VMware EMEA’s Ian Jansen van Rensburg discusses the issues around security in the retail sector.

The retail industry is intrinsically linked to the wider economy’s performance. It’s an industry that relies on constant innovation, as retailers battle to lure increasingly savvy shoppers. But it’s an industry at a perilous crossroads.

From Nike and Adidas’ hyper-personalisation to create coveted but affordable trainers, realignment to introduce lifestyle elements into stores and the growing use of VR by the likes of Ikea to enable us to roam around virtual stores, it has to continually launch new services to drive consuming spending.

All these innovations are delivered by incredibly smart applications that are built upon the clever use of data. But data isn’t, of course, just prized by retailers themselves – it’s a lucrative target for cybercriminals. The inability of retailers to protect their most sensitive data threatens to derail the continual innovation we’re seeing right across the sector. So how can we ensure that either overbearing or ineffective security doesn’t hold retailers back?


Trust from demanding consumers is paramount

Driving this constantly shifting landscape are fickle consumers with incredibly high expectations, who will go elsewhere if retailers don’t deliver. And these retailers – frequently working on wafer-thin margins, let’s not forget – have to push the boundaries or get left behind. That’s a costly mistake to make; being just second to market with a new offer or proposition in this industry can cost a retailer thousands in lost custom each month.

But pushing boundaries comes with risk. Often retailers would develop their infrastructure to launch new products and experiences too quickly, thinking about whether the data was safe afterwards. Time-to-market trumped security – this can no longer be the case.

On the flip side, many others are either being held back by concerns around keeping their customers’ data safe, or are still playing a game of ‘Whack-a-mole’ when new threats appear.

This risk has to be mitigated –  retailers handle some of our most sensitive data, including personal and payment information. We won’t give that up that if a retailer can’t guarantee security throughout the buying process or show any signs that data is not being guarded – especially if they get caught unable to handle any data breaches.

So, while every CISO of a large organisation knows that cybercriminals are already present on their network, saying ‘there’s no way I can prevent penetration’ just isn’t good enough. After all, a threat is always around the corner. IT decision makers say they expect to be hit with a security breach within the next 90 days.  According to Mandiant’s latest report, once a breach is inside an organisation, it takes an average of 99 days to be discovered. Retailers can’t afford that; they need to be in a position where, if a breach looks likely, they can spot it, isolate it, quarantine it and control it. The quicker a retailer can do that, the less chance their customers’ data will be stolen and the more trust they’ll get – and a reputation intact.


Security has to run through everything

When new applications and devices mean the attack surface is getting larger every day, when data is more valuable than ever and when the risks of compromise can be catastrophic, security has to be baked in from the start. Yes, innovations are cool, but will we go back to a shop where the assistants are using tablets if hackers are able to use iBeacons to access our sensitive data? From conception through to development through to rollout, at every stage the protection of data, applications and reputation has to be paramount.

It starts around the development of the app. Apps are launched, changed, and decommissioned rapidly. By the time a security team learns of the existence of a new app, it has often already altered. Retailers have to ensure there’s a common source of truth between application teams and the security teams, streamlining the security review and readiness process.

And security needs to continue through the maintenance of the app. Protecting for the future means changing the way we think. In a world where new ‘zero-day’ threats – previously unknown malware – are appearing constantly (1.3 million new instances every day, according to RSA), monitoring a whole infrastructure all the time for known malware or breaches seems fruitless.

Retailers must focus instead on what things should look and behave like – the known ‘good’ – rather than try to keep up with the bad guys and attempt to detect the ‘bad’ – surely close to pointless in a world of more than a million new and unknown threats every day. A security model which concentrates on known appropriate behaviour greatly improves the ability to find real threats by flagging deviations from the known good.

Having contextual intelligence on what ‘good’ looks like means no guesswork when it comes to changes, with a full understanding of what changes across the whole estate are legitimate – and which are possible threats. Innovation can continue through this approach, with the business safe in the knowledge that there is a ‘security-everywhere’ strategy protecting customer data at all times.

Ultimately, in an industry where loyalty is rapidly eroding, innovation is crucial. But innovation means both harnessing and protecting customer data. When retailers know they can innovate without fear, they’ll be on a secure path to success in an insecure market.