Cybersecurity Mantras for Retail

A look at the approaches and measures retailers adopt to protect their data and systems

New Delhi: Data is the new oil of every industry, and its management and security are a prime concern. Cyber risk is the biggest threat Indian organisations face with 38% of respondents surveyed by accounting firm PricewaterhouseCoopers (PwC) feeling extremely exposed.

As a result, cybersecurity has jumped two spots from number three to number one on the risk radar compared to 2022 in the PwC’s 2023 global risk survey- India edition.

Retailers who handle an enormous pool of personal and financial data of customers, suppliers, vendors, and manufacturers and facilitate online payments are all extremely vulnerable to data breaches and cyber-attacks.

Minimising risks requires constant monitoring and regular investments in cutting-edge technologies.

Retailer’s approach

Retailers take several measures from access control to the management of crucial passwords and information to safeguard their data.

Pee Safe:  Pee Safe follows industry standards to protect user information. All information gathered on the site is securely stored on the Shopify server and on-premises small business server (“SBS”). “The database is stored on servers secured behind a firewall; access to the servers is password-protected and is strictly limited,” shared Vikas Bagaria, founder, Pee Safe, a personal hygiene company.

Companies like Vinculum Solutions, Klaviyo Inc., Paypal India, and Razorpay Software all help Pee Safe in this regard, Bagaria added.

Tata CLiQ: The company has implemented a strategy that includes encryption protocols for all data, both in transit and at rest, utilising industry-standard encryption methods. “We conduct regular security audits and maintain continuous monitoring to promptly identify and address potential vulnerabilities,” said Gopal Asthana, chief executive officer, of e-commerce company Tata CLiQ.

Asthana added that Tata CLiQ’s security infrastructure comprises robust firewalls, intrusion prevention systems (IPS), and a security operations centre (SOC) to prevent and detect unauthorised access and protect against various cyber threats.

Tata CLiQ conducts regular security assessments and risk evaluations to identify areas for improvement. Critical software and system patches are applied promptly and regularly to address known vulnerabilities, maintaining the resilience of the environment. Continuous monitoring of the threat landscape allows it to stay abreast of emerging threats and update the systems accordingly.

SAR Group: On the various measures used in enhancing security, Saurabh Gupta, Group chief information officer (CIO), SAR Group said, “Measures we use are in the areas of access control, encryption, security information and event management (SIEM), backup management and password management.”

SAR Group is in the business of making inverters and reverse osmosis water purifiers in the brand names Livguard, Livfast and Livpure.

In addition, it conducts regular updates. “Updating cybersecurity measures regularly is crucial in ensuring optimal safety against cyber threats. Changes are made as per defined timelines and the organization policies,” said Gupta.

E-commerce enablers like Gokwik that work with retail companies follow stringent processes to safeguard clients’ interests.

Vivek Bajpai, chief technology officer (CTO), GoKwik shared that the company has embraced a proactive stance by leveraging security tools provided by Amazon web services (AWS), Google, and Sophos that incorporate security features and advanced threat detection mechanisms. “Furthermore, our engagement in the CERT-IN (Indian Computer Emergency Response Team) audit process ensures that our systems are resilient against evolving cyber threats both today and in the future,” Bajpai shared.

Experts also add that identifying and addressing vulnerabilities and conducting regular vulnerability assessment and penetration testing (VAPT) through certified third-party vendors every quarter are other measures that help eliminate potential threats.

The AI Angle

Artificial Intelligence (AI) and Machine Learning (ML) have massive potential in fraud detection. Owing to this, over 48% of Indian enterprises surveyed by PwC are considering deploying emerging technology like Generative AI. Tata CLiQ already leverages AI and ML for fraud detection. The company shared that the implementation of AI-driven behavioural analytics has helped it identify anomalies in user behaviour, enhancing its ability to detect and prevent potential threats. The company adopts a zero-trust model, where trust is never assumed and verification is required from anyone attempting to access resources on the network, adding an extra layer of security to its systems.

SAR Group uses AI to detect threats, prevent them and respond to them. In addition, it uses cloud-native application protection platforms (CNAPP) and threat exposure management (TEM).

“We use a trusted gateway partner that uses secure encryption technology to keep customer transactional details confidential at all times,” added Bagaria of PeeSafe.

“Our AI algorithms contribute significantly to the detection and prevention of fraudulent activities, the automation capabilities of AI extend to certain response actions, enabling swift and precise responses to security incidents without the need for direct human intervention,” added Asthana of Tata CLiQ.

The cost factor

The update and usage of different measures in preventing breaches and theft require a consistent amount of investment in cutting-edge technologies. “We invest around Rs 4 lakh a month in ensuring cybersecurity,” shared Bagaria of PeeSafe.

The PwC survey also found that Indian organisations are ramping up investments in this regard. A considerable 55% of its respondents are planning to invest in cybersecurity tools and AI, whereas others are eyeing investments in the areas of ML and automation.

Around 70% of Indian organisations are gathering and analysing cybersecurity and IT data for risk management and opportunity identification. Globally 61% of the organisations are doing the same.

“Substantial investments have been made to strengthen cybersecurity measures, exemplified by the attainment of ISO 27001 certification—an international standard for information security management,” Gupta of the SAR Group said.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was established in 2004 by major credit card companies such as Visa, MasterCard, Discover Financial Services, JCB International, and American Express. Administered by the Payment Card Industry Security Standards Council (PCI SSC), this set of security standards is designed to enhance the protection of credit and debit card transactions, reducing the risk of data theft and fraud.

Although the PCI SSC lacks legal authority to enforce compliance, adherence to these standards is mandatory for credit or debit card processing businesses. PCI certification is widely recognized as an effective means of securing sensitive data, fostering trust, and establishing enduring customer relationships.

E-commerce enablement platform GoKwik employs a multifaceted approach to ensuring security for e-retailers it works with.

“At its core, our platform adheres to the payment card industry data security standard (PCI DSS), which sets security benchmarks for companies involved in payment processing, ensuring a secure environment for sensitive card information,” said Vivek Bajpai, chief technology officer (CTO), GoKwik.

The ISO 27001 certification 

This applies to any organization seeking to formalize and enhance processes related to information security, privacy, and safeguarding information assets. It enables organizations to showcase alignment with a recognized framework in terms of people, processes, tools, and systems.