This article first appeared in The State of Fashion 2022, an in-depth report on the global fashion industry, co-published by BoF and McKinsey & Company. To learn more and download a copy of the report, click here.

Cyber attacks and data breaches are among the top risks for fashion companies, their customers and the wider economy. The theft of corporate, customer and employee data or funds can reverse years of hard work, undermine relationships and have a significant impact on reputation and performance.

The number of cyber incidents — including attempts to gain illegal access to a system, network, infrastructure or device for the purpose of causing damage or harm — is rising fast. Publicly reported US data breaches were up 38 percent in the second quarter of 2021 compared with the first quarter, and breaches in the first half of the year alone reached 76 percent of the total reported in 2020.

Cyber security risks exist across a range of fashion industry processes, from digital design and data analytics to online transactions and supply chain operations. Many back-office systems have only recently been digitised, meaning they present a potential point of weakness for fashion leaders and security teams who had not previously been required to identify, assess and mitigate potential risks in those areas. Indeed, shifting ways of working create constant challenges, requiring flexible decision-making muscle and continuous re-invention of defences. There are two recent evolutions in fashion industry practices that have increased cyber vulnerabilities.

The first is a movement toward more agile ways of working. New products and services are increasingly developed and brought to market through fast-paced iterations using agile methods, where rapid timelines often do not allow for rigorous risk checks. Security teams must be involved early in the development process and embedded into the full digital lifecycles of new products and services. The second is the ongoing evolution of technologies. Increasing use of cloud computing, artificial intelligence and machine learning is exposing companies to more cyber risks by widening the scope for attack. Security teams must be innovative in finding ways to apply common security patterns and methods to new technologies.

Cyber risk is on a long-term upward trend that accelerated during the Covid-19 pandemic, partially as a result of widespread adoption of work-from-home patterns and technologies and soaring demand for e-commerce. Indeed, online retail has been one of the most attacked sectors over the past year, accounting for 10.2 percent of all attacks across industries. Given the growing frequency and severity of incidents, regulators are requiring businesses to protect themselves, their partners and their customers, and punishing those that fail to do so. Europe’s General Data Protection Regulation (GDPR) imposes fines for non-compliance of as much as 4 percent of a company’s global annual revenues.

A challenge for companies looking to invest in cyber defences is that the cost of initiating an attack is significantly lower than that of protection. This creates an asymmetric battlefield in which hackers, companies, state-sponsored agencies and other perpetrators can enter systems with relative ease. Moreover, for victims, the cost of being attacked continues to rise. The average cost of a data breach rose by nearly 10 percent year on year in 2021 to $4.24 million, the largest single annual increase in seven years, according to IBM’s Annual Cost of Data Breach Report 2021. In addition, the longer that systems remain compromised the more the costs mount.

Across industries, corporate approaches to cyber security are maturing, with companies acquiring new capabilities and bolstering their resilience. Banking and healthcare are among the most mature industries when it comes to cyber resilience, while fashion has a long way to catch up. In response, fashion decision-makers need to adopt a dual mindset, reconciling short-term needs created by the pandemic with the longer-term demands of the digital economy. To increase resilience, security should be embedded into products and processes, while customers, partners, third parties and regulators should also be incorporated into enterprise-resilience management.

The rewards of doing so are clear for decision-makers: there is a direct relationship between cyber resilience and business performance. According to a recent McKinsey survey, higher cyber security maturity correlates with better margins, so the payoff from strong risk management extends beyond security.

A successful roll out of improved cyber capabilities should be predicated on action across five key areas:

Identify the playing field and risk environment.

Cyber security leaders should focus on identifying relevant cyber risks (including potential “black swan” events) across their value chains. That starts with understanding legal and regulatory ground rules, and moving to a risk-based approach. This recognises that not all assets are created equal, and not all can be equally protected. It is vital for business leaders to take a global view of both the company’s operations and its supply chains, and to communicate cyber security requirements to suppliers and third parties. Insurance against cyber attacks is an option, but it is worth reading the small print; there are likely to be areas of risk that are not covered, and market conditions are changing rapidly.

Build capabilities to prevent cyber attacks.

Rules and standards should be developed (such as acceptable use policies for email and anti-phishing guidelines) and technical prevention measures should be deployed across systems, including data encryption and next-generation firewalls. While some systems may need an extra level of protection, a general baseline is essential, such as keeping software up to date and regularly scanning systems for vulnerabilities. Where the cyber risk extends to production and manufacturing systems or other connected devices, measures should be expanded into those areas, too.

Reinforce the ability to detect and respond to cyber attacks.

The traditional focus of cyber security has been on prevention, but the spotlight is now moving towards detection and response, acknowledging that attackers will inevitably succeed in breaching systems. Internally, that means closely monitoring systems and applications, as well as encouraging employees to report suspicious activities. Customers, partners and third parties should be fully incorporated into both detection and response measures. Externally, businesses should keep a close eye on cyber threat intelligence and be on constant alert, even if their own mechanisms have not yet triggered an alarm.

Clarify responsibilities across the business.

Clear roles and responsibilities are vital to cyber resilience. Companies need to define what “good” looks like, who owns which part of cyber security and how relevant capabilities and skills should be developed. It is essential for the company’s front line personnel and anyone who is not an IT or security professional to understand their role in identifying and mitigating cyber risk, and to know what level of support they can rely on. Some companies have created the role of chief information security officer (CISO), an executive who defines and leads the overarching approach to cyber security, establishes central cyber security capabilities and helps to build capabilities across the business. While companies will need to build in-house capabilities in certain areas, they can also consider external support.

Simulate the worst case and build muscle memory.

Leading organisations test their plans and prepare for the worst by carrying out attack simulations. The aim is to assess decision-making, ensure clarity of roles and responsibilities, including decision-making power, and identify weaknesses. This enables companies to develop an effective response mechanism and improve upon their reaction speed in the event of a real attack.

Companies that lead in cyber security are defined by their outstanding performance in several key areas, including maintaining a low “click rate” in employee phishing programmes; regularly revisiting and updating cyber security priorities; deploying solutions for managing applications; scanning the IT environment for vulnerabilities; and sourcing intelligence on threats. As an overarching principle, senior managers should incorporate cyber risk into all decision-making. In this way, they will get on the front foot and ensure the organisation’s defences are as resilient as possible.

The author of this article focuses on cyber security strategy and transformation at McKinsey. This article draws on a larger body of research on cyber security. The latest report in this series is Organizational Cyber Maturity: A Survey of Industries.