I was reading an article dated October 9th, 2018 stating that Apple contacted police across the US to deter thefts at its retail stores. In California alone, the reported loss was around $1 million, with thieves dashing in and out of stores in a few minutes, stealing demo items. I was a bit intrigued by this modus operandi in today's digital technology world.
According to HBR, retail is one of the top five industries most affected by digital transformation. The usual suspects, IoT, AI and analytics, are being implemented at large scale across the biggest retail players, with Amazon leading the way and forcing major retailers to follow in its footsteps.
While digital transformation has a tremendous positive impact, it has also opened up new vulnerabilities in security and privacy: retail's use of digital technology exposes a large amount of customer data. The breach at Target in 2013 was an eye opener. Point-of-sale (PoS) terminals were compromised for more than two weeks, and 40 million card details and 70 million records of personal information were swiped, part of which was historical transaction information dating back roughly a decade.
Banks and credit unions paid over $200 million to reissue cards, and then filed a class-action lawsuit against Target to recover this cost. As if that were not enough, in May 2014 hackers used the credentials of three eBay corporate employees to gain access to the names, addresses, dates of birth and encrypted passwords of all 145 million eBay users. Worse, the hackers had this inside access for 229 days before it was detected.
Similarly, TJX (parent of TJ Maxx), Hudson's Bay Company (parent of Saks Fifth Avenue and Lord & Taylor), Under Armour and Panera have all reported major breaches. When there is a large central repository of data that malicious third parties can sell, buy and reuse, it is not a matter of 'if' the data will be hacked, but 'when'.
Here are some observations from the Verizon Data Breach Investigations Report (DBIR):
- The retail and accommodation industries combined ranked no. 2 in breaches, representing 15% of the 1,935 breaches analyzed.
- Top three motivations for the breaches: (i) financial, 96%; (ii) espionage, 2%; (iii) curiosity, 2%.
- Denial of service, web application attacks and payment card skimming represent 81% of all security incidents in the retail industry.
While retail ranks 4th in digital disruption, it ranks 3rd in the list for security breaches. Is this because the retail industry is not well prepared for the digital/online world? Here are three primary concerns around digital disruption in the retail industry:
- Data privacy - The red flag is raised by concerns about data storage, access, and authority. Data breaches are unpredictable, and companies often do not know about them until it is too late. What is more worrying is that breaches lead to a loss of customer trust, which is difficult to rebuild.
- Security standards - While IoT is a popular technology with increasing adoption rates, the biggest concern is the lack of standardization when it comes to ensuring security. IoT has two major security loopholes:
  - The sensors: Because of their attractiveness and cost benefits, sensors were initially sold in huge quantities, but not enough care was taken to build security measures into the hardware. This has left every company using IoT solutions susceptible to cyber-attacks.
  - The network: Given the rush to manufacture IoT devices and sensors, network security integration and infrastructure is lagging. As a result, data stored and transmitted in IoT device networks is still not secure. The difficulty of establishing standardized network protocols is also having a significant impact on full-fledged implementation of digital technology.
- Layered complexity - Most retailers already have an existing IT infrastructure. These systems are not the most reliable and have bugs of their own. Bringing IoT and cognitive intelligence into the picture adds another layer of complexity to security. This creates multiple interactions with customer data, increasing the entry points for threats like malware. Digitization also touches peripheral components such as mobile applications or websites that are connected to the data. This interweaving of traditional IT systems with digital technology creates a very complex system that is hard to monitor and secure.
What measures should be taken?
- Keeping customers informed
Customers should have a say in what information they are willing to share with companies, and in how their privacy is protected through proper governance. They should also have the power to decide parameters such as usage, conditions, and locations for the data being collected. These steps will fortify customer trust.
- Getting cybersecurity protocols in place
An end-to-end solution that protects every data point is the closest you can get to a fully secure system. A system combining threat detection, identity and access management, and data encryption will plug many of the holes that exist in the infrastructure. Given the omnichannel enablement that IoT provides through mobility and other applications, the need for the right cybersecurity protocols is even greater.
- Careful implementation
Most security problems stem from an accelerated digital transformation undertaken without understanding how the system can be circumvented. The scale and speed of the undertaking will decide how secure the system will be.
The retail industry has an unfortunate reputation for adopting a "checkbox compliance" approach to the Payment Card Industry Data Security Standard (PCI DSS). This standard is critical, as it mandates how cardholder data may be stored, processed and transmitted after a card is accepted. Similarly, compliance with the Sarbanes-Oxley Act (SOX) is vital for publicly traded retail companies, and the Health Insurance Portability and Accountability Act (HIPAA) is a must for retail pharmacies.
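What "checkbox compliance" misses is that PCI DSS (v3.2.1) Requirement 3 describes concrete controls that can be engineered and tested rather than merely attested. The following is an added example, not code from the article or from any retailer or vendor it mentions: it masks a PAN to first six / last four digits for display (Req. 3.3), replaces the stored PAN with a keyed HMAC-SHA256 token (one of the methods Req. 3.4 accepts), refuses to persist sensitive authentication data such as the CVV or track data after authorization (Req. 3.2), and redacts Luhn-valid PANs that leak into a log line. The log line, the transaction record, the key and the test card number 4111 1111 1111 1111 are all constructed placeholders.

```python
import hashlib
import hmac
import re

# Constructed sample record and log line (not real data): the PAN is the
# well-known Visa test number 4111 1111 1111 1111.
SAMPLE_LOG = "2018-10-09T12:01:33Z pos-17 auth ok pan=4111111111111111 cvv=123 amount=59.90"
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "expiry": "12/21",
                 "cvv": "123", "amount": "59.90", "merchant": "store-0042"}

# Placeholder tokenization key (assumption for this example); in production
# it comes from an HSM or key-management service, never from source code.
TOKEN_KEY = b"replace-me-with-a-managed-key"

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Sensitive authentication data (SAD) that may never be stored after
# authorization: card verification codes, PINs, magnetic-stripe track data.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc|pin|track[12])=\S+", re.IGNORECASE)
SAD_KEYS = {"cvv", "cvv2", "cvc", "pin", "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): the stored reference cannot be reversed to a
    PAN without the key, and equal PANs still map to the same token."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def redact_line(line: str) -> str:
    """Mask Luhn-valid PANs and strip SAD fields from a log line before storage."""
    def _mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    line = PAN_CANDIDATE.sub(_mask, line)
    return SAD_FIELD.sub(r"\1=[REMOVED]", line)


def store_authorized_transaction(record: dict, key: bytes = TOKEN_KEY) -> dict:
    """Return the subset of an authorization record that may persist:
    SAD dropped, PAN replaced by a masked display value plus a token."""
    stored = {k: v for k, v in record.items() if k.lower() not in SAD_KEYS}
    if "pan" in stored:
        pan = stored.pop("pan")
        stored["pan_masked"] = mask_pan(pan)
        stored["pan_token"] = pan_token(pan, key)
    return stored


if __name__ == "__main__":
    print(redact_line(SAMPLE_LOG))
    print(store_authorized_transaction(SAMPLE_RECORD))
```

Run as a script it prints the redacted log line and the storable record. The Luhn check keeps the redactor from mangling order numbers or timestamps that merely look like card numbers, and the token rather than the PAN is what downstream analytics should join on.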
This is where taking an engineering perspective on integrating IoT and analytics in the store will help minimize the risks. An engineering design-oriented mindset helps in understanding how each technology component fits with each retail process, giving a more structured picture of how your digital transformation will take shape.