ASX 200 report reveals cybersecurity risks in retail sector
A new report from UpGuard reveals significant cybersecurity vulnerabilities in Australia's ASX 200 Consumer Discretionary sector as holiday shopping approaches, exposing several top companies to increased breach risks.
The report, 2024 ASX 200 Security Report, highlights the sector's lack of preparedness, ranking it as the second-worst performing for cybersecurity among the listed companies in Australia. Notable companies like JB Hi-Fi, Webjet, Super Retail Group, and Lovisa have been identified as facing higher risks.
UpGuard, which provides cybersecurity ratings and risk management, has identified that the overall resilience among Australia's top listed companies is improving, with average security scores rising from 759 in 2023 to 773 in 2024. However, vulnerabilities remain prevalent in crucial sectors including Healthcare and Utilities.
Greg Pollock, UpGuard's Head of Research and Insights, noted, "Email and website scores in the retail sector are below 700, well below the threshold for protecting consumers. While the issues are fixable, shoppers need to be cautious when engaging with underperforming companies online."
The report identifies that 100% of companies in the Consumer Discretionary sector showed website vulnerabilities, with a worrying decline in encryption standards by 19 points since 2023. Webjet was highlighted as the worst-performing company on the ASX 200, while JB Hi-Fi, despite improvements, remains in the bottom half for security.
Materials, Communication Services, and Real Estate sectors made notable progress, achieving gains of over 30 points. Conversely, the Energy and Consumer Discretionary sectors dropped by 12 and 14 points respectively. The data also indicates that 46% of ASX 200 companies lack DMARC policies, leaving them vulnerable to phishing attacks.
Pollock remarked, "Many organisations still lack fundamental protections in critical areas like their supply chain and email ecosystems, despite high-profile breaches such as Optus, Latitude Financial, and Medibank in recent years." This underscores the potential threats to businesses and consumer trust due to phishing and data access vulnerabilities.
Nine of the top 10 most common risks to ASX 200 companies involve website security: expired or invalid certificates affect almost 24% of companies, and 50% rely on weak encryption methods. Network vulnerabilities such as open FTP ports, which the report classes as critical risks, were also noted.
Despite challenges, some companies have shown strong performances. Coles ranked second overall on the ASX 200, while Woolworths improved by 115 points, crossing the 800-point benchmark along with Metcash and Endeavour.
The report recommends several measures for companies to improve their cybersecurity posture, including improved encryption practices, regular updates to encryption standards, and stronger phishing protections through setting up SPF and DKIM and properly configuring DMARC policies. User education through regular phishing training is also advised to mitigate these risks.
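The DMARC finding above (46% of companies without a policy) and the recommendation to configure SPF and DMARC properly both come down to what a domain publishes in DNS. The following is an added example, not code from UpGuard or from the report: an offline checker that parses DMARC and SPF TXT records and flags the configurations that leave a domain open to spoofing (no record at all, a DMARC policy of `p=none`, an SPF record ending in `+all`). The domain names and records are constructed for illustration; in practice the records would be fetched from DNS (for example with dnspython's `dns.resolver.resolve("_dmarc." + domain, "TXT")`), which this example deliberately avoids so it runs without network access.

```python
"""Offline DMARC/SPF configuration checker (added example; constructed data)."""
import re

# Constructed sample records standing in for DNS TXT lookups.
# None means the domain publishes no record at all.
SAMPLE_RECORDS = {
    "good.example": {
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
        "spf": "v=spf1 include:_spf.mailer.example -all",
    },
    "weak.example": {
        # p=none only monitors; +all lets any host send as the domain.
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
        "spf": "v=spf1 include:_spf.mailer.example +all",
    },
    "none.example": {"dmarc": None, "spf": None},
}

# SPF mechanisms that cost a DNS lookup (RFC 7208 limits these to 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a($|[:/])|mx($|[:/])|ptr|exists:|redirect=)")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (enforcing, findings) for a DMARC record; None means no record."""
    if record is None:
        return False, ["no DMARC record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy or 'missing'} does not enforce; use quarantine or reject")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address, so failures go unseen")
    return not findings, findings


def assess_spf(record):
    """Return (strict, findings) for an SPF record; None means no record."""
    if record is None:
        return False, ["no SPF record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, ["record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send")
    elif last == "?all":
        findings.append("'?all' is neutral; use ~all or -all")
    elif last not in ("~all", "-all") and not last.startswith("redirect="):
        findings.append("no terminal 'all' mechanism; unlisted senders are not rejected")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10; SPF will permerror")
    return not findings, findings


def assess_domains(records=SAMPLE_RECORDS) -> dict:
    """Map each domain to whether both DMARC and SPF are enforcing, plus findings."""
    report = {}
    for domain, recs in records.items():
        dmarc_ok, dmarc_findings = assess_dmarc(recs["dmarc"])
        spf_ok, spf_findings = assess_spf(recs["spf"])
        report[domain] = {
            "protected": dmarc_ok and spf_ok,
            "findings": [f"DMARC: {f}" for f in dmarc_findings] + [f"SPF: {f}" for f in spf_findings],
        }
    return report


if __name__ == "__main__":
    for domain, result in assess_domains().items():
        status = "OK" if result["protected"] else "AT RISK"
        print(f"{domain}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running the script prints `good.example: OK`, while `weak.example` is flagged for its monitoring-only `p=none` policy and its `+all` SPF terminator, and `none.example` for publishing nothing. A monitoring-only policy is the usual first step of a DMARC rollout, so the checker reports it as a finding rather than an error; the goal the report describes is reaching `p=quarantine` or `p=reject` once the aggregate reports show legitimate mail is aligned.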
Pollock emphasised the importance of resilience and preparedness in the digital landscape, stating, "As some of the largest companies in Australia, members of the ASX 200 have a responsibility to maintain robust cybersecurity standards, particularly firms that are critical to the Australian way of life and the health of the economy at large."