The Australian government has recently warned of a “dystopian future” where digitally connected cities may be “held hostage through interference in everything from traffic lights to surgery schedules.” Home Affairs Minister Clare O’Neil highlighted the dangers that come with our increasingly connected society and the need for better preparedness across government and businesses.
Retailers across Australia are uniquely vulnerable to a diverse range of threats and attacks. The complexity of retail supply chains, the number of external vendors and the personal data that passes through (and is still often stored in) a retailer’s systems means they are a prime target for cyber criminals.
Why? Not only is the data of high value to cyber criminals, but attackers can also exploit weak links in a complex security chain. Additionally, the huge volume of digital collaboration that occurs both inside and outside of retail organisations, particularly post-COVID, needs to be managed safely. This collaboration involves disparate internal teams, contractors and external organisations in the supply chain, all operating across networks.
So, as prime targets, what can retailers do to avoid becoming the next victim of this dystopian future?
More is less
Retailers have historically taken an aggressive approach to collecting and maintaining customer data to build a 360-degree view of their customers. What many have failed to realise is that data is now a liability, making them a target for cyber criminals.
It’s no longer acceptable to simply collect and ‘store’ data, whether that be internal documents or customers’ personally identifiable information (PII). Instead, retailers must define and implement a data lifecycle management policy that includes disposal of information once it has reached the end of its useful life or is no longer required.
Just like stock in a retailer’s warehouse, it’s not sustainable or wise to hold onto data longer than needed. Retailers must assess data as it’s created or shared, defining the period it is required to be held (retention), and then setting up automated triggers and processes to ensure data is not accessed or kept within the business unnecessarily (classification).
Getting your data in a row
Firstly, retailers need to be organised when it comes to data collection and consider how data is created and/or collected. When it comes to customer data, retailers need to understand what customer data they are collecting (for example, credit card details) and why (for example, to process a transaction as a one-off activity). This first step makes it far easier to identify, and therefore to manage, customer data during its lifecycle.
Secondly, a security permissions structure needs to be created to prevent unauthorised or unnecessary access to data by employees, contractors or supply chain organisations. Digital collaboration means we can no longer stamp ‘classified’ on a manila folder and ‘call it a day’. For example, everything in an organisation’s shared drive should have automated policies in place that manage access to specific folders or documents based on classification.
Security permissions also need to honour the data subject’s preference, stated when they provide the information, for how their data can be used. For example, staff should not be granted access to customer addresses unless it is required to fulfil a specific function. This will prevent misuse, as well as make it more difficult for attackers to gain access to certain protected data.
Lastly, retailers need to build out retention and disposition rules based on specific policies and on regulatory and compliance requirements. Most importantly, data should only be kept as long as it’s required, especially sensitive information that is more likely to be the target of a breach (such as PII, as has been seen with Optus, Medibank and most recently Latitude Financial Services). As mentioned, tagging or classifying data when it’s created and/or collected allows retailers to automate this process.
Recent breaches have shone a spotlight on how retailers, particularly those collecting personally identifiable information, are mismanaging the customer data they hold. The increasing complexity of threats and the sheer volume of data being collected and shared by organisations have led to a growing trend of outsourcing data management to ensure bespoke plans can be effectively implemented and maintained, leaving no gaps.
Having a data lifecycle plan in place is now not only good business, it’s critical to a retailer’s long-term success. This is being recognised by insurers as well, with retailers now even able to reduce their insurance premiums by showing that a data lifecycle plan is in place in their organisation.
In a ‘dystopian future’, taking a preventative and proactive approach to data management will put retailers one step ahead of the chaos.
Max McNamara is managing director for Australia & New Zealand at AvePoint.