Multiple touch-points increase the risk of digital theft
The best way to respond to digital theft is not to have one
Digital has redefined the shopping experience. Retailers are innovating as well as improving their operations in order to succeed in their digital journey. Newer technology is being implemented and legacy systems are being updated to accommodate the latest functionalities.
But digital technology has also brought with it the risk of digital theft. Retailers need to identify this risk early on and develop an approach to manage it better.
Retail has been one of the most targeted industries for digital theft, ranging from Point-of-Sale (POS) intrusions, payment card skimmers and several other data breaches, which are becoming more sophisticated with time.
This is because retailers need to:
Handle large amounts of sensitive customer data, including credit card details, profile, shopping history, and so forth, and maintain the data on distributed/networked systems;
Share a lot of data with external vendors who are a part of the complex supply chain;
Make available a lot of data on employee-owned mobile devices; and
Work with increasingly diverse staff.
Multiple touch-points increase the risk of digital theft, which can have both financial and reputational impact.
In 2014, some prominent retailers were victims of 21st century digital theft, which left millions of consumers affected, reporting a total loss of more than US$1.5 billion.
According to Juniper Research, the cost of data breaches will hit US$2.1 trillion globally by 2019, almost four-fold of the estimated cost of breaches in 2015.
Furthermore, almost 40% of businesses in Asia have experienced significant economic loss resulting from data security breaches in 2014, according to The Economist Intelligence Unit.
The best way to respond to digital theft is not to have one. Given that prevention is key, retailers should do everything within their power to avert sophisticated hackers from breaking into the system.
With Asia Pacific’s retail market booming in view of the rise of the middle class, retailers can adhere to the following eight practices to discourage digital theft.
1) Know your vulnerabilities
Every organisation has actual and potential vulnerabilities. Some are obvious, some not so much. Although it is impossible to know all, retailers can better anticipate and manage them with continuous and collaborative vulnerability assessments to help measure the degree of exposure.
2) Validate, validate, validate
Never assume that something has been done or been fixed, always demand proof.
In the hacking case of an American department store chain, the testers assumed the wireless network was disabled but it was not, resulting in millions of customers’ credit cards being compromised.
Moral of the story: Make sure the status of everything on every network is confirmed and that includes computers and devices that are presumed non-operational or that were never turned off or formally decommissioned.
Far too often, hardware is not updated with the latest security measures because nobody believed the devices were part of the network. So validate assumptions and then do it again.
3) Know your partner network
There are POS terminals, suppliers, administrators, HR (human resource) managers and thousands of others hanging on your organisation’s network from the outside. Know who they are and what their security looks like all the time.
One such major attack occurred because a vendor had legitimate access to the retailer’s network for billing and invoicing. That company’s vulnerability ultimately became the retailer’s.
It is not sufficient to have a contract requiring partners to secure things on their end, it is crucial to also test partners’ security in addition to your own.
4) Always keep an eye on the back door
One of the most common network breaches occurs with default passwords or hardware configurations, frequently at the POS terminal.
To counter this, every single POS terminal must have its defaults removed. If they are rebooted or reset, the defaults may have to be removed again. The same applies to every wireless router and connection.
Furthermore, since attacks are happening higher up the chain, the entire supply chain has to be validated to prevent malware insertion. Insist that your vendors do the same.
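Practices 2 and 4 both come down to checking the assumed state of the estate against its observed state. The following script is an added illustration, not code from the article or its author: it reconciles a constructed asset register with a constructed list of hosts seen live on the network, flagging devices presumed decommissioned that still respond, terminals reset after their last hardening (where defaults may have silently returned), and terminals still carrying default settings. The field names and the two settings treated as defaults are assumptions for the example.

```python
# Added example (not from the article): reconcile an asset register against observed
# state, as the article's practices 2 and 4 urge. All data below is constructed.
from datetime import datetime

INVENTORY = [  # constructed: what the asset register believes about each device
    {"host": "pos-01", "status": "active", "hardened_at": "2015-03-01",
     "last_reset": "2015-02-10", "config": {"admin_pw_default": False, "remote_mgmt": False}},
    {"host": "pos-02", "status": "active", "hardened_at": "2015-03-01",
     "last_reset": "2015-04-20", "config": {"admin_pw_default": False, "remote_mgmt": False}},
    {"host": "pos-03", "status": "active", "hardened_at": "2015-03-01",
     "last_reset": "2015-01-05", "config": {"admin_pw_default": True, "remote_mgmt": True}},
    {"host": "wap-07", "status": "decommissioned", "hardened_at": None,
     "last_reset": None, "config": {}},
]
OBSERVED_LIVE = {"pos-01", "pos-02", "pos-03", "wap-07", "printer-99"}  # constructed scan result

# Assumed vendor defaults: a terminal showing these values has not been hardened (or was reset).
DEFAULT_SETTINGS = {"admin_pw_default": True, "remote_mgmt": True}


def parse(date_str):
    """Parse an ISO date from the register; None means 'never recorded'."""
    return datetime.strptime(date_str, "%Y-%m-%d") if date_str else None


def audit(inventory, live_hosts):
    """Return (host, finding) pairs that someone must validate, never assume away."""
    findings = []
    known = {asset["host"] for asset in inventory}
    for host in sorted(live_hosts - known):          # live device nobody registered
        findings.append((host, "live but not in inventory"))
    for asset in inventory:
        host = asset["host"]
        if asset["status"] == "decommissioned" and host in live_hosts:
            findings.append((host, "presumed decommissioned but responding"))
            continue                                 # nothing else to check on a ghost
        reset, hardened = parse(asset["last_reset"]), parse(asset["hardened_at"])
        if reset and hardened and reset > hardened:  # reset undid the hardening?
            findings.append((host, "reset after last hardening; defaults may be back"))
        for key, default_value in DEFAULT_SETTINGS.items():
            if asset["config"].get(key) == default_value:
                findings.append((host, f"default setting still present: {key}"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY, OBSERVED_LIVE):
        print(f"{host}: {finding}")
```

Re-run the audit after every reboot, reset or firmware update, not only once, because the register stays the same while the device state changes.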
5) Know your vendors
This includes not just your organisation’s hardware and software suppliers, but also your organisation’s lawyers and accountants, HR and recruiters, architects and engineers, consultants and third parties, cloud providers, and business and technology service providers.
Any of them can introduce vulnerabilities into your network. So ensure that they are trained and that they agree to your policies and data procedures.
Next, work the way up their supply chains, since their vendors can introduce vulnerabilities into your network as well.
6) Prepare an IoT strategy
IDC predicts that this year will be the year when the Internet of Things (IoT) will move beyond the hype in Asia Pacific.
Once the IoT is fully realised, there will be exponentially more data exposure, vulnerable handlers and open doors by way of all the new connected devices.
A pre-emptive strategy is essential. Make these IP-aware (Internet Protocol) and addressable devices work for, instead of against, your organisation.
7) Learn to say ‘yes’
When confronted with new technology and its associated liability, too many companies are too quick to say ‘no.’ The lawyers, the regulators, the CIO (chief information officer) and IT directors all say ‘no’: No USB. No WiFi. No cloud. No IoT. No RFID (radio-frequency identification). No iPay.
That’s the wrong answer. Prohibiting useful technology will only encourage people to move to simpler, often less-secure workarounds.
So at least say ‘maybe.’ ‘Yes’ is better: secure whatever is deemed useful instead of fearing it.
8) Make this a ‘chief executive’ concern
Preventing digital theft is not just a security issue, nor is it only a technology, legal or compliance issue. In fact, it is a company-wide concern, fundamental to the very core of retail.
Security is not something to just bolt on; it is integral to every single business decision.
Thus, security is a CEO (chief executive officer) and board of directors issue. It enables and empowers every aspect of the company.
With so much at stake, it deserves a seat at the big boy table – as well as a big boy budget and the ear of the CEO.
Sandy Gopalan is vice president of Consulting at Cognizant Technology Solutions.