Cyberattacks are a prevailing concern in India's retail sector; experts decode the elusive behaviour of hackers and embrace the online future
From the kirana shop to the entry of big retail giants into India, the Indian retail sector has been alive and kicking. Moreover, technology adoption in this sector has largely helped it cater to its growing customer base and evaluate new and more efficient business models. 'Disruption' is the term that best describes the Indian retail sector today. To understand the potential of this titanic industry: the retail industry in India constitutes over 10 per cent of the country's GDP and around 8 per cent of employment, and is valued at USD 672 billion at present.
The retail sector in India has been instrumental in creating new job opportunities, changing lifestyles and contributing a handsome share of the country's GDP. By 2018, the Indian retail sector is likely to grow at a CAGR of 13 per cent to reach US$ 950 billion.
But that is only the pleasant side of the Indian retail story. There are multiple challenges the Indian retail sector is stumbling over today, and the most acute is 'Security'. E-commerce has changed the face of the Indian retail sector in the past few years. As acceptance of technology increases, more and more consumers are willing to explore web-based shopping alternatives. The growing trend of online shopping has introduced new forms of shopping experience to customers. Moreover, the recent decision on demonetisation has been the cherry on top, driving the proliferation of online and digital forms of business and accelerating the online retail sector in India.
How Prone is Indian Retail Sector to Massive ‘Cyberattack’?
The recent number of cyberattacks in the retail sector is mind-boggling. Spanning content to transactions, when it comes to malware everything old is new again.
Extending concerns over cyberattacks in the retail sector, Zeina Zakhour, Global CTO – Cyber Security, Atos, said that for the past couple of years the retail sector has experienced large-scale cyberattacks and breaches, with a rise in the frequency and scale of such attacks and a rise in financial losses. The retail sector will need to adopt a data-centric security strategy built on a prevent/protect/detect/respond approach, premised on identifying where the sensitive data is, who is using it and for what purpose, in order to define the necessary security controls.
Expressing this in detail, Rana Gupta, VP – APAC Sales, Identity and Data Protection, Gemalto, said that as per recent industry reports, India's retail market is expected to reach US$ 1 trillion by 2020 following urbanisation, attitudinal shifts and income growth. This unprecedented growth has made the retail sector a prospective target for cyber criminals. As per Gemalto's Breach Level Index, the sector globally has been a regular target, with around 747 data breaches recorded in the four years since 2013.
Also, given the rapidly changing digital retail landscape, and the sector being one of the biggest sources of personal and financial information about its customers, it is really important for retailers to protect customer data against ever-evolving, sophisticated cyber criminals and insider threats.
From a security and privacy perspective, Gemalto recommends retailers a three-step 'Secure the Breach' approach that takes into account where your data resides, how you store and manage that data and who has access to it. The process includes:
- Data Encryption: As a first step, retailers should identify where their data resides and encrypt it. Whether your data is within physical networks, in the cloud or in motion, data encryption will obscure and protect vital information even if it is stolen.
- Crypto Management: The second step is to store the keys that can access the data away from the encrypted data, in different locations, and then implement a process to limit access and to rotate, revoke and reissue keys in tamper-resistant hardware.
- Authentication: Lastly, retailers should implement strong multi-factor authentication of users and establish a verification process. Define user access levels and automate a way to provision, manage and report on user groups.
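The first two steps of that approach (encrypt the data, then keep the keys somewhere else and manage their lifecycle there) are easiest to see in code. The following is an added example written for this article, not Gemalto's product code: envelope encryption in which each record gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves a key store, only allow-listed roles may unwrap, and KEK rotation re-wraps the DEK without re-encrypting the data. The `KeyStore` class, the role name `payments-service` and the customer record are constructed for the example; the cipher is a standard-library encrypt-then-MAC construction built from HMAC-SHA256, standing in for the AES-GCM a real HSM or KMS would provide, so that the example runs anywhere.

```python
"""Envelope encryption with the keys kept apart from the data (added example)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from one 256-bit key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, only then decrypt; ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyStore:
    """Stand-in for tamper-resistant hardware: KEKs never leave it, only
    allow-listed roles may unwrap, and rotation/revocation happen here."""

    def __init__(self, allowed_roles):
        self.allowed_roles = set(allowed_roles)
        self._keks = {1: os.urandom(32)}  # version -> key material
        self._revoked = set()
        self.current = 1

    def wrap(self, dek: bytes):
        return self.current, seal(self._keks[self.current], dek)

    def unwrap(self, role: str, version: int, wrapped: bytes) -> bytes:
        if role not in self.allowed_roles:
            raise PermissionError(f"role {role!r} may not unwrap keys")
        if version in self._revoked or version not in self._keks:
            raise KeyError(f"KEK v{version} is revoked or unknown")
        return unseal(self._keks[version], wrapped)

    def rotate(self) -> int:
        self.current += 1
        self._keks[self.current] = os.urandom(32)
        return self.current

    def revoke(self, version: int) -> None:
        self._revoked.add(version)


def encrypt_record(store: KeyStore, plaintext: bytes) -> dict:
    """One fresh DEK per record, wrapped under the store's current KEK."""
    dek = os.urandom(32)
    version, wrapped = store.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}


def decrypt_record(store: KeyStore, role: str, record: dict) -> bytes:
    dek = store.unwrap(role, record["kek_version"], record["wrapped_dek"])
    return unseal(dek, record["ciphertext"])


def rewrap_record(store: KeyStore, role: str, record: dict) -> dict:
    """After KEK rotation: re-wrap the DEK only; the bulk ciphertext is untouched."""
    dek = store.unwrap(role, record["kek_version"], record["wrapped_dek"])
    version, wrapped = store.wrap(dek)
    return {**record, "kek_version": version, "wrapped_dek": wrapped}


def raises(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc (lets callers check the failure paths)."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    store = KeyStore(allowed_roles={"payments-service"})
    rec = encrypt_record(store, b"customer=asha;card_last4=1234")  # constructed sample record
    print(decrypt_record(store, "payments-service", rec))
    store.rotate()
    rec = rewrap_record(store, "payments-service", rec)
    store.revoke(1)
    print(rec["kek_version"], decrypt_record(store, "payments-service", rec))
```

The point the code makes is that a stolen database dump is worthless without the key store, a role outside the allow-list cannot obtain a DEK even with a copy of the wrapped key, and revoking an old KEK version after rotation is safe because every record has been re-wrapped under the new one.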
Attacks More ‘Sophisticated’ Than Ever!
With IT network architectures in retail businesses growing, and in order to survive in a competitive market, retailers adopt new forms of technology; digital business models in particular are ‘hot’. Today almost every retailer admits to having been the victim of a security threat, owing to which they have had to increase server security.
Remarking on the growing forms of attack, Rana Gupta feels that the use of online banking, payment wallets, and credit and debit cards for shopping has grown significantly. According to a recent ASSOCHAM report, the recent demonetisation, leading to a reduction in cash transactions, along with the improvement of online banking facilities, has been a huge opportunity for the Indian online and offline retail sector. The report also indicates that in 2016 about 69 million consumers purchased online, which is expected to cross 100 million by 2017. Going forward, these consumers will be using the above-mentioned tools for payment, which will further put the sector on the radar of cyber criminals. So protecting financial data has never been more important.
While any industry is prone to the three categories of cyber-attacks – those being Data Privacy Breaches, Data Integrity Breaches and Denial of Service Breaches – the retail sector has so far primarily witnessed breaches in the categories of Data Privacy and Denial of Service; however, it won’t take long for breaches in the category of Data Integrity to catch up.
- Data Privacy Breaches – The retail sector has had many such incidents, the most recent being Eddie Bauer, an American retailer that fell victim to an attack that infiltrated its in-store point-of-sale systems, allowing hackers to remotely access customer credit card information from the systems that handle payment card data. Another important thing to note here is that these kinds of organised crimes are aimed at obtaining payment card or customer information. The stolen card information can be used for forging cards or for fraudulent transactions, and the customer information for identity theft.
- Denial of Service – Hackers worldwide have used armies of botnets to compromise the availability of networks and systems. With this kind of attack, the motives generally vary from hacktivism to ransom, or organised crime to mask bigger hacking attempts.
- Data Integrity Breaches – In the case of data integrity breaches, data is modified to incorrect values in order to drive data analytics to incorrect results, causing significant loss to stakeholders until it is too late.
Zeina Zakhour precisely notes:
- Point-of-sale attacks have been the preferred form of cyberattack targeting the retail sector, especially in the segments that have not yet adopted chip-based EMV payment card technologies.
- Advanced persistent threats, targeted attacks that operate in stealth mode and remain undetected by traditional security solutions, are also used in order to access the end-customer data of retailers. Such attacks are well prepared, and even target subcontractors/suppliers first in order to bounce into their intended victim (the retailer) – for instance, we have noted situations where an HVAC maintenance company was used as the entry point to subsequently target a retailer.
- DDoS attacks have also been used as a way to disrupt business and generate revenue losses, or even as a means of extortion.
- Ransomware attacks are a growing threat to all kinds of organisations, and the retail sector is also targeted by such organised cybercrime.
- Cyberattacks targeting IoT devices (for ransomware, for use in distributed denial-of-service (DDoS) attacks, or simply to steal the information generated and processed by these devices) have been rising exponentially as well.
Big Question? How To Be Safe!
Zeina Zakhour expresses that the retail industry is a customer-experience-oriented industry, implementing new technologies in order to empower and customise the personal experience. Therefore, its cybersecurity strategy should enable and secure these new consumer-centric digital transformations through:
- Conducting a thorough security risk assessment focused on data privacy & security
- Building a comprehensive IT security strategy
- Educating employees about such security risks, precautions and measures
- Securing the extended enterprise (like payment channels, business partners, suppliers)
- Securing the POS
- Building an integrated & intelligence-driven security management solution with a SOC/CSIRT to detect & respond: when everyone is under attack, the speed of detection & mitigation will allow attacks to be thwarted quickly & efficiently
- Protecting the data (access control, encryption, monitoring and similar processes) and building privacy by design to secure the personal data of end customers in order to comply with privacy regulations.
Rana Gupta notes that breaches will continue to happen — to expect otherwise would be to not understand the depth of the situation. But as their scale and complexity grow, focusing on them first would take up all of an organisation’s IT security bandwidth. A better starting point is to know what you are trying to protect and then apply the three-step process to secure the data.
However, the retail sector overall has taken significant steps to stop cyber-attacks, particularly at the point of sale, as reflected in our 2016 Breach Level Index report. Retailers had 215 data breaches in 2016, down 10% from 239 the year before and accounting for 12% of the total globally. Additionally, the number of records stolen declined 18.8% to 32.5 million from 40.1 million in 2015.
DDoS, the True Security Infiltrator
Distributed denial of service, or DDoS, attacks are a real challenge for retailers, particularly during peak season. The challenges are that an organisation’s websites might be taken down, or there may also be physical disruption: for example, shopping centres’ lift systems may be disrupted, impacting retailers and consumers.
In terms of what organisations can do about it, the first point is a technology one: make sure you have the right processes and technology in place to mitigate the attack itself. You can also conduct effective threat intelligence to anticipate when an attack is likely to happen. Lastly, the business has a role to play: make sure that the business is ready to respond and knows what its role is in responding to a DDoS attack.
Zeina Zakhour explains that DDoS attacks can vary in volume & type, and organisations should implement a DDoS mitigation service that can protect from all of them. Protocol-based attacks & application-layer attacks can be addressed by enhancing the organisation’s infrastructure with suitable defence appliances.
However, voluminous DDoS attacks will require that companies subscribe to scrubbing-centre services, which can filter legitimate traffic from the DDoS traffic and allow businesses to withstand large-scale attacks. For example, the Dyn DDoS attack in 2016 reached over 1 Tbps at its peak, thanks to a large-scale IoT botnet. Organisations should review their strategies based on these new emerging threats.
Rana Gupta asserts that DDoS attacks have reached new levels of sophistication, especially over the past year, and the retailers or enterprises that have fallen victim to such attacks have experienced loss of consumer confidence and reputational damage. For these kinds of attack, traditional protection, such as firewalls and intrusion detection, is no longer enough. In fact, in some cases firewalls actually aid cyber criminals by becoming the bottleneck that crashes the site. It is imperative for retailers to implement strong authentication mechanisms that vary according to the role and the risk associated with it. Implementing a solution that allows PKI-based authentication for administrative roles, mobile-based one-time-password authentication for (say) vendors accessing its site, and hardware-based one-time-password authentication for (say) its employees to access any IT assets will go a long way in minimising DDoS attacks.
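The distinction drawn above matters for what a retailer can see itself: a volumetric flood is absorbed upstream by the scrubbing centre and never reaches the web tier, whereas an application-layer flood (a handful of sources hammering an expensive endpoint such as search or checkout) shows up plainly in the retailer's own access logs. The following is an added example, written for this article and not part of any Atos or Gemalto tooling, of the rate-based check an on-premises SOC might run over those logs. The log lines, client addresses (RFC 5737 documentation ranges), window of 10 seconds and threshold of 20 requests are all constructed for the example.

```python
"""Spotting an application-layer request flood by per-source rate (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

NORMAL_CLIENTS = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]  # documentation range
FLOOD_SOURCE = "203.0.113.7"                                           # documentation range


def build_sample_log() -> list:
    """Constructed access log: three shoppers at one request per second for a
    minute, plus one source firing 40 POST /search requests within five seconds."""
    base = datetime(2017, 1, 10, 10, 0, 0)
    lines = []
    for sec in range(60):
        for ip in NORMAL_CLIENTS:
            lines.append(f"{(base + timedelta(seconds=sec)).isoformat()} {ip} GET /products 200")
    for i in range(40):
        ts = base + timedelta(seconds=20, milliseconds=125 * i)
        lines.append(f"{ts.isoformat()} {FLOOD_SOURCE} POST /search 200")
    return lines


def parse(line: str):
    """Fields: ISO timestamp, client IP, method, path, HTTP status."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def flag_floods(lines, window_seconds: int = 10, threshold: int = 20) -> dict:
    """Return {ip: peak requests within any window_seconds span} for every
    source whose peak reaches threshold. Events are time-ordered first so the
    sliding window is correct even if the log was written out of order."""
    events = sorted(parse(line) for line in lines)
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, ip, _method, _path, _status in events:
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak[ip] = max(peak[ip], len(window))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def targeted_paths(lines, ip: str) -> dict:
    """Which endpoints a flagged source hit: a single expensive path points to
    a targeted application-layer flood rather than generic scanning noise."""
    counts = defaultdict(int)
    for _ts, src, method, path, _status in map(parse, lines):
        if src == ip:
            counts[f"{method} {path}"] += 1
    return dict(counts)


if __name__ == "__main__":
    log = build_sample_log()
    for ip, peak in flag_floods(log).items():
        print(ip, peak, targeted_paths(log, ip))
```

The threshold is deliberately conservative: the three normal shoppers peak at 11 requests per 10-second window, so a threshold of 20 leaves ordinary browsing alone while the 40-request burst is flagged immediately. In production the same check would feed a rate limit or a WAF rule rather than a print statement, and the window and threshold would be tuned per endpoint.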
The Epicenter of Today’s ‘Cyberattacks’
With information growing exponentially in value and volume, cyber risks pose a serious threat to governments, businesses, economies and individuals. Major economies maintain extensive cybersecurity regulations to shield their classified documents and public finances.
Curious about the origin of these malicious attacks, we asked Zeina Zakhour about the geographies they come from and their impact on the digital front of the Indian retail sector. She said that the Indian retail industry is not immune to these attacks. The industry needs to seriously evaluate its security infrastructure and beef it up with modern monitoring and defence systems. Especially with the growth in digital channels (for customer service, payments and loyalty programmes), the need for customer education will be highly critical. With a large workforce gradually being inducted into the retail sector, they need to be made aware of such risks, and safeguards will have to be set up actively.
Rana Gupta, on the other hand, reasons that most modern security attacks start with a very fast but undetected breach, followed by an extended period of time in which the hacker silently siphons off data. The growing use of Internet of Things (IoT) and operational technology (OT) devices in the retail sector is increasingly making them the biggest target of cyber criminals. In fact, recent breaches in the retail industry, including those of the retailer Office and eBay, might have been greatly mitigated by the use of point-to-point encryption. Yet, according to our research, only 24% of respondents are currently implementing P2PE solutions. These hackers are also customising their attacks to regions, types of industry and languages, and India is no exception.
It’s time retailers learn about the evolving tricks and trade of cyber criminals.
Zeina Zakhour takes the last word, citing that Atos works with retail clients on various security projects depending on their needs and current security posture. For customers who want to update or build their security strategy, our security consulting teams are mobilised to run a security risk assessment and help our customers identify their vulnerabilities and the major threats to their business, and to build a security action plan & roadmap. We also work with our customers in deploying the necessary security controls to protect them from cyber-attacks. We have deployed our own IAM solution (Bull Evidian) to protect POS and supply chains, and deployed our own encryption product lines (Bull Trustway) to encrypt and protect consumers’ personal data. Bull is the Atos brand for technological products. Also, we have been working with customers to monitor their infrastructure 24/7 through our 14 Security Operation Centres (of which 2 are in India), to detect abnormal behaviour in real time (from suspicious insider activities to intrusions and cyber-attacks) and to immediately neutralise and contain such attacks.
Citing Atos’ key solutions for the retail sector, Zeina added that a security-as-a-service model will be the best business model for the retail sector, as retailers will have access to security expertise & capabilities that they cannot grow in-house (for cost reasons, but also because of the security expertise shortage in the market).
By relying on a trusted security partner, retailers can focus on their core business. Such a business model is a consumption-based model, where retailers have limited upfront investment and can extend the monitored perimeter or the scope of services on demand, depending on the changing threat landscape, new security technologies and the new services they build & launch for their end customers.
Such a model also provides retailers with cyber security expertise on demand in order to perform advanced forensic analytics, penetration testing or a security risk assessment when needed.
‘Safe Future’ of Indian Retail Sector
The growing online culture in India will bring lucrative and efficient business models. Whatever the nature of the retail business, upgrading IT and security infrastructure will be key for Indian retailers to win the game, rather than sweeping problems under the carpet only to trip over their own feet in the long run.
Overall, security will decide the fate of retail businesses, and strategy will win.