Cyber security threat: C-Stores need to be more careful

Any loss of customer data can have long-term consequences leading to mistrust of an organisation and, therefore, loss of customers and sales.

With the growing demand for fast and seamless retail service, there has been a rapid increase in cybercrime. The recent cyber-attack at KP Snacks and the SPAR hack that happened last December have raised the alarm and prompted a more serious look at cyber security threats. Nowadays, many c-stores are using delivery apps and some are also planning to launch their own app, so we spoke to retailers to understand what measures they are taking to protect themselves from cyber-attacks.

Imtiyaz Mamode of Premier Wynch Lane says, “Nowadays, the world is a cyber world and we live in a digital world. So cyber crimes are ongoing like data hacking and hacking of an account. This is a big issue everywhere in the world. So that’s the hardest to handle, someone’s data, today.”

“Knowing this we try to take care of this by doing small things like, when we do a transaction, we destroy the customer’s receipt after three months.”

Mos Patel, who runs two stores in Greater Manchester, uses the same method to protect the customers’ details.

“Hackers are anyways going to hack it if they want to, we can’t do anything about it. We are a small business. We don’t have that much money to build a secure infrastructure against it. So, what we do, whatever credit details we get while transaction we shred everything, we destroy it,” he says.

“We update our laptops regularly, and disconnect them physically, the system is managed by third parties, so obviously, it’s not in our hands. Regarding the app, we use other platforms like Uber Eats, Deliveroo, and we expect them to manage their sections.”

Both Imtiyaz and Mos are working on developing their own apps for their stores.

Mos says, “We are going to have our app and probably we are looking for some local business to manage [it] for us. I think a lot of retailers have realised that they have to rely on other people because we’ve not got a lot of knowledge on it.”

Imtiyaz, an IT engineer by training, used to work with Imperial College London before getting into the retail business. To maintain customers’ trust in his store, he is in the process of building his own app. He says the idea kicked in when he was approached by Deliveroo.

“I liked their concept of an extra service and there will be extra income for the store. But there was a problem, they wanted me to increase the price of the products. For example, the product, which I sold for £10, they wanted me to sell for £14 online.”

He adds, “Most of the products in our stores are price-marked, and they wanted me to sell on extra price. And they said everyone does it, and all the store with an extra price, because you’re trying to add extra service to your shop. I said I don’t want to do it because it’s like our customers trust us a lot. And if I’m trying to put in extra money, it will break their trust. And we are well-known store in our local area and everywhere. So, it will be a breach of trust for us and customers.”

Imtiyaz is working on the development of apps that will focus only on the local area or the rest of Hampshire. “We don’t want to go for the entire UK. I don’t want to provide service on a bigger scale at the moment, because I don’t have more manpower. So, I’m planning an app that will cover only the local area,” he says.

Speaking on the cyber security threat, he says, “Yes, cyber security is a challenge and we are planning to view the third party like Barclaycard, or others which are already been bigger company, which usually deals with this kind of trust. So, we will kind of merge or use third-party software, which will be merged with our application. So that all the money or card transactions are done will be done by third party only, which are more secure.”

Both Imtiyaz and Mos believe that building an entirely secure system into their own apps will cost them more money and that it is better to tie up with a third party.

Imtiyaz adds, “In spite of spending money on that, in the beginning, we thought of giving it to a third party. Because in the beginning, we don’t know how many difficulties we might have, in the app, there can be a glitch, can be the flow of hundreds of customers or thousands of customers or a lot of traffic on our app that can crash the app as well. So, in the beginning, we thought to give it to a third party, which already have better security, like a Barclaycard, they got really good security, as far I know. So hopefully we planning to do that, in spite of building our own cyber security.”

Measures to prevent cyber-attacks

The convenience sector has increasingly been introducing shoppers to delivery apps, self-checkout tills, and card payment machines, to name but a few, while simultaneously gaining data on and visibility of its customers’ shopping habits. This insight, while useful for single and multi-site convenience stores, poses a very real risk when it comes to potential cyber threats. Asian Trader also reached out to Jonathan Wood, founder and chief executive of C2 Cyber, a vendor risk management company, to understand the reasons behind cyber-attacks and what needs to be done if you have been a victim of one.

“If hacked, access can be gained to a world of sensitive data such as customers’ card details and a store’s inventory,” he explains. “Convenience store owners must ensure there is a vendor risk management process in place to prevent the likes of a recent breach of the SPAR chain’s EPOS systems from repeating itself. Any loss of customer data can have long term consequences leading to mistrust of an organisation and, therefore, loss of customers and sales.”

He adds, “However, quite frequently cyber-attacks happen due to simple negligence such as the use of easy-to-crack passwords, no two-factor authentication, or accessing work emails and systems through a public WiFi. All these issues can be prevented by having clear work policies, password managers, and due diligence. All third parties should also have appropriate Privacy Policies that indicate how they handle partners and customer data. And, of course, always beware of phishing emails by checking the email addresses of the sender and the body copy for any inconsistency in a tone of voice or obvious spelling mistakes.”

If you have been a victim of a cyber-attack, the first thing to do is to identify the channel that was used to hack your business and take appropriate measures, Jonathan suggests.

“Change all passwords, or use a password manager that generates strong passwords for you. Use backups either in the cloud or on separate hard drives, making sure they are also password-protected, and preferably not using the same passwords for multiple accounts,” he adds.

If there has been a breach of employee or client data, one must inform the national data regulator, the ICO, within 72 hours of the breach taking place. “If the hack poses a threat to the privacy and rights of individuals, you must inform all parties affected too to ensure they take appropriate steps to protect their data,” he explains.

“If the hack happened through the third party, make sure to enquire what steps have been taken to prevent these attacks from happening in the future. Customers are more likely to trust your business if they see you taking cyber security and data privacy seriously,” he concludes.