Technology has changed the way retail businesses work from top to bottom. Mobile applications, social media platforms and online customer loyalty programmes have made it easier for retailers to reach customers and keep their brands at the top of consumers’ minds. The industry’s use of data analytics and cloud computing has also become more sophisticated, improving performance in operations as well as marketing. Behind the scenes, the Internet of Things, mobile networks, and big data have helped to revolutionise supply chains and logistics, helping small manufacturers reach new markets with greater reliability.
More channels, more attack surfaces
However, a greater number of tools and channels also means a wider range of attack surfaces. The retail sector’s digital transformation could leave retailers and customers more vulnerable to hacks: according to Symantec’s Internet Security Report, retail was the industry with the third highest number of identity theft victims. Hackers can find potential entry points in consumers’ mobile phones and computers, vendors’ systems or point-of-sale systems in-store.
In addition to stealing customer data, hackers are also targeting vulnerable retailers with Distributed Denial of Service attacks (DDoS), where online services are taken offline by overwhelming traffic from multiple sources; defacement attacks; publishing trade secrets and internal information; and other hostile tactics.
Here in Singapore, criminals recently used WannaCry ransomware to breach shopping malls and stores including Desigual at Orchard Central, Tiong Bahru Plaza and White Sands Mall. K Box fell victim to hackers who exposed customer mobile numbers, ID numbers, and addresses in what the hackers called a protest of the government’s decision to raise toll charges at the Causeway.
The high-profile K Box case aside, hackers are generally financially motivated and hacking tools are readily available online, lowering barriers to entry. For example, would-be criminals can rent access to botnets or tools that automate attacks; in other words, you don’t need sophisticated technical skills to mount an assault. PwC’s Global State of Information Security Survey 2017 found that over a period of 12 months, organisations in the retail and consumer sector suffered on average more than 4,000 security incidents and, as a result, about one in six organisations incurred losses of over US$1 million.
Several years ago, it may have been enough to implement a firewall and strict access controls. But as mobile applications and the Internet of Things become more prominent in the retail industry, more must be done to build up a robust cybersecurity ecosystem.
Retailers still focusing IT resources on performance need to shift their attention to cybersecurity. Solutions for retail will need to be tailored to accommodate retailers’ unique characteristics, such as high staff turnover, large transaction volumes, and distributed operations.
The saying “you are only as strong as your weakest link” applies well here. With staff spread across various locations, it is important that a “security-first” culture is instilled in every employee. Creating an IT governance policy is one way to inform stakeholders – including vendors and customers – of processes and broad principles for information security. Senior executives who are not already involved in cybersecurity need to be, and it should be considered a business risk management issue among C-suite decision-makers.
Regulatory approaches to cybersecurity
Many Asian regulators are developing their own approaches to cybersecurity. The scope of cybersecurity law varies from Singapore’s light-touch framework, which imposes obligations for Critical Information Infrastructures (CIIs), to more stringent approaches like Vietnam’s draft cybersecurity law that will require all Vietnamese user data to be stored locally.
While each of these frameworks may work well for the individual countries, the many different approaches in the region make it even harder for retailers to establish a cohesive approach, or collaborate, across countries. Developing a solution that complies with all the requirements will need an ongoing conversation with regulators aimed at harmonising their regulatory postures. Without this coordination, it will be far harder for startup retailers to grow across the region’s markets, stifling growth and hurting consumer choice.
Considering these developments, Access Partnership and JurisAsia gathered tech compliance, public policy, and legal and intellectual property experts in the retail and consumer industries for a panel discussion with officials from the Singapore Cyber Security Agency and Lazada Group. The discussion delved into the importance of bringing in C-suite executives to make tough cybersecurity decisions that involve tradeoffs, as well as the need to take a collaborative approach towards cybersecurity, from minimising human factors through employee education to improving regional defences through confidence-building measures.
Consumers today demand accountability and trusted environments to foster a long-term brand-consumer relationship. A comprehensive cybersecurity plan will therefore add value to a retailer’s business. Beyond technical measures, cybersecurity plans should include compliance, engagement with industry groups like information sharing and analysis centres, government relations in key markets, and collaboration with technology, payments and related industries.
Only with close collaboration between governments and industries, both to inform policies and take action in concert, can citizens be protected from threats by malicious actors.
- Ryan Johnson, Senior Manager at Access Partnership
- Sheena Jacob, Director at JurisAsia LLC.
This article was published in The Business Times on May 25, 2018. Source: https://www.businesstimes.com.sg/opinion/fortifying-retail-operations-as-cyberthreats-intensify