Fashion brands have been warned to step up cybersecurity as the industry becomes digitalised and Russian hackers pose an increased risk. Sarah Gibbons reports.
While digitalisation brings enhanced sustainability, reduced waste, stricter inventory management, personalised designs, smart wearable tech garments, AI-enabled virtual fittings and integrated supply chains, increasing online data offers bad actors additional attack vectors, says US-based cyber exposure management company Tenable.
“Today, data is the most valuable asset for fashion businesses,” explains Scott McKinnel, the Australia and New Zealand country manager for the Australia-based iTWire tech platform. He continues: “The idea of data security for the fashion vertical has expanded beyond the traditional safeguarding of designs and patterns to include valuable information regarding customer demographics and shopping habits. The main security threat comes from industrial espionage — competitors trying to obtain classified information stealthily.”
Common mergers and acquisitions pose “a significant challenge for the fashion industry” when it comes to systems’ security, he says, as multiple technical environments are merged, making it difficult to ensure all data is properly integrated and secured.
Additionally, supply chain attacks target vulnerable third-party suppliers or vendors to gain access to a target organisation’s systems and data, he warns, explaining that hackers will target sensitive information, such as customer data, financial information and brand intellectual property.
“As with any industry, money and attention are two lures for any fraudster, meaning that whatever moves money or draws attention is a target for fraudsters,” cybersecurity analyst Bill Bonney, from California, US, tells Just Style as he outlines online risks to the industry: “Fashion has an abundance of both. Most know bad actors are after our money. But we live in an attention economy, and we need to think of the attention we generate as valuable as well. It is valuable in and of itself – and it is valuable as a back door to direct theft. Attention leads to clicks and clicks lead to money.”
If personal data is compromised, this results in loss of confidence in the brand and will damage brand reputations, cybersecurity consultant and penetration tester Hayley Woodhouse, from Dudley, UK, tells Just Style: “There are so many ever-growing attacks on web applications and companies should ensure that penetration testing is performed on a regular basis, to identify potential web vulnerabilities.”
In January 2023, UK-based fashion retailer JD Sports admitted that personal and financial information of 10 million customers had potentially been accessed by hackers in a cyberattack affecting online orders made by customers between November 2018 and October 2020.
But it is Russia’s invasion of Ukraine that presents “perhaps the most acute cyber risk the US and western corporations have ever faced,” warn intelligence experts from the Belfer Center at the Harvard Kennedy School in a Harvard Business Review article released in February 2022, as Russia readied its military for an unprovoked attack.
“Take out your pen knife and poke under the crisis response paint,” the Harvard specialists advise any major company considering urgent geopolitical threats: “Ask: ‘If my IT systems go down, how am I going to track my inventory, manage my accounts, or communicate with my offices and plants?’”
The organisation urges companies to share details of any “anomalous or malicious cyber activity” with law enforcement and other local partners “for greater awareness to help build a collective defence”, and calls on brands to “instil a security mindset in employees, enabling multifactor authentication for data access, ensuring passwords are strong, remembering that phishing remains the number one attack vector, even for sophisticated adversaries”.
Good cybersecurity hygiene is the best defence against any ramping up of threats. Examples of risk from online customer trends include, among others, “social shopping”, where hackers could try targeting fashion companies’ networks through employees’ social media accounts signed in on fashion company devices (e.g., through phishing and spear-phishing), a spokesperson for US-based business analyst firm McKinsey tells Just Style. “Employees should be trained on how to spot phishing attempts on social media,” she adds.
Brands that refuse to embrace digitisation “will soon become technologically and culturally irrelevant,” suggests a blog by fashion design platform Seamly that was published in September 2022. As a result, it is vital that cybersecurity is invested in sustainably for the long term, not as a “last minute bolt on,” warns the Harvard Business Review article.
Woodhouse says this is needed and stresses: “Some fashion companies consider cybersecurity strategies as an additional expense that they do not need. However, not having an effective cyber strategy in place and regular monitoring is way more costly, from financial aspects to brand reputation and damaged consumer confidence.”
More fashion houses are now partnering with an operational technology (OT) security company, explains a blog on fast and luxury fashion ecommerce platform, Blufashion.com: “These partnerships must be with reliable cybersecurity experts. The reason for this is not far-fetched. No matter how much cybersecurity defence you put up, there will always be a smart hacker building up better ways to penetrate it.”
Internal measures can also include implementing blockchain technology to ensure immutable data storage, to prevent illicit leaking of information and curb counterfeiting, and the use of ethical hacking to check the validity of the cybersecurity solutions in place, cybersecurity insiders indicate on the Blufashion site and technology platform Techpacker.
Commercial technological solutions are widely available. For example, US-based OT security system Industrial Defender, which Blufashion says enhances IT/OT collaboration across various systems and sites, is crucial in the garment industry, where customer data is routinely shared with third parties in different jurisdictions, meaning different data and privacy laws may apply. “This often creates leeway for attacks,” the blog warns.
And as an August 2022 market report on Cybersecurity in Retail and Apparel from Just Style’s owner GlobalData explains: “Retail companies are high-profile and contain a goldmine of consumer personal and financial information, which will be attractive to hackers,” so urgent implementation of appropriate defence systems is vital.