The retail sector is transforming at a significant pace and there is a high adoptability to digital, if consumer digital uptake is any indication, writes Sanjay Vaid, director: cyber security and risk: Africa at Wipro.
As per IDC’s FutureScape: Worldwide Retail 2017 Predictions report issued in November last year, by 2019 digital transformation investments will triple, drawing funds away from store capital and profoundly changing the retail industry. There is high value capture for retailer and high value creation for consumer but like all high valuables this too need to be protected.
Retailers have been a target of cyber criminals for many years, given their access to vast volumes of customer data, such as banking and credit information and even personal information like identity numbers, addresses, and telephone numbers. This data offers a world of possibility for cyber criminals, from identity theft to fraudulent buying, to corporate espionage
With retailers no longer confined to physical spaces but launching online customer interaction platforms and eCommerce stores, data is not stored in systems accessible only by company employees anymore.
Sensitive data traverses the Internet between customers, retailers, banks and other third-party enablers every second – rapidly increasing the opportunities cyber criminals have to hack systems and obtain valuable information. This has driven the need for retailers to focus more on securing their communication channels and access control.

The threat
Traditional IT systems were designed more with operational requirements than with security in mind and, often, security was only added to systems and data storage as an afterthought. As the value chain ecosystem evolves and companies and customers become digitised, security measures such as identity management, Public Key Infrastructure (PKI), advanced threat protection (ATP), encryption and SIEM (Security Incident and Event Management) are becoming ever more necessary.
Today’s cybercriminal has multiple “doors” it can attempt accessing. Many retail mobile applications (apps) are interoperable with other apps, which can enable access and information sharing across these apps and hence access to different databases. If one of these is breached, the cybercriminal can potentially access information from another untrusted app on the mobile and access both financial and personal database which are required to conduct a cyber-crime.
Many cyber criminals are hiding their malware embedded in pictures on emails or social media platforms, which often remain undetected as firewalls may not filter them. Also, there is a case of untrusted legacy hardware or software having malware giving access to cyber criminals.
Once a cybercriminal has access to an application or untrusted hardware or software in the system, it can sit quietly and undetected in the application/hardware/software, gathering information passed into or out of the application or network, such as passwords, and even accessing retailers’ transactional database servers. The criminal can then strike, using the gathered information to commit the likes of identity theft or fraud on a grand scale.
This can also lead to the breach in personal privacy policy compliance as the personal information about the citizen can be accessed and misused.

The security needs
There needs to be a prime directive among retailers to focus on having a 360-degree view of their security, and not just looking at the individual, traditional security measures. They need to be aware that the risk of breach sits where there is a touchpoint to the Internet, be it through a customer, employee or even a supplier. Mobile applications, content, social media platforms, cloud services, untrusted software or hardware and more are all potential entry points for a cyber-criminal.
Retailers should look at all facets of security, including content security, perimeter security, advanced threat protection, identity and access management – which also include biometrics and access policies, SIEM, and Internet of Things security.
In essence, they should have an analytics dashboard which will enable them to see how the security landscape is functioning at any given time. An automated system which will provide an alert for any security incident, deviation from policy or procedures, controlling who accesses what, when, how and for what purpose. This will, in turn, lead to incident response and enable remediation.
The report generated can provide descriptive, predictive and prescriptive analysis which can track trends which can help to pinpoint vulnerability in the organization’s security posture.

International risk
From a different, yet no less important, side, retailers should also consider the security requirements for international trading. Each country is at the different cycle of security maturity level, and retailers doing business across borders need to be aware of the limitations, risks and security requirements of transacting in and out of another country.
Compliance requirements for transaction vary from country to country, and data security, governance, intellectual property and privacy policy can vary from country to country. There can be a high deviation between the framework and implementation of cyber law and policy between countries.
The countries at the beginning of the adoption curve of security regulations could put retailers from more mature security regulation countries at risk related to compliance, reputation and security breach.

The future of security
When we talk about the future of security, we need to understand that the future is now. There are many security developments happening on a global scale that is being put into effect even as you read this. South Africa is on par with the rest of the world, and we are already dabbling in artificial Iintelligence tools which deal with prescriptive analytics and behaviour analytics.
As per IDC forecast, artificial intelligence will change how 25% of merchants, marketers, planners, and operators work, improving productivity by 30% and KPIs by 10% to 20%.
AI systems can analyse behaviour patterns of how users log into systems and raise the alarm if a deviation is found. For example, it fingerprints behaviour over time so if an employee who typically accesses a particular area of the network suddenly accesses areas of the network he or she does not usually access or the way the password is typed, it raises a security incident alert.
Similarly, GPS technology can be used by an AI system to detect if a login happens simultaneously from two different locations for same user- a sure sign of a breach or illegal access.
AI can also be tied into the fast-growing world of the IoT. IoT-enabled consumer electronics are entering the home, and personal information such as banking details are being stored within these devices, enabling automatic transacting. On the operation side IoT has a big role as per IDC by 2019, robotics and IoT technologies will increase in-store, in-warehouse, and in-distribution centre productivity by 1,5-times for early adopting retailers and by 3x for later adopters.
This convergence of retail, banking, consumer electronics along with big role of IoT and AI all need to be looked at holistically from a security perspective, ensuring that data – and the businesses accessing that data – is protected at all costs.
We are in for exciting times in Retail with digital bringing newer opportunity & platform for business; security will ensure availability, integrity, and confidentiality on these platforms and help uphold the brands image.