top of page

Retail – what is the cyber risk associated with remote workers?

The first step in dealing with your organisation’s cyber security is embracing the fact that you are in fact at risk in the first place.


Photo of person sending items from home online shop

With 5.5 million suspicious e-mail reports in the UK alone last year – where a high number were almost certainly linked to attempted network breaches and ransomware - it is clear to see the scale of the problem. And whilst the high-profile attack on Tesco on October 2021 is the sort of attack that the media promote, it remains the case that smaller retail businesses are more frequently targeted.


The impact on a small food producer losing its data may not just be detrimental – Tesco may have lost over £50 million in lost sales and revenue as a result of the attack - it can close them down for good.


What are the main risks associated with homeworkers?

Working from home during the COVID-19 lockdown was vital for many organisations within the sector to continue delivering services to those in need. But there’s no doubt that your home computer, or a laptop borrowed from the office, is less secure than one running in your workplace under the watchful eye of dedicated IT staff.


Phishing emails

Employees working remotely can be the largest threat to the security of your network. If they unknowingly follow poor cyber security practices, they might end up giving cybercriminals and hackers access to the network and sensitive data of the company.

Example of phishing email and identifiers - from Surfshark

Commonly, the hacker will send an email to trick the victim to login to a malicious website that looks exactly like the original website. Once the victim enters the required information, the attacker uses it to hack into an account and carry out identity fraud or steal more sensitive information. The phishing emails may look like from a person or organization you trust. It may be from a social media site, credit card company, streaming app, bank, or even a work colleague or supervisor.


Password Theft

Even when an organization uses firewalls, VPNs, and other cybersecurity software for protecting remote work, human error might come into play when employees safeguard the account using weak passwords.

Hackers can exploit human error to get past sophisticated security software. This is the reason they will try to crack the account passwords for accessing sensitive details. You won’t believe it, but twenty-three million people still use the password 123456.


Cybercriminals use different measures for cracking passwords. Often, the hackers design codes to crack a password by trying out various variants. Repeat password is another insecure practice that hackers try to exploit. As soon as the hackers crack the password to an account, they will try accessing other accounts with the same password. Employees repeating their passwords on various applications are at a higher risk of having their accounts hacked. This is particularly true for employees who use the same passwords across personal and work networks.


File Sharing

While companies might think of encrypting data that is stored on the corporate network, they might not consider encrypting data when it is in transit from one location to the other. This might result in employees sharing or remotely accessing sensitive details on a regular basis that the company is unable to secure from being intercepted by a hacker.


Personal Devices

Employees often don’t encrypt their own personal devices. Nevertheless, if work is conducted on personal mobile phones, such as logins or phone calls to business accounts, this may cause data breaches.

Photo of devices in home situation

Some businesses provide their employees with work computers to remotely access the files and information. However, others allow remote employees to work on personal computers. This approach might leave company data at risk.


Default Router Settings

Criminals may exploit the fact that a router password is still on its default setting. Change or update Router and Wi-Fi passwords as part of the working from home process for all staff. Use your web browser to log on to your router (often using the address 192.168.0.1 or 192.168.1.1), find the option to change the router password, and choose something difficult to guess. Also, configure your Wi-Fi to use WPA or WPA2 encryption and to set a strong password with a minimum of 13 characters.


Vulnerable Operating System

Cyber criminals often exploit known vulnerabilities in computer operating system to hack into the system before the operating system is updated to remove the vulnerability. By setting Windows to install updates automatically as soon as they are available you reduce the window of opportunity for these cyber criminals.


Can you protect yourself from these attacks?

Yes, you can.

Here at the centre, we would advise a whole system or organisation approach to cybersecurity to maximise its effectiveness. That would include carrying out staff awareness sessions to make sure that staff know what to look for – to spot potential attacks, and to identify when an attack has been successfully carried out.


We would also recommend that organisations look at bringing in clear policies around cyber security so that all staff are aware of their responsibilities and what they should be doing to strengthen their remote working set-ups


The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of business and loss of reputation. In the worst cases it can lead to the closure of the business altogether. But all is not lost.


What next?

Here at the centre, we would advise you to do three things now

  • Join our growing community by signing up to free core membership of the Eastern Cyber Resilience Centre. You will be supported through implementing the changes you need to make to protect your business and your customers.

  • Start working towards achieving Cyber Essentials accreditation. Even if you don't get the accredition, by implementing the controls recommended will fully or partially mitigate over 99% of common cyber attacks. If you're not sure where to start, our free Little Steps course is designed to break these concepts down into bite-sized copncepts with practical implementation ideas.

  • We would also recommend that you speak to your Managed Service Provider and / or website company (if you have one) to discuss how they can implement cyber resilience measures on your behalf.


Reporting a live cyber-attack 24/7

​If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing ​


Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.


Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).


Action Fraud logo


Comments


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page