Organisations operating in the retail sector are responsible for safeguarding huge amounts of customer data and ensuring a secure, smooth shopping experience for those who choose to use online services. The cost of a breach is huge, both financially and reputationally. Shailendra Singh, Chief Information Security Officer – Capillary Technologies, talks us through some of the main cyber-risks and how these can be addressed.
The retail sector is a prime target for hackers and cybercriminals, and why not?
Look at the sheer volume of data generated on a daily basis. Customers’ personal details along with their credit card numbers make a lucrative target.
However, the retail sector by design is not strongly focused on information and data security because their connection to ‘valuable data’ is not evident.
Information is usually and rightly viewed to be a domain involving software and digital interactions while retail has to do with physical products and offline stores.
This is changing rapidly with the advent of online retailing and digitisation of CRM, loyalty and business analytics solutions.
Retail giants started using software solutions a long time ago to improve their customer engagement efforts and to improve their sales and margins through advanced data analytics.
With the advent of cloud-based solutions for analytics, CRM, loyalty and e-commerce, the high volume of data and information which resided earlier in discrete form in individual stores started being collected and collated in centralised data repositories.
This permitted a greater degree of digital processing. Unfortunately, it was not always the case that the data was handled in a secure manner, mostly due to a general lack of understanding on how security should be implemented.
This problem of lax security has been resolved to a great extent when the software solution is provided by a software product company.
is of prime importance for such organisations. In cases where the software is
built in-house or outsourced to a vendor who is not specialised in providing
software solutions specifically meant for large enterprise clients, the problem
of security usually continues to persist.
Retail companies are becoming aware about the dangers involved in ignoring security as the impact of breaches have become more costly in the current market landscape where retail is driven by social media.
Protecting information and data is not only about protecting competitive information, but also about protecting brand image in the market. This has caused a significant shift in the security focus and expectations of retail organisations, whether it is towards in-house solutions or outsourced ones.
The retail industry has now become well-aware about information security certifications such as ISO 27001:2013 & PCI DSS, including the role that these certifications play in increasing assurance against security breaches.
Creating and promoting a security department within their organisations has become a common trend even in retail organisations where typically such practices were either viewed as unnecessary or excessive.
Another major factor that has resulted in more security due diligence exercises being conducted by retail organisations is that their parent organisation holds a wider portfolio of companies, some of which are closely connected to the domain of information security.
These parent organisations have a greater need for maintaining their brand image given their wider presence across multiple domains in the industry and hence they are more inclined towards conducting a thorough security due diligence on their vendor organisations.
Prioritising security alongside other business objectives is highly recommended even for those retail organisations that do not think that information and security matter to them.
Digitisation has touched every aspect of our world, which means that the potential for an embarrassing security breach exists for almost any and every type of organisation.
Retail organisations must consider obtaining information security certifications such as ISO 27001:2013 and PCI DSS if their software development and management is done in-house.
Alternately, if they outsource such activities or obtain a platform-based solution from an external vendor, then they must conduct a security due diligence exercise annually.
The risk of security breaches exists in every organisation and a vendor that is able to adequately provide assurance affirming that they consider security as an important business objective for themselves is the one that will usually be able to avoid such embarrassing and costly incidents.
Retail organisations should also consider including security metrics in their own business reviews. These could include numbers related to vulnerabilities discovered and resolved in the software applications that are being actively used, the number of incidents or events that surfaced in given duration.
It can also include whether an active bug bounty program has been implemented and if so, then how many bugs were reported and resolved within a given period. It should also review what the risk assessment of the data that is being saved, whether a detailed risk mitigation and business continuity plan exists and whether these plans have been tested.
Retail organisations should also consider including clauses and penalties related to data protection and data privacy in their vendor agreements. This ensures that a vendor becomes legally bound to provide adequate measures of security as part of their promised security deliverables.
The retail industry as a whole has been adopting most of the practices that appreciate security as an important business objective for them and it is quite likely that those who treat security seriously are the ones that will ultimately prevail in the market.
Security and privacy consciousness of the general population has been improving rapidly in the post EU GDPR world. This industry stands to upset the very audience it targets if security is not treated the way it should be.