In the retail industry, one of the areas most at risk is eCommerce, where incidents of various kinds are not infrequent and cause heavy losses of both information and revenue for the banner that is hacked. In the Asia Pacific region, the Australian and New Zealand Lush websites were targeted by hackers between October 2010 and January 2011. The security breach resulted in a substantial loss of personal data, probably caused by Lush's use of a third-party payment gateway with limited security to process purchases.
Essential guidance for Retailers
IDC Retail Insights advises Asia Pacific retail companies to consider the following actions:
- A retailer's ICT infrastructure, and in particular its networking capabilities, must be centre-stage for compliance. Implementing strong data encryption, protecting web services and establishing a secure network architecture (including keeping the cardholder data environment segmented from the rest of the network, which also reduces the scope of a PCI DSS assessment) are fundamental to the compliance process.
- A detailed knowledge of the security events an organization actually experiences has a significant impact on the direction it takes in procuring security products. Frequently, the result is fewer and more targeted purchases and a lower cost outlay.
- Many retailers in APeJ (Asia Pacific excluding Japan) have little idea of their risks in terms of data, applications, users or external threats. A risk assessment should be the lynchpin of any security strategy: investments in risk management can then be prioritized, critical IT resources identified and, from there, business continuity efforts suitably targeted. The IT risk assessment should include an evaluation of the retail company's standing against the regulations it must comply with.
- Early action to establish PCI DSS compliance will go a long way towards mitigating the clear risk of financial loss and damage to the retailer's brand.
- Cloud providers are likely to be better at security than the retailer's own IT organization will ever be, owing to their ability to leverage their scale to keep up with the latest technologies, to recruit the best staff, and to withstand the scrutiny to which their procedures and policies are subjected by customers and regulatory authorities. However, when a cloud service provider certifies that it has been validated as PCI DSS compliant, this does not imply that the retail company is automatically compliant with the standard itself. When a cloud provider states that it is PCI compliant and offers retailers a PCI-ready platform (for example Amazon Web Services or Verizon), this means only that the provider has been validated against specific PCI DSS requirements; the retailer remains responsible for the others, such as the daily review of logs and the security of the applications and systems that make up its own cardholder data environment on that platform. Before relying on a provider's claim, the retailer should obtain its Attestation of Compliance and a responsibility matrix stating exactly which requirements the provider covers and which remain with the retailer.
- Take out liability insurance (e-risk or cyber insurance) to transfer the residual risk that cannot be mitigated.