Retail 4.0: when sales are online, IT security becomes a priority
Domenico Raguseo, Head of Digital Factory CyberSecurity, Exprivia
The advent of digital technologies has influenced numerous sectors: the manufacturing industry, healthcare and financial services, to name a few. But there is also another sector that, without major announcements and declarations, has been completely revolutionised: distribution. As in manufacturing, where the term Industry 4.0 identifies the trend to use new technologies in industrial processes, the distribution sector uses the term Retail 4.0 for the process of adopting digital technologies.
The lockdown related to the COVID-19 emergency has confirmed and demonstrated how it is possible and easy to work from home, attend lessons from home and also buy and sell goods and services from home. The experience of e-commerce, of Retail 4.0, has now entered our daily life.
Retail 4.0 is the ultimate evolution of the idea of a store that seeks to personalise every service. If the concept of a store was initially inspired by the idea of selling any good in one location, today the objective is to customise the sales processes so that they become services tailored to the consumer using the latest technologies: from e-commerce to IoT, from blockchain to augmented intelligence. It is not just about buying or selling from home, but finding the right mix of services that allow the consumer to feel comfortable.
In order to properly customise services based on the profiles and needs of consumers, the consumers’ data must be accessed in compliance with governing privacy rules.
Data protection and privacy guarantees are therefore cybersecurity issues on which the distribution market must focus.
An important factor for this type of business is certainly the trust mechanism that is established with the consumer. In other words, the consumer must overcome the mistrust regarding the potential risk of abuse when his/her personal data are used. The service provider has a responsibility to protect consumer data from potential cyber-attacks in order to avoid undermining the relationship of trust created.
Today everyone remembers when, in 2013, data relating to encrypted PINs of debit cards, names, addresses, telephone numbers and e-mail addresses of consumers were stolen from a leading distribution company. At present, things have not changed a great deal. The number of stolen credit cards and related credentials exceeds tens of millions and the cost on the dark web of a credit card with related credentials is less than that of a medical record. Obviously, this information is not stolen only through online portals of the retail sector, but the consumer remains concerned and wants increasing reassurance on the processing of his/her data.
Regulations help identify the most appropriate security control for risk reduction. Some legislative references and useful suggestions are provided below:
- Manage all access and activity logs on personal data in compliance with governing regulations (Article 30 of the GDPR, Records of data processing);
- Pseudonymise the data accessed in order to guarantee privacy and confidentiality of the original data;
- Ensure that the data is not accessed if the owner has not given consent or that access is removed if the owner decides to revoke the consent;
- Ensure that the data is logically and physically eliminated if requested by the owner (Article 17 of the GDPR);
- Notify the authorities in the event of a breach of sensitive data, providing the necessary information;
- Ensure the data is adequately protected.
Data protection requires making an assessment that identifies the most appropriate security control to implement. Log management, pseudonymisation, consent management and the right to be forgotten are, in fact, concepts for which IT security implementation processes must be developed.
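As an added illustration (not from the article), the following Python sketch ties together four of the controls named above, pseudonymisation, consent gating, erasure on request and an access log, in one small data-access layer; the class, the identifiers and the sample record are constructed for this example. The point it makes beyond the text is that the access log must itself avoid becoming a second copy of personal data: entries are keyed by a pseudonym derived under a per-subject key, so deleting that key on erasure also makes old log lines unlinkable.

```python
import hmac
import hashlib
import secrets


class PersonalDataStore:
    """Constructed example: pseudonymisation, consent gating, erasure, access log."""

    def __init__(self):
        self._keys = {}        # subject_id -> per-subject key (deleted on erasure)
        self._records = {}     # pseudonym -> personal data
        self._consent = set()  # pseudonyms whose consent is currently valid
        self.access_log = []   # Art. 30-style records, keyed by pseudonym only

    def pseudonym(self, subject_id):
        # HMAC under a per-subject key: stable while the key exists, unlinkable after
        key = self._keys.get(subject_id)
        return None if key is None else hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()

    def register(self, subject_id, data, consent=True):
        self._keys[subject_id] = secrets.token_bytes(32)
        p = self.pseudonym(subject_id)
        self._records[p] = dict(data)
        if consent:
            self._consent.add(p)
        self.access_log.append(("register", p, "system", "ok"))
        return p

    def read(self, subject_id, actor):
        # Data is released only while consent stands; every attempt is logged
        p = self.pseudonym(subject_id)
        if p is None or p not in self._consent:
            self.access_log.append(("read", p or "<unknown>", actor, "denied"))
            return None
        self.access_log.append(("read", p, actor, "allowed"))
        return self._records[p]

    def revoke_consent(self, subject_id):
        p = self.pseudonym(subject_id)
        self._consent.discard(p)
        self.access_log.append(("revoke_consent", p, "subject", "ok"))

    def erase(self, subject_id):
        # Art. 17: drop record and key; earlier log lines stay but cannot be re-linked
        p = self.pseudonym(subject_id)
        if p is None:
            return False
        self._records.pop(p, None)
        self._consent.discard(p)
        del self._keys[subject_id]
        self.access_log.append(("erase", p, "subject", "ok"))
        return True
```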
Certainly, the first question that must be answered in order to protect against cyber-attacks is: what data must be protected? In order to answer this question, it is useful to start from micro-segmentation.
Micro-segmentation is a technique that enables security controls to be applied to assets in the data centre or cloud as a function of need. Micro-segmentation allows for greater flexibility and granularity compared to the classic segmentation of networks and applications, making it easier to block lateral movement between data centres, clouds and hybrid environments.
Once the data centres and cloud deployments have been micro-segmented, all the devices (hardware and software inventory) that are part of the supply chain must be identified and managed, verifying that there is no malware or ongoing attack. In addition, the absence of vulnerabilities must be certified by accelerating the vulnerability resolution and management process. For this reason, integration between the inventory process and the SIEM (Security Information and Event Management) is strongly recommended.
In conclusion, here is a summary of useful recommendations for companies that want to operate safely in the area of Retail 4.0:
- Comply with regulations: this not only guarantees that the company will not be fined for breaches, but also improves the consumer’s perception of the multi-channel functionality of Retail 4.0;
- Verify that the elements that make up the supply chain are not compromised: for example, by using EDR (Endpoint Detection and Response) systems;
- Do not neglect the discovery of sensitive data: a fundamental activity for robust protection of sensitive data;
- Implement an integrated SIEM process: for example, integrated with the inventory and patch management processes.