Case Study: Securing the retail network

Behind the razzmatazz of the retail industry, there is the work of IT professionals who devise methods for data security.

Retail, the most glamorous industry, is firmly linked to fashion and lifestyle, but it also encompasses a rather sensitive aspect, which has to do with data security. There is the need to have a security system in place to enable employees to handle customer data without any chance of leakage or misuse. It is critical to create awareness amongst the users about the security threats that are involved.

The IT heads in the retail industry have been putting a privacy policy in place to address various security objectives and challenges. The key priority for Ashish Chandra Mishra, Chief Information Security Officer (CISO), TescoHSC, which is part of the $100 billion retail Tesco group, has been to safeguard the confidentiality, integrity and availability of the company's information. The same priority holds true for most CISOs across the retail segment. They aim to build a good security system with a logical, risk-based approach, using finite resources and within a definite timeline.

Security priorities & challenges

For Globus's Mehriar Patel, CTO & Head-IT, the challenge is to have an effective security framework to deal with the latest malware and virus attacks, which are affecting businesses.

Ashish Chandra Mishra's priority is to ensure good information security and business continuity governance through management support and stakeholder involvement. "My biggest challenge is to ensure that every employee joining the organization is aware of the role he plays in keeping the information secure. Half the battle is won when there is adequate awareness," says Mishra.

Pertisth Mankotia, Head-IT, Sheelafoam Pvt. Ltd., aspires to see that there is no data leakage, no data is corrupted, and there aren't any attacks from viruses, etc. The challenge, Mankotia feels, is to handle two kinds of security: physical as well as logical. Interestingly, Sheelafoam discovered several security loopholes within the system after a risk assessment check performed by Ernst & Young. "We had to tighten our security measures by stringent policies and tools to plug these loopholes, which possessed the potential of facilitating data leakage," informs Mankotia.

Security tools in action

The IT and security heads in retail have not been deterred from investing in vital technologies and solutions. They have managed to convince the top management about the losses that might be incurred if these solutions were not in place.

For Mishra, it was essential to review the security policies and procedures and keep them relevant to the changing threat phenomenon. "We revamped our business continuity plan, implemented security information and event management (SIEM) solutions. The ArcSight SIEM evaluation tool has met our requirements in terms of log retention, compliance and threat management."

After the audit assessment, Mankotia's task grew multi-fold and he went ahead to create separate DM zones for each of the product range, be it LAN, Servers, PPN, MPLS etc. He created a secure policy framework around them. "We deployed UTM boxes and manageable multi layer switches, CCTV cameras etc., to make our infrastructure and data secure with appropriate passwords," maintains Mankotia.

With increased use of mobile devices and over 200 users accessing the Business Intelligence application on these devices within the company, Mankotia is also tasked with the responsibility of deploying the best possible encryption tools.

Globus's Patel upgraded SonicWall's UTM tools to incorporate data leakage prevention systems, which give all levels of security on a single framework, and are also very manageable, so that information is easily accessible to different layers of the business. "It called for different phases of the implementation process, including identifying the problem, brainstorming with the vendor if the device met the desired need, deploying it without interrupting other functionalities and checking if it supported the latest OS and all the devices," informed Patel.

Patel's idea was to limit the access of critical data like finance, operation and marketing data to the respective department heads only and prevent it from leakage.

Best Practices

Surprisingly, the retailers, who work on stringent budgets, have been spending to get their regular security audits done. The IT heads have been awarded budgets to deploy best-of-breed solutions. IDC too sees an increase in IT spend to the tune of 20%. The retail companies have witnessed almost over 25% business growth during the fiscal year.

As a best security practice, TescoHSC's Mishra has rolled out Hygiene control, its global awareness campaign amongst its employees, to test and certify each individual on where he or she stands in terms of adhering to security policy and procedures.

The company also spends about 12% of the total IT budget on security deployments.
However, Mishra opines that the best practices essentially revolve around the fundamental principles of Need to Know, the Maker Checker concept, least privilege, sound documentation (do what you write and write what you do), etc.

Amidst constraints, Sheelafoam's Mankotia has invested around Rs 30 lakhs in deploying UTM and manageable layer 3 switches as an immediate need to check data leakage, and created 12 DM zones to ensure absolute privacy.

The new practice that Patel introduced is to have a risk assessment done to design a new security framework and to invest in user management and education for the internal audience. "The above best practices help in identifying the gaps in the current security state as compared to the requirement. It then helps in designing and implementing solutions to close those gaps and ensure ongoing conformity," informs Patel.

Going Forward

Security heads of the retail groups look at data loss prevention as the key requirement while strengthening the control around software. Mankotia will go in for a DLP as an immediate need and put a single sign off policy across functionalities such as ERP, BI and others. Sheelafoam expects to incur more investments going forward, to the tune of over 30 lakhs, in deploying new security tools.

Agreeing with his peer, Mishra sees a DLP system, an encrypted USB computing environment solution, as an immediate need. He also speaks of tracking emerging trends around converging security platforms, cloud computing and virtualisation. The idea of complying with the regulatory framework also needs to be kept in mind.

Patel plans for security practices that centre on mobile security and virtualisation environment.
