Information security is going to face a new economic order: the state of information security, compliance and governance is at an inflection point. Now that its strategic significance has been recognized more than ever before within retail companies and budgets for addressing information security appearing to have stabilized, it is ready for a move to the next part of the curve: addressing growing risks of cyber security and meeting the challenges of new opportunities - such as cloud, social networking and mobility.

Funding is however on a lower curve than many IT security executives deem sufficient to meet existing and emerging security threats and regulatory requirements and to reap the benefits and challenges of new IT infrastructures, whilst managing the risks. Awareness of appropriate security policies and best practices is unfortunately poor. Where policies and strategies are in place, the gap between good intentions and operational execution and implementation, is frequently low. Many retail companies appear to lack basic monitoring of security events, their frequency, nature or source. Workforces that initially and by stealth, brought their own mobile devices into the organization's IT infrastructure and who used social networking, mixing corporate and social information unchallenged, are in many cases still unhampered by restrictions. Moreover, the development of multichannel retail strategies and the proliferation of guest wireless access in the store is adding potential security breaches.

IDC's Security Survey, recently carried out in six countries (Australia, China, India, Malaysia, New Zealand, and Singapore) among 201 companies with more than 100 employees across industries , indicates that APeJ retailers are:

  • Increasing information security budgets during 2011, focusing new investments mostly on data protection, firewalls, and antivirus
  • Unveiling intentions to implement cloud based security solutions during the course of this year. On the downside, when it comes to implement a security solution on the cloud, retail companies are worried about data protection and compliance, vendors' liability in case of troubles, and identity and identification problems.
  • Not knowing -- on the most - either how many security events have occurred in the past 12 months, or the nature of those events, for example whether those events are through applications, devices such as removable storage, smartphones, networks. Nor do they know the probable source of the breach, for example employees, suppliers, customers or hackers.
  • Half of the retail companies surveyed in the region is neither audited nor certified to be PCI compliant.
  • The retail sector is one of the most reactive towards the necessity to adopt mobile security tools and to address these new security issues in the Asia Pacific region.

In the retail industry, one of the area most at risk is the eCommerce, where is not infrequent to hear about incidents of various kind creating huge losses in terms of both information and revenues for the banner hacked. In the Asia Pacific region, the Australian and New Zealand Lush websites have been targeted by hackers from October 2010 and January 2011. The breach in security resulted in a quite huge personal data loss that was probably caused by the Lush's use of a third-party payment gateway to process purchases with limited security.

Essential guidance for Retailers

IDC Retail Insights advises Asia Pacific retail companies to consider the following actions:

  • Centre-stage for compliance must be a retailer's ICT infrastructure and, in particular, its networking capabilities. Implementing strong data encryption, protecting web services and establishing a secure network architecture are fundamental to the compliance process.
  • A detailed knowledge of security events is known to have a significant impact on the direction taken by an organization in its procurement of security products. Frequently, the result will be fewer and more targeted purchases and a lower cost outlay.
  • Many retailers in APeJ have little idea about their risks in terms of data, applications, users or external threats. This should be the lynchpin of any security strategy. Investments on risk management can then be prioritized, critical IT resources identified and from there, business continuity efforts can be suitably targeted. Included in the IT risk assessment should be an evaluation of the retail company's standing against compliance with regulations.
  • Early action to establish PCI compliance will go a long way to mitigating the clear risk of financial loss and damage to the retailer's brand.
  • Cloud providers are likely to be better at security than the IT organization will ever be owing to their ability to leverage their scale to keep up with latest technologies, to resource the best staff, and the scrutiny to which their procedures and policies are subjected by customers and regulatory authorities. However, when a cloud service provider certifies that it has been validated as PCI DSS compliant, this does not imply that the retail company is automatically compliant itself to the regulation. In fact, if a cloud provider state to be PCI compliant and it offers retailers with a PCI-ready platform (for example Amazon Web Services and Verizon), this implies that it has been validated only against specific PCI requirements, leaving the retailer still responsible for other aspects such as the daily review of the logs and the cardholder data environment.
  • Subscribe a liability insurance (e-risk insurance, cyber insurance) to counter risk.

Watch out for the full series of survey results and analysis in retail -- as well as other industries. During May, we are publishing a series of reports providing a detailed view of information security trends on an industry level, both for the EMEA and AP region. Any comment or question on retail-specific security issues and directions, please let me know ([email protected]).