Retail market of India is worth a billion dollar today, it also forges the market as top five retail market in the world. Unlike other industries, this sector is also savoring the digital transformation. But every investment comes with a cost, not pecuniary but security. Today, Indian retail market is in the highest degree of being prone to security risks. To be on the ball of the current security landscape and latest cyberattacks which tremored the Indian retail industry, BIS Infotech had an opportunity to interview Surendra Singh, Country Director, Forcepoint, wherein he extended a learning curve for the retail players and also imparted on the current scenario of security in the Indian retail market. Perhaps! it’s just a gist, lot more unearths during the extensive exchange. Edited Excerpts.
- How prone is the retail sector today to cyberattack and what measures should businesses take to shield these vulnerable activities?11
The Retail Industry in India is growing at a rapid pace. Estimates suggest that India’s retail market is expected to nearly double to US $1 trillion by 2020 from US$600 billion in 2015. The share of modern retail is growing versus the unorganisedretail and it is expected to double in three years times propelled by omni-channel retail. The robust investment in the retail sector, is driven by urbanization, income growth and attitudinal shifts. Additionally, India has a vibrant e-commerce marketplace driven by rapid increase in Internet users.
Retail companies are employing multi-level strategies both online and offline to attract customers to retain them and increase sales. Retail companies run loyalty programs to draw customers to their stores. They store Personal Identifiable Information (PII) like names,mobile phone numbers, addresses, credit card/ debit card information of hundreds and thousands of customers making them vulnerable to cyberattacks.
There is increase in number of cyberattacks on retail companies in the past year or so. In India, Zomato is the latest incidence of online restaurant rating and food delivery company losing 17 million records of its customers and available on the dark web for cheap money. Globally, in the US, big retailer Target lost credit card details of 40 million customers in 2013, badly damaging its reputation and it is still spending millions of dollars in settling law suits and claims. So, retail companies are under attack from hackers as they provide great opportunity to benefit from customers’ database and financial information like credit card/ debit card details.
However, the threat is not just external but rising from inside as well. There is growing competition betweenretail companies to retain and grow their market share, giving rise to insider threat. Employees voluntary or involuntary may give away critical business data causing great disruption to companies’ business operations and future growth.
Customers trust retail companies to protect their personal and financial data and retail companies also need to strongly protect their critical business data. Retail companies should look at security measures that help them to protect from outside as well inside threat. These include:
- Identifying and fixing broken business processes that cause data theft
- Securingcritical business data by deploying powerful DLP solution
- Protecting from Insider Threats by deploying insider threat solution that help in in flagging risky behavior from employees preceding a data breach
Additionally, retailers must prepare for security protection for new technologies such as mobile and payment technologies.
- What are the growing forms of attacks faced by the retail sector?
Gaps in security are now becoming a critical issue. Retail companies are becoming popular targets as most process large volumes of personal information, including credit card and debit card data, in highly distributed environments with many endpoints and point-of-service devices. The increase in digital payment methods opens up the doors for a new wave of attacks. Less-rigorous security implementations of payment gateways leave them vulnerable.
PwC’s annual Global State of Information Security Survey 2017 found that organisations in the retail and consumer sector suffered on average over 4,000 security incidents over the preceding 12 months. 16% of organisations surveyed suffered losses of over $1 million as a result of these incidents.The biggest security issue facing retailers is protecting the transaction information of their online customers as personal and credit card data are high value targets for cyber criminals. Cybercriminals are increasingly breaking into customer records and taking highly sensitive credit card details and other personal information on customers.
3. What security strategies shall a retail business opt to keep itself secure amid the growing sophisticated attacks?
Retail companies seeking to protect their customers’ data and its reputation should have comprehensive approach that includes not only network security but are focused on protecting its critical business data from outside as well insider threat:
IT governance program: Creating an IT governance program that integrates people, processes andtechnology is important to drive business innovation while mitigating risk and reducing operational costs.
- Awareness and training: Ensuring employees understand how to handle sensitive data and can identify common social engineering schemes that target employees, such as phishing scams, are an important part of any data security strategy.
- Combining data loss prevention tools with behaviour analysis;Data loss prevention technology is used by companies to prevent data from leaving a private network and getting out into the public sphere. Recent advancements in technology now draw on behavioural analytics to separate risky employee behaviour from the noise of innocuous activities. Is an employee connecting to an unauthorised server after hours? Are they transferring large volumes of information to a USB? Technology can bring these issues to the attention of those in charge.
- Reduction of fall-out:With cyber-incidents on the rise in India, reduction of fall-out from a breach can often be as important as any prevention strategy. Having the right policies and escalation procedures in place can help contain the threat and control the overall damage.
As retailers take advantage of mobile, cloud, social and other technical trends to drive market share of the digital wallet and connect with customers, there are several factors which come into play. Enterprises need to innovate quickly, decrease IT complexity and provide digital privacy that the customers expect.
4. What are the kind of attacks Hackers use to target the retail sector?
In this digital age, the retailers most valuable and vulnerable asset is their customersinformation and companies’ critical business data. Some of the attacks that hackers use to target the retail sector include theft induced by malware attacks, exploiting existing vulnerabilities in IT systems, data stealing malware attacks and social engineering attacks like Phishing and Insider threats.
- Primarily DDoS attacks have given present trauma to the sector. What suggestions do you extend to keep themselves ahead of these attacks?
It is important for organisations to recognize that they can be a target of DDoS attack and they need to putstrategies that can help them mitigate the effects of even the most vicious DDoS attacks. It can be done by creating an incident response planning which includes DDoS mitigation plan and having threat intelligence readily available to look for potential indicators of compromise. Cert-in, threat intelligence service providers and peers are good source of knowing about such threats and attacks.
If retail companies start feeling the effects of a DDoS attack, they should check with their ISP provider to see if they can help detect DDoS attack and re-route the traffic in the event of an attack. A right ISP service provider may provide DDoS protective services as well. Lastly, consider having a back-up ISP in the event of an attack to keep the business running.
- The malicious attacks are mostly from unknown geographies from the globe. How acute is Indian retail industry with the growth of Internet and mobility-driven payment technologies.
The digital payments landscape in India has witnessed unprecedented growth largely driven by increased smartphone penetration and the rollout of 3G and 4G services at extremely affordable prices.However, the Indian retail industry is not doing enough to protect their businesses from cyber-attacks. Businesses are not prepared enough to counter any potential risks with huge increase in digital transactions. The government is looking to increase cyber security in the country to protect people and organisations from cyber terrorism.
- How does your company work along with your retail clients to keep them up-to-date with the security infrastructure for their businesses?
Forcepoint’s technology protects retail companies’ employees as well as critical business data and IP anywhere, including from advanced threats such as ransomware and phishing attacks.Forcepoint’s businesses – Cloud Security, Network Security and Data & Insider Threat Security help companies to provide open, unobstructed access to critical data and intellectual property everywhere, while reducing risk.
- What lucrative business models do you offer to your customers?
Forcepoint’sapproachto security is human-centric than threat-centric. Today, people are not just dealing with emails but range of other things including computing devices, cloud based business applications as well as third party apps. This increases the scope of vulnerabilities and threat landscape for organisations led by their employees or users.
We understand that humans are at the centre of any breach; they are the point of contact between data and device. Our approach called the human point looks into an intersection of employee behavior, their intent and critical business data in organisations. If an employee’s behavior changes, from good to malicious, we detect the change immediately and flag it off. Our aim is to enable good employee to their full potential and restrict any rogue intent. Therefore, all our product portfolio range i.e. Cloud, DLP, Network security and cross domain security aims to protect IP, eliminate security blind spots by understanding people’s behaviors and Intent.