Information security is going to face a new economic order: the state of information security, compliance and governance is at an inflection point. Now that its strategic significance has been recognized more than ever before within retail companies, and budgets for addressing information security appear to have stabilized, it is ready for a move to the next part of the curve: addressing growing risks of cyber security and meeting the challenges of new opportunities - such as cloud, social networking and mobility.
Funding is, however, on a lower curve than many IT security executives deem sufficient to meet existing and emerging security threats and regulatory requirements and to reap the benefits and challenges of new IT infrastructures, whilst managing the risks. Awareness of appropriate security policies and best practices is unfortunately poor. Where policies and strategies are in place, the gap between good intentions and operational execution and implementation is frequently low. Many retail companies appear to lack basic monitoring of security events, their frequency, nature or source. Workforces that initially, and by stealth, brought their own mobile devices into the organization's IT infrastructure and used social networking, mixing corporate and social information unchallenged, are in many cases still unhampered by restrictions. Moreover, the development of multichannel retail strategies and the proliferation of guest wireless access in the store are adding potential security breaches.
IDC's Security Survey, recently carried out in six countries (Australia, China, India, Malaysia, New Zealand, and Singapore) among 201 companies with more than 100 employees across industries, indicates that APeJ retailers are:
- Increasing information security budgets during 2011, focusing new investments mostly on data protection, firewalls, and antivirus
- Unveiling intentions to implement cloud-based security solutions during the course of this year. On the downside, when it comes to implementing a security solution on the cloud, retail companies are worried about data protection and compliance, vendors' liability in case of trouble, and identity and identification problems.
- For the most part, not knowing either how many security events have occurred in the past 12 months or the nature of those events, for example whether those events came through applications, devices such as removable storage, smartphones, or networks. Nor do they know the probable source of the breach, for example employees, suppliers, customers or hackers.
- Half of the retail companies surveyed in the region are neither audited nor certified to be PCI compliant.
- The retail sector is one of the most reactive towards the necessity to adopt mobile security tools and to address these new security issues in the Asia Pacific region.