CTO, my CFO etc. And beneath that are two working parties – we set up two because one of our companies, Pretty Little Things, sits on a different tech stack.
“That governing structure keeps me honest, the team honest and the strategy alive,” he says.
He reveals that one key piece of work the board-level Infosec group is currently working on is an incident response round table, which has been put together by an external security consultant to help them respond to a cyber attack.
Consolidation
In the immediate future, Skeete says the biggest piece of strategy implementation is around the consolidation and tooling of the online retailer’s 13 brands.
“Consolidation is a huge, ongoing theme for Boohoo. We have three different tech stacks – and as such that brings complexity,” he acknowledges.
“One of my first challenges has been to simplify this security complexity. Not only did it make operational sense to do so, but it also made commercial sense to do so – there were savings to be had.
“Why pay for three different platforms that overlap in terms of capability when you might be able to have just one? Where there’s a possibility for one complete vendor to cover your estate then why not explore that?”
Fortunately for Skeete, the fact that 11 of the brands sit on the same stack makes consolidation easier from an IT perspective. He adds that Boohoo also doesn’t see itself as 13 different companies, as they all sit on the same OT and IT architecture.
“We also have a methodology that stays true to our existing tech stack, which helps remove some of the traditional complexity around ingestion of a new company’s infrastructure,” he tells TechInformed.
“For instance, an anti-malware vendor that has mature capability across Windows, Linux and Mac, instead of just Windows.
“Then you have a few vendors who are multi-disciplined, who can do XDR and Anti-Malware, or Vulnerability & Patch Management – these kinds of vendors help with tooling consolidation and reducing technical complexity. However, the need for true “defence in depth” and control resiliency remain key to security.”
Future projects for Skeete and his team, also connected to simplifying and consolidating, include finding ways of getting rid of passwords and replacing them with other verification tools.
“It’s something that we’re still scoping with our third-party partners,” he says.
“As you can imagine, it’s quite a technical and culture shift, so we have to put the work into getting it right, which means a lot of time getting the requirements and scope just right; while communicating with our users at the right time,” he adds.