Keeping data safe during online transactions

With growing digitisation and greater privacy laws on the horizon, data protection is going to be more important than ever for e-commerce businesses. Muneerah Bee finds out how retailers can stay ahead of cyber attackers.

E-commerce retailers receive a lot of personal information from online shoppers including their name, address, email/mobile number, credit numbers and so on. Shoppers also inevitably provide information on their shopping preferences when they browse e-commerce sites and all these data, if unprotected, could be susceptible to hacks and the information be used for crimes such as spams, credit card theft, or even identity fraud.

Besides the massive data sprawl that sees their critical data spread across cloud networks and private devices, the average retail operation is also filled with Internet of Things (IoT) devices such as smart point-of-sale (POS) systems, scanners or cameras, all of which present potentially expanded threat surface susceptible to cyberattacks.

Yet, the retail industry is not slowing down its adoption of technology as it looks to improve business efficiency, according to Alex Lim, senior director, South-east Asia & Channel Sales and Alliances, Asia-Pacific & Japan, Forcepoint. “The most fundamental challenge for cybersecurity experts rests in the ability to control data as it moves in and out of the organisation’s possession while employees seek to use it on demand, everywhere,” he said.

Employees are often an organisation’s biggest asset, Lim added, but the most underutilised resource too. The human risk from inside an organisation today is real and immediate, with major breaches that hit our headlines increasingly resulting from within the organisation.

“Protecting data effectively requires an organisation-wide change in mindset that is, moving from a threat-centric security approach to a human-centric one. The human-centric security approach focuses on user behaviour and intent, not just threats. It is cybersecurity that can be tailored to the unique identity and intent of an individual user by providing context for b activity and flagging abnormal behaviour. It is delivered by risk-adaptive protection solutions that integrate a broad spectrum of capabilities such as DLP (data loss prevention), UEBA (user and entity behaviour analytics), CASB (cloud access security broker) and NGFW (next generation firewall) and understands different channels of interaction with users, data and networks,” he explained.

Based on the latest Gemalto Breach Level Index, 112 breach incidents took place in the retail industry in the first half of last year, and across industries, Asia-Pacific is ranked the third in terms of the number of breach incidents. Additionally, 70% of the consumers would stop doing business with a company if it experienced a data breach, based on the Data Breaches and Customer Loyalty 2017 report and retail (61%) is the top sector where consumers would leave if they suffered a breach.

Alex Tay, Gemalto’s ASEAN Regional Director, Enterprise and Cybersecurity, commented: “E-commerce businesses are already under increasing pressure. First of all, they handle a huge
amount of data and they need to make sure both the data at-rest and the data in-transit are protected. This would require their system infrastructure to be resilient and robust. In addition, they need to ensure compliance with the requirements of the personal data laws when collecting and processing the users’ data. Increasingly, users also need to provide written consent for their data to be used for business purposes. This process is shifting to an ‘opt in’ model in recent years, instead of the traditional ‘opt out’ model.”

Regional concerns
E-commerce businesses need to understand the personal data protection regulations of different countries in Asia, in order to conduct and process cross-border e-commerce transactions, Tay cautioned. “For example, the Personal Data Protection Act (PDPA) in Singapore currently stipulates that businesses need to obtain consent for data collection and usage. However, the Personal Data Protection Commission (PDPC) is reviewing the laws, exploring options where seeking consent from consumers for the collection and use of personal data may not be practical,” he shared.

At the same time, the PDPC is proposing to introduce mandatory data breach notification to replace the voluntary one in place today. The time period for such a notification would be 72 hours after a breach is discovered.

Additionally, cross-border transactions are increasingly becoming common as people are buying from all over the world which means there is also a need to observe legal regulations in different countries/regions. For example, the General Data Protection Regulation (GDPR) will affect e-commerce businesses if their customers are from any of the EU states. E-commerce businesses need to ensure data are encrypted in the whole process, especially if they do not use a third-party payment vendor and choose to collect, process and store payment details by themselves, Tay advised.

As the capacity to collect, store and analyse data for commercial purposes continue to grow exponentially, GDPR and country-specific data protection laws seek to strengthen and unify personal data privacy and protection — putting people in control of their data and ensuring that businesses treat this data in a fair, transparent and secure manner.

It is no surprise that this seismic shift in the way data security is handled has caused a ripple effect across the globe, Forcepoint's Lim noted, with many countries following suit and modernising their own privacy and data protection laws. Recently, Australia saw the Notifiable Data Breaches scheme come into effect, which requires Australian businesses with a turnover of more than A$3 million (US$2.31 million) to publicly disclose eligible breaches.

He went on to highlight that in the Philippines, March 8 this year was the deadline of the Transitory Period (Phase II) for the Registration Requirement under the Philippine Data Privacy Act of 2012. The law is applicable to both public and private companies with at least 250 employees or that have access to the personal data of at least 1,000 people. Meanwhile, India is currently undergoing a public consultation around draft data privacy legislation, which is on track to come into effect by the end of the year.

“While many may be worried about the implications of a new regulatory era, in reality it will create trust and provide good practices that will benefit both the individuals and the business. These laws collectively present a positive business opportunity, when approached in the right way. Compliance can drive operational efficiencies, cost savings and even fuel innovation. With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimise the all too common reputational and financial fall-out of a breach,” Lim assured.

Securing data
In the retail environment, there are many points where employees interact with business-critical data, ranging from email to Web to third-party cloud applications and more. To mitigate this risk, Lim suggested a shift to an enduser approach to cybersecurity will serve retailers far better than broken cyberdefence models centred on “keeping bad stuff out”. In this zero-perimeter world, humans are the only constant across technology use and cyber threats, he added.

By focusing on the human points of interaction, cybersecurity professionals in the retail industry can develop a proactive cybersecurity system that focuses on understanding identity and intent of users. They can recognise the context of user and data activity, understand what is normal and is not. This human-centric approach brings visibility quickly to abnormal activity posing the highest risk and prioritises the security response.

Tay opined that retailers should understand that they need data-centric protection, which means they should adopt a robust and enterprise-ready encryption solution to secure their customer data. One of the key considerations is that the solution, recommended by the vendor, must be payment card industry data security standard (PCI DSS)-compliant. A comprehensive data-centric approach to security not only helps address near-term compliance objectives but also ensures the security of sensitive assets in the long term, he added.

Beyond cardholder data, retailers need to protect all sensitive data wherever it exists and limit access to this data, and this is where tokenisation helps, Tay continued. “It protects structured data at rest in databases and application, ensuring only authorised individuals are able to decrypt and view sensitive information. Another area will be to boost additional security for point-of-sale or point-of-interaction terminals and the payment application software,” he observed.

However, as an organisation, retailers need to shift their mindset for data security, in order to stay ahead of their attackers and become more effective in protecting their intellectual property, data, customer information, employees and their bottom lines against data breaches in the future.