IT security is suddenly on everyone’s lips.  High-profile hacks, cyber warfare, and DDoS attacks bringing down entire decentralised operations are now mainstream news.  And it’s not just the banks and big institutions; in a digital world, any business can be deemed a target. Hell, I was affected by the Marriott data breach, as I’m sure many of our readers will also have been – and it would have been inconceivable a couple of decades ago for someone to bother hacking into a hotel chain.

So companies of all shapes and sizes are now wrestling with new questions of risk and governance – even those who, historically, weren’t really dealing in data at all.  And while regulated industries are at the front of the conversation, even small businesses with a cloud solution here and there now need to take charge of their cybersecurity.

So by any metric, this is a discussion that the fashion industry needs to be having. But is it one we’re ready to have? Because “a cloud solution here and there” doesn’t even scratch the surface of the level of interconnectivity – and therefore exposure – that modern fashion has to information security risk.

Avenues of Attack

The simplest way to mentally audit your cybersecurity is to make a list of your most valuable data, and to consider how many avenues lead to it. For the fashion industry, this was once a fairly straightforward exercise:

  • Brands’ closest secrets were their sketches, patterns, and other design elements, as well as the sanctity of their name and identity.
  • Retailers’ most precious information was the identities and basic buying patterns of the people who shopped in their stores.

In both cases, the largest information security risk companies faced was from the competition, and the most likely way their data would be compromised was through what’s called social engineering – essentially tricking people into parting with information, or pilfering passwords.

Things have changed.

Today, brands and retailers’ most valuable asset is data, and it comes in far more varied forms – and from more sources – than ever before. Consider this:

  • In a world of fast fashion, new styles come and go so quickly that patterns, blocks, components and other elements no longer have the worth they once did. Finding out that the competition had copied your upcoming collection and beaten you to market would have been devastating under a seasonal model; it matters a lot less when your next assortment is just a couple of weeks around the corner.
  • Fast fashion’s edge lies instead in speed and responsiveness – both of which are intelligence-driven. Companies can bring products to market faster because they have unprecedented insights into their manufacturing processes, thanks to connected cutting, digital printing, and sewing hardware that fall under the umbrella of The Internet of Things (IoT). And the same companies know what styles to take to market because, rather than basic sales data, they hold what essentially amounts to psychological profiles of individual customers – allowing them to more accurately predict what will resonate.

This level of connectivity, coupled with the sheer depth and breadth of data that brands and retailers hold, means that fashion has simultaneously become a greater target, and also one with more avenues of access than ever before.

Designed to Last

It’s generally accepted that people and industries tend to adopt technologies before they truly understand their impacts – concerned that they will be left behind otherwise.  This has been true of many technology implementations – particularly the earliest ones, where budgets and timescales overran dramatically, and project teams were airlifted out of their day jobs for years – and it will doubtless become true of an equal number of both big data and Internet of Things strategies to come. We have already seen companies buying into the ideas of big data, artificial intelligence, and IoT without really considering their implications.

Our past attitudes are also extremely portable.  We bring over our biases and bad habits from one generation of technology to another very easily, which is why the IoT Security Foundation recommends a clean sheet approach, with three principles that they feel should govern any IoT strategy or product. All of these are also sensible advice for any technology investment you might be looking to make:

  • Security first – inbuilt from the start.
  • Fit for purpose – security that is appropriate for the application.
  • Resilience – security that lasts through the operating life of the product or application.

Interpretations of the second pillar will vary greatly depending on the individual application: an RFID authenticity programme, for instance, will be dramatically different in scope, scale, and cost from a multi-media marketing initiative or an industrial transformation through connected, automated machinery.  But provided these and everything in between are built with appropriate security considerations in mind from the outset, they should be safe in a live environment – at least at the time they launch.

The third principle, however, raises some difficult questions because of the differences in disposability between garments and footwear themselves, and the smart, connected platforms they might interact with.  Or, to put it another way, the consequences of a security breach at the product level and the platform level could be significantly different in terms of severity.

Once we, as an industry, roll out a technology like RFID or a new equivalent – for upstream or downstream tracking and tracing – it is likely to stay current for some time.  The investment required in chips, readers, beacons and other infrastructure across retail stores, logistics hubs, warehouses and so on will not be recouped quickly.  Which, by necessity, means that even if that technology is compromised, potential vulnerabilities may remain in the market for years or even decades if the identified holes cannot be cost-effectively plugged or patched.

In a market accustomed to short seasons and fast fashion, at the individual garment level the impact of these attack vectors is likely to be minimal.  But in a structural sense, when entire retail intelligence, warehousing, inventory management, and authenticity systems are built on a common footing, a crack in that foundation could have devastating effects.

Imagine, for example, that your public-facing commitment to transparency and sustainability relied on an RFID tracking system that had been compromised: why should consumers trust it? If your authenticity and certification system was hacked, would the difference between counterfeit and original even matter any more? And all of this is before we consider the more mundane, but more damaging prospect that the incredibly granular data you hold on customer transactions, behavioural patterns, payment details, contact addresses, social media engagement patterns and so on could be stolen.

If that sounds far-fetched, take a cautionary example from the automotive industry.  Computer science researchers, who are luckily not hackers in the criminal sense, discovered a couple of years ago that eavesdropping on the radio communication between a single Volkswagen vehicle and its owner’s key fob allowed them to reverse-engineer the handshake the two perform and then clone the fob, enabling them to unlock the car remotely at any time.  This does not sound particularly major, I realise, but that’s because I haven’t told you the same cryptographic key that secured the car – and that was stolen – was also used in an estimated 100 million different Volkswagen-owned vehicles.  And that same key was stored in various internal components of the car, so it could not be remotely patched by the manufacturer.

While the older cars affected by the hack – some dating back to 1995 – are not IoT devices in the traditional sense, the same underlying technology is employed in a huge number of connected devices that do meet the criteria to be considered part of the Internet of Things.  So the automotive industry faced a single security hole that suddenly affected huge numbers of existing customers and could have been responsible for tens of millions in lost revenues if a recall was required – all because of a hacker with a $40 radio device.

This is also only the tip of the iceberg.  The Volkswagen group sued, in 2012, to keep a similar vulnerability – this time in the RFID transponder chip used in immobilisers across some VW, Audi, Porsche, Bentley, Fiat, Honda, Volvo, and Maserati models – out of the media.  That gag order expired in the summer of 2015, and it was subsequently shown that the hack allowed a criminal – a “bad actor” in hacker parlance – to override keyless ignition systems and start these models of car without the owner being present.

Newer models – produced since the discoveries – do not have these vulnerabilities, but the two combined nevertheless serve as a case study for the kind of perfect storm that might conceivably affect the fashion and retail industry.  These were large platforms, rolled out across multiple group brands, deployed in huge numbers of products owned by loyal customers, that, when compromised, affected millions and could not easily be fixed. That is a nightmare scenario for fashion – and one that all but the biggest brands would struggle to recover from.

Play it Safe

When it comes to understanding cybersecurity in a connected, data-driven world, we must remember that for every smart company putting up safeguards, there is an equally smart person breaking them down.  And as with all genuinely world-changing technologies, the businesses looking to leverage IoT, AI, and other technologies should take the time to audit the precious data they have been entrusted with (or generated themselves) and consider how many new possibilities they might be opening up for that data to be compromised.

Because while these are unquestionably world-changing, industry-altering technologies that brands and retailers can turn into a competitive edge, standing out from the crowd doesn’t have to mean making yourself an easy target.

So whether you feel ready to make a statement on cybersecurity or not, it’s probably time to have that conversation.