It’s hard to imagine a retailer that isn’t reviewing its data security following the recent spree of cyberattacks on businesses in the Asia Pacific region, from Woolworths’ online marketplace MyDeal in Australia, to the online marketplace Carousell in Singapore. Many cybersecurity experts say these attacks could have been avoided if the businesses had been more vigilant, but they also caution that simply increasing data security measures isn’t enough to protect a company against cy
cyberattacks in future. What is needed is a mindset shift. “The fundamental problem is that companies focus on establishing digital processes, offering new services, collecting data for potential new, previously unknown, business cases and then build cybersecurity controls to prevent attacks,” Carsten Rudolph, a professor in the department of software systems and cybersecurity at Monash University, told Inside Retail. “The focus is not on establishing secure systems with risk minimisation in the case of data breaches.” Time for an overhaul Rudolph believes that organisations need to start thinking differently about the complicated world of cybersecurity. “We should expect all our systems to potentially have vulnerabilities. As long as we don’t focus on establishing secure systems, there will be more successful attacks,” he said. When companies perform risk analysis, they should assume that their networks will eventually be breached. This is something many companies don’t even consider. Therefore, Rudolph believes that companies should minimise the amount of data they store or have available in their networks, use advanced security mechanisms, such as encrypted databases, and securely de-identify data, so that it doesn’t put consumers at risk if it is stolen. He also believes companies need to be more transparent with customers about the data they are storing and their reasons for doing so. “Customers should be empowered to get an actual choice between data being stored and potentially losing some of the comfort and functionality of digital services,” he noted. Just because companies have multiple layers of security controls doesn’t mean they are safe from cyberattacks. While firewalls, multi-factor authentication and intrusion detection are good, they’re not enough. “It is necessary to change the way data is stored, minimise data retention, work with customers to empower them to control their data and work with cybersecurity research to fundamentally integrate security into solutions,” Rudolph said. Finding the right balance The Australian government has proposed a number of changes to the country’s privacy laws to increase penalties for companies subject to major data breaches. The changes would lift maximum penalties for serious or repeated breaches from the current A$2.22 million to either A$50 million, three times the value of the benefit obtained through the misuse of information, or 30 per cent of turnover in the relevant period, whichever is greater. But Rudolph is sceptical that these changes will have the desired effect. “Increasing fines might increase compliance, but it will not fundamentally improve the state of the art. Governments need to find the right balance in supporting digital solutions and securing these solutions,” he said. “Policies need to actually focus on establishing secure systems and make it mandatory for companies holding very critical personal [information] to build solutions with built-in security.” As organisations in Southeast Asia embrace a digital-first mindset, cybersecurity remains a high priority investment area for the majority of the businesses in the region. A recent IDC Asia-Pacific Security Sourcing Survey found that organisations expect to spend US$6.1 billion on cybersecurity (services, software, and appliance) by 2026, reflecting a CAGR of 13.6 per cent from 2021. Ransomware on the rise Meanwhile, a whitepaper from British cybersecurity firm Sophos Group found that 77 per cent of retail organisations were hit by ransomware in 2021, up from 44 per cent in 2020. gave some interesting insights into the state of ransomware in retail this year. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. This is a 75 per cent rise over the course of a year, demonstrating that adversaries have become considerably more capable of executing attacks at scale. Overall, the average ransom payment came in at US$812,360, nearly five-times the 2020 average of US$170,000 (based on 282 respondents). In line with this trend, the overall cost to retail organisations to remediate a ransomware attack also dropped over the last year, down from US$1.97 million in 2020 to US$1.27 million in 2021. Many retail organisations choose to reduce the risk associated with ransomware attacks by taking cyber insurance coverage. Nonetheless, it’s getting harder for retail organisations to secure cyber insurance coverage. This has driven almost all retail organisations to make changes to their cyber defences to improve their cyber insurance position.