Embed Size (px)
Citation preview
The retailerEY’s publication in consumer products and retail sector
October - December 2014
ForewordDear reader,
We are happy to present to you the October–December 2014 edition of The retailer, our quarterly publication on the consumer products and retail sector. In this edition, we largely focus on the e-Commerce market and elaborate on the evolution of the Indian consumer, data and IT security as well as some innovations in the Indian and global e-Commerce markets.
In the first and second articles, we provide an overview of the Indian e-Commerce market and focus on the evolution of Indian consumers. The first article takes a comprehensive look at the different elements of the e-Commerce opportunity and its trends, which may have a positive or negative impact on the market. The second article provides insights on consumers’ online buying behavior.
The third article elaborates on ways in which consumer companies can leverage data privacy norms to their advantage, especially those relating to personally identifiable information (PII).
Companies are becoming increasingly concerned about data integrity, regulations, data-protection requirements, etc., due to rapid upgrading of and additions made in the capabilities of mobile devices and consumers’ adoption of these applications. In view of this, the fourth article provides a high-level process that will enable users to assess the risks faced by mobility devices.
In our “Innovation board” section, we present you snapshots of recent innovations in the Indian and global e-Commerce markets.
We hope you enjoy reading this issue of The Retailer and we look forward to your valuable comments and feedback on it.
Pinakiranjan Mishra
Partner and National Leader, Retail and Consumer Products EY, India
Celebrating six years of The retailer
Contents
Involve yourself:
We look forward to hearing your feedback and suggestions.To contribute to editorial content, please contact Ashish KakwaniT: +91 22 6192 0423 E: [email protected]
e-Tailing revolution in India: opportunity for traditional Brick & Mortar retailers 04
The omni-channel option in India 10
Data privacy in consumer products sector 16
Security of mobility devices 24
Innovation Board: e-Commerce 32
4 | The retailer
e-Tailing revolution in India: opportunity for traditional Brick & Mortar retailers
1
services to Indians by 2015, 175 million broadband connections by 2017 and 600 million broadband connections with a minimum download speed of 2 mbps by 2020.2
A prime driver of the present and future growth of online users has been the rapidly reducing prices of smartphones and their increasing adoption in the country. Smartphones are leapfrogging laptops or desktops as internet devices. According to a study conducted,3 penetration of smartphones in India is set to grow from 10% (90 million devices) in 2013 to 45% (520 million devices) in 2020, and play a vital role in the growth of e-Commerce in the country.
India’s online payment infrastructure has improved significantly due to increased security and fewer people failing to make payments. This has resulted in the volume of online payments rising rapidly. The volume of online payments expected to touch INR1200 billion by December 2014, a 40% increase from INR858 billion last yeari. Moreover, given the low penetration of cards and internet banking in India, the Cash on Delivery (CoD) option provided by online sellers has played a significant role in
the growth of e-Commerce as the only viable mode of payment for many Indians. More than 50% of e-Commerce orders use the CoD option.
Logistics continues to be a major challenge with unreliable third-party logistics companies, the need to handle cash with more than half of sales paid for in the CoD mode, return rates being
2 The National Telecom Policy 2012 retrieved from http://www.bbnl.nic.in/upload/uploadfiles/files/ntp2012.pdf ,3 November 2014
3 “Smartphone penetration to reach 45% in india by 2020: Ericsson,” www.indiaexpress.com, http://indianexpress.com/article/technology/technology-others/ericsson-identifies-key-elements-of-mobile-broadband-growth-in-india/, accessed 3 November 2014
The e-Commerce revolution in India’s retail sector no longer seems a myth with news of single-day revenue from sales exceeding INR6 billion and billion-dollar investments in online retail ventures valued at multi-billion dollars.
A decade ago, many traditional retail players believed that the online retail channel was not suitable for India due to the multiple challenges faced, e.g., (a) consumers wanting to touch and feel products before buying them,(b) limited penetration of the internet and inadequate broadband infrastructure, (c) inefficient payment infrastructure with low penetration of cards and online banking among Indians, and (d) deficient logistics and warehousing infrastructure, coupled with complex interstate tax regulations.
While these challenges continue to exist in the country, online retail or e-Tailing has grown at breakneck speed, with a CAGR of 56% over the past five years. It is amply clear that the e-Commerce revolution is firmly entrenched. In fact, all predictions suggest that we are only seeing the “tip of the iceberg” and can expect many more innovations in the domain.
One of the main reasons for this growth has been the increasing affordability and ease of accessing the internet. The number of internet users in India is estimated to be 240 million by the end of 2014, with around one out of five citizens having access to the internet.1
The Government has recognized the fact that improved broadband connectivity is an integral driver of socio-economic performance in the National Telecom Policy, 2012. It therefore plans to provide affordable and reliable broadband-on-demand
1 Internet & Mobile Association of India (IAMAI) data
Source: Crisil research
3891
139
334
504
2007-08 2009-10 2011-12 2012-13E 2013-14P 2015-16P
Online retail market size and growth (INR billion)
CAGR 2007-08 to 2012-13 :� 56% Next 3 years: 50-55%
5The retailer |
high as 10% and the absence of an address-verification system. This has resulted in a proliferation of orders with fake addresses. e-Tailers have been addressing this issue by building their own logistics networks or working with multiple third-party service providers. Moreover, while traditional logistics organizations such as GATI, DTDC, Blue Dart and FedEx now provide exclusive services for e-Tailing shipments, several innovative e-Commerce-focused logistic companies such as Chhotu.in, Unicommerce and Delhivery have begun offering services including last-mile delivery, third- party and transit warehousing, reverse logistics and offline payment collection options. Even India Post is reported to be exploring the possibility of providing specialized logistics e-Commerce solutions.4
On the policy front, the present multiple tax structure, which
4 The Hindu Business Line news report retrieved from http://www.thehindubusinessline.com/industry-and-economy/logistics/india-post-open-to-ecommerce-prospects/article5792400.ece/, accessed 3 November 2014
4.0% 4.4% 5.1%
7.5%
10.1%
12.6%
17.0%
19.2%
0%
5%
10%
15%
20%
25%
0
5
10
15
20
25
30
Internet penetration in India
Source: EY Research
2007 2008 2009 2010 2011 2012 2013 2014
Inte
rnet
pen
etra
tion
in In
dia
Num
ber
of in
tern
et u
sers
in In
dia
(in c
rore
s)
needs decentralized state-based warehouses to be tax-efficient rather than have large facilities (which would enable warehouse operations to be more efficient), is expected to change with the implementation of the proposed Goods & Service Tax (GST), giving a boost to the e-Tailing industry.
Consumers are gradually moving to online retail options due to ease of access to the internet, and improvements in logistics and payments. While online retail contributed only 10% of the value of the e-Commerce market in 2009, the figure rose to 18% in 2013. Today, it accounts for a mere 0.4% of the total retail market. It is expected to grow at a CAGR of 55% from US$2.3 billion in 2013 to US$32 billion in 2020.
Total retail and online retail sales in India (US$ billion)
Source: EY research
Represents total online retail market
Represents total retail market
2013
2020
$525b
$2.3b
$1,040b
$32b% share of e-tail market in total retail market grows from 0.4% to 3.2%
6 | The retailer
running costs to operate these due to high real estate prices and rentals; escalating electricity costs; costs incurred on hiring, training and retaining store personnel, and to manage optimum inventory levels in their stores (since excess inventory increases storage/carrying costs and shortage of inventory leads to loss of sales). Pure play online retailers can maintain their inventory at centralized warehouses off city limits (with low rentals) or source products from suppliers on demand.
Furthermore, physical store retailers also need to contend with “showrooming,” wherein customers touch and feel merchandise in their stores and then search for higher discounted online deals. Online retailers even have mobile apps to help customers scan the barcodes and QR codes of products to instantly access discounted prices on similar products and purchases online.
To stay in the game, brick and mortar retailers have been working on their online strategies, e.g., the Future Group started Futurebazaar.com in 2007 and Shopper’s Stop its online store in 2008 at around the same time as today’s success online ventures such as Flipkart, Myntra and Snapdeal were founded as startups. However, the former have had limited success in their online businesses till date with low order volumes and poor integration with other sales and
However, while new ventures such as Flipkart, Myntra, Snapdeal and Jabong have been able to cash in and benefit by the e-Commerce revolution and are poised to grow further, traditional retailers have been struggling and facing several challenges in establishing their presence on the online retail platform.
Challenges facing traditional “brick and mortar” retailers
Online retailers lure customers with their value proposition of competitive pricing and convenience. They offer discounted prices, a wide choice of products, free product delivery options, the convenience to pay by cash on delivery and most have a convenient return policy. Some even go so far as to offer a “trial and buy” option in the case of apparel and footwear, wherein customers can try multiple sizes and fits once the merchandise is delivered at their doorsteps and then pay for what they decide to retain or return what they do not want to the representatives of courier companies. Consumers are fast adapting to the convenient way of making purchases from the comfort of their homes or workplaces. This has negatively affected footfalls in physical stores.
Moreover, traditional retailers need huge investment of capital to set up physical stores and incur high
7The retailer |
delivery channels to benefit from cost synergies. Many physical retailers have not even tried to define their online strategies on their websites, although some display their ads on the internet and have a presence on social media channels.
Opportunities for physical retailers: omni-channel options
While the challenges faced by traditional retailers are numerous, they still have their unique strengths — physical store networks in the vicinity of customers’ homes, the capability to provide enhanced customers services at their stores, a deep understanding of customers’ requirements, merchandising capabilities, nationwide warehouse infrastructure and mature relationships with suppliers. These strengths, combined with new capabilities for providing a seamless shopping experience, such as customers having an integrated view of online and store inventory, and the choice to place orders on channels, stores’ sales staff having access to purchase history and preferences shared by consumers on media channels and seamless fulfillment of orders e.g., by orders given at stores being delivered at home from warehouses, internet customers having access to inventory at stores, option of orders being collected at nearby stores, provides traditional retailers the opportunity to offer high-level customer services and then get back in the game with online retailers.
Customers can have a choice of touch-points to transact with retailers at their own convenience and avail of a standard brand experience across channels. For instance, a customer may become aware of a product in a television ad or a promotion in a social media ad, read product reviews on a web store, reserve the product a trial on a mobile app, go to a store to touch and feel the product, and then place an order. Customers decide on the channels with which they will interact and find retailers always available on one or more of them. They also find themselves “remembered” and their information shared across channels, which obviates the need for them to repeat themselves. Furthermore, their experience is personalized, based on their past transactions, buying behavior and other data they may have shared. Retailers can plan coordinated campaigns across channels and have the opportunity to optimize their marketing costs. They see the conclusion of a large number of consumer purchase journeys and their being converting into sales instead of abandoned, as consumers are kept engaged on many channels. Retailers can also try to work the matter out to their advantage with “reverse showrooming” or “webrooming,” wherein consumers go to online stores to research products, get vouchers and use these to purchase products in physical stores, which have knowledgeable sales staff to guide them. Retailers also have the opportunity to use customer data across channels (to nudge them on their purchasing journeys) with personalized offers and optimize their promotional expenditure. Furthermore, retailers can
WebMobile app PhoneStore
Store Neighboring store
Retailer’s warehouse
Manufacturer ‘swarehouse
Order taken at
Inventory carried by
Order fulfilled at
Single customer profileOverview of omni-channel value chain
Home Store Delivery hub
8 | The retailer
also use customer data to provide up-sell and cross-sell recommendations and increase their revenue per customer. Finally, the retailer does not need to carry inventory at all times at all its stores and saves on inventory costs as customers become comfortable about ordering out-of-stock items to be picked up by them later or for home delivery.
Customers also have a choice of order delivery options. They can opt for same day in-store pickup, delivery hub pick-up or home delivery. For instance, almost half of the US consumer digital retail major Best Buy’s online customers select in-store pickup as their preferred delivery mode. For Best Buy, this has its advantages. First, many customers do not want expensive electronic goods delivered at their homes or on CoD when they are not there, and this provides them a convenient option to pick these up at stores. Second, it gives customers the opportunity to use products at stores where salespersons can guide them. Third, customers end up buying other products when they go to stores to collect their orders, for instance, the accessories electronic products. For example, Macy, an American departmental store, encourages shoppers to scan products on their mobile apps and buy these at brick and mortar stores in order to close the gap between stores, desktops and mobiles.
The need to create options for customers is such that even pure-play online retailers realize the need to set up physical stores and delivery hubs, since even the most digitally “savvy” customers want to touch and feel some products before buying and collecting these. For example, CaratLane, a Chennai-based jewelry e-Tailer, has physical stores, where customers can try on samples of the jewelry before buying these online. Similarly, Amazon is conducting trails on using neighborhood grocery stores and petrol stations as delivery points.
Where to start?
For omni-channel to deliver on its potential, retailers need to have integrated strategies across functions including marketing, merchandising, store operations, supply chains and customer services. For instance, their marketing needs to ensure that their in-store and online promotions are similar. Supply chains need to manage common inventory for stores and online sales, and leverage common delivery channels for stores and
customers’ home deliveries. Merchandising can negotiate joint strategies with manufacturers, e.g., “drop ship,” to increase the efficiency of supply chains and counter threats from the marketplace. Store staff needs to handle complaints on online orders, accept returns and help customers to place online orders for out-of-stock inventory. Customer services need to expand from call centers to include the functions of sales representatives, logistics, marketing, etc. Most importantly, the structure of an organization should encourage overall business results rather than create conflicts between channels.
This also means aligning the people, processes and technologies of retail organization, based on the objectives of the omni-channel. Processes need to be implemented to ensure a seamless experience, while considering different possibilities such as the buy online, ship to store for customer pick-up; buy online, reserve inventory already in store for a later customer pick-up or home delivery from store; buy in store, ship from another store or warehouse to store for a later pick-up or home and buy online, ship to homes after collecting inventory from multiple warehouses and stores options. Retailers should ideally prioritize a few of these options and build from there rather than try and do it all at once.
Furthermore, people need to be trained to “think omni-channel,” for instance, by stores’ representatives selling customers merchandise that may in fact not be in the stores (whether they are out of stock or not even carried in particular locations), planning coordinated campaigns across channels to maximize channel sales and optimize costs, with logistics personnel planning inventory across channels to balance inventory-carrying costs with reduced delivery times.
And finally, technology needs to be put in place to support processes and people — by transferring customer data across channels real time and creating a unified view of customers across channels for personalized offers and cross-sell/up-sell recommendations; enabling an integrated view of inventory so that sales representatives are empowered with their view of inventory across store networks and warehouses, and can promise delivery dates to customers; enable distributed order management for fulfilment of orders from multiple sources and optimize logistics costs and delivery time.
9The retailer |
Goutam Yenupuri Manager
Goutam is a Manager in EY’s IT Advisory practice and is based in Mumbai. He has more than seven years’ experience in working with clients at the intersection
of business and technology in their customer (marketing, sales and service) operations. His experience has been predominantly in the consumer and retail domain, where he helped clients by defining business processes, advising them on innovation and best practices in the industry and on implementing best-in-class technology solutions. He is currently interested in new opportunities, such as omni-channel commerce, digital marketing, and mobility and analytics, available for businesses in the digital age.
Email: [email protected] Tel: +91 9619 200 825
Asheesh Malhotra Partner
Asheesh Malhotra is Partner in EY’s IT Advisory practice. He leads its IT Strategy & Transformation practice and is based in Bangalore. He has rich experience in
advisory services in the UK, the US, the Middle East and the Asia Pacific. Asheesh has advised organizations in sectors including Financial Services, CPG, Utilities, Manufacturing and Pharma. He has wide experience in the Business and IT Transformation, including Service Transformation, Cost Optimization, Portfolio Rationalization, Enterprise Architecture and Emerging Technologies (including Cloud Computing) domains.
Asheesh is focused on the Digital Transformation space, especially opportunities organizations will have access to with the convergence of cloud, mobility and analytics. His specific interest is in the areas of digital business models, customer experience, and digital operations and workforce.
Email: [email protected] Tel: +91 80 67275743
In conclusion
In the fast evolving digital world, retailers need to adopt a “sense and respond” approach wherein they devise digital strategies that is specific to their business models, continuously monitor the results as they implement their digital initiatives and evolve these through focused interventions.
10 | The retailer
The omni-channel option in India2
India is at the cusp of an e-Retail revolution1…
Defying India’s economic slowdown, the e-Commerce and omni-channel segments have emerged among the fastest-growing in the sector. The e-Retailing market (online shopping for physical goods) valued at US$ 2.3 billion in 2013, accounting for less than 1% of overall retail sales. However, as more and more consumers opt for the omni-channel mode, online shoppers are expected to grow by 6.5x to reach 130 million and per capita spend to quadruple to INR28,000 by 2020. This is projected to result in e-tailing witnessing a CAGR of 55% to reach US$32 billion and accounting for more than 3% of the retail market by 2020.
…following the trajectory of leading e-Commerce markets2
Notwithstanding the boom in online shopping in India, over the last couple of years, its e-Retail market is largely untapped in comparison with China’s and the US’. Penetration of online retail in the country (online buyers as a percentage of internet users) stood at 9% in 2013, compared to 47% in China and 70% in the US. Therefore, India has the potential to generate hyper-growth revenue such as what has been witnessed in China and the US.
1 1 US$ = INR 61.7; “India Internet Sector,” Credit Suisse, September 2014, via ThomsonOne Banker.
2 “India Internet Sector,” Credit Suisse, September 2014, via ThomsonOne Banker; “Chinese Consumers Moving Online - China has surpassed the U.S. in Online Retail Sales,” http://keeglobaladvisors.typepad.com/kga/2014/05/chinese-consumers-moving-online-china-has-surpassed-the-us-in-online-retail-sales.html, accessed 7 November 2014; “India’s Unicorn Company Aims High,” http://www.huffingtonpost.com/sramana-mitra/indias-unicorn-company-ai_b_6015324.html, accessed 13 November 2014.
With eco-system enablers gradually falling into place, will India follow a growth curve similar to that seen in China? Although it is lagging behind the latter by six to nine years in terms of its internet metrics, India is expected to reach a stage that was a tipping point for China in 2006–2013 when accelerated penetration of the internet in urban and rural areas, rapid proliferation of mobile devices and buoyant consumer demand fueled an explosive growth (with a CAGR of 90%) in e-Commerce sales.
As witnessed in India, Chinese companies faced consumer-related challenges in the area of online purchases, e.g., in trust, security, privacy and safety of online payments. e-Commerce operators in the country successfully overcame these challenges by investing heavily in advertising to build consumers’ trust and by offering them innovative payment options. To enable consumers to reach the “pro-online buying” stage, companies also introduced the COD option to foster the early development of the e-Commerce market and transitioned to online payment mechanisms as consumers became confident about this option.
India and China share several challenges, particularly in terms of logistics and low penetration of retail in smaller cities. However, India has a demographic advantage with its large “tech savvy” youth population, which has a propensity to make online purchases.
11The retailer |
90s 2000-10 2010 -present Future
China = $ 297b; 9%
India = $2.3b; <1%
Comfort with using credit card online
Amazon dash, same-day delivery, drone-delivery experiments
Consumers getting comfortable with electronic payments
The US = $263b; 6%
Catalyst for growth
Inflection point
Current state
What are the catalysts for e-shopping to take-off?
Low physical retail penetration + increasing broadband, mobile/smartphone penetration + COD, ‘try and buy’ and ‘same- day’ delivery + young tech savvy population
Low physical retail penetration + increasing broadband and mobile penetration + consumer acceptance of marketplace model+ cash on delivery (COD)
Note: Dollar values indicate e-retailing market size in 2013; percentage figures indicate e-retail as a % of total retail market in 2013Source: EY analysis ; Credit Suisse, emarketer; “China’s online retail market squeezes bricks-and-mortar shops,” http://www.scmp.com/property/hong-kong-china/article/1598016/chinas-online-retail-market-squeezes-bricks-and-mortar, accessed 4 November 2014
12 | The retailer
India China The US
India has a young population (%, below 35 years)…
64% 49% 47%
…and has internet users (mn, 2013) nearing US levels
213 620 270
Significant potential for online payments mechanisms
16%45%
82%
10%44%
70%
2%20%
54%
Internet Smartphone Credit card
Will COD evolve on the lines of China?
Debit/ credit cards Internet banking/ e-wallet Cash on delivery
20%
20%60%
45%
25%
30% 2%
78%
28%
Source: EY analysis; Business Monitor Intelligence; TRAI; Goldman Sachs; Euromonitor
Penetration (%) of
Payment mix (%):
How do building blocks of online retail in India compare with those in leading markets?
Share of mobile in internet retailing is on the rise
18% 18%13%
13The retailer |
What is driving change?
Rise of the “digitally empowered” consumer3
India’s online shopping landscape is seeing an evolutionary change, driven by its widespread wireless network and availability of low-cost data plans, which are among the lowest in the world. Around two-third of the country’s population owns mobile phones — nearly twice the number of people with bank accounts. This “digital consumer” is able to shop anytime, anywhere. EY’s recent Consumers on Board report revealed that Indian consumers are among the most digitally knowledgeable worldwide.
In India, 60% of internet users are classified as “mobile-only.” Penetration of smartphones has catapulted from 10% in 2013 to 24% in 1Q 2014 and is expected to reach nearly 50% by 2017. According to Sachin Bansal, co-founder of Flipkart, “Over half a billion Indians will switch to smartphones in the next five-six years…a big driver of e-Commerce in India.”4 Therefore, in order to provide consumers with a seamless experience across all channels and devices, companies need to adopt and implement the omni-channel model as their core strategy to transform their operations, capabilities and technologies.
3 “India needs more banks before more bank account,” http://www.livemint.com/Opinion/RjQNPKizMmeyKq261l4waJ/India-needs-more-banks-before-more-bank-accounts.html?utm_source=copy, accessed 13 November 2014; “Indian Online Market Set to Explode: Google Study,” http://www.newindianexpress.com/lifestyle/tech/Indian-Online-Market-Set-to-Explode-Google-Study/2014/08/21/article2391122.ece, 13 November 2014; “India Internet Sector,” Credit Suisse, September 2014, via ThomsonOne Banker; “Internet Access Drives Revenue Growth in Booming Markets,” http://www.mobilitytechzone.com/topics/4g-wirelessevolution/articles/2014/06/04/380394-internet-access-drives-revenue-growth-booming-markets.htm, accessed 7 November 2014.
4 “India’s e-commerce industry may reach $70 bn by 2020,” http://www.tntmagazine.in/indias-e-commerce-industry-may-reach-70-bn-by-2020/, accessed 12 November 2014.
Digital consumer*** share in the online population
*** Digital consumer is one who either regularly or occasionally uses digital for all or part of his/her purchasing journeySource: Consumers on board – how to co-pilot the multichannel journey,” 2014, EY publication
75%
70%
64%
63%
62%
50%
India
China
Russia
UK
Brazil
US
Initial concerns around the need for…
Source: EY analysis
Why are consumers turning to online shopping?
• “touch and feel”• price bargaining • convenience• range and access to aspirational products• privacy and security of online payments
…are being addressed through innovations and new initiatives
• “try and buy,” 30 day return policy• deals, discounts, coupons • faster delivery• access to a wider basket of goods, which
also act as a bridge to luxury• cash on delivery
Online - winning share of wallet
14 | The retailer
What are the benefits of e-Retailing?5
Omni-channel shopping resolves many challenges faced by consumers, e.g., their ever-growing requirement for convenience, their desire to fulfil their aspirational needs and their access to a wide basket of goods, as well as the lack of adequate physical retail infrastructure (limited presence of organized brick and mortar retailers in 95% of 4,000 to 5,000 cities and towns) in the country. Innovations such as the COD option, accelerated delivery (same day and one-day delivery) options and flexible policies (try and buy, 30-day return and cash back guarantee) have addressed many of consumers’ initial fears.
Emergence of new consumer behavior and shopping patterns…
Consumers are not only shopping online, but they are also using the online option to research products and compare their prices, locate stores, avail discounts and coupons, and read users’ reviews.
New digital consumers in India have begun mirroring the shopping patterns of their global counterparts. “Window shopping” has become passé and has given way to “showrooming” —the practice of visiting physical outlets to get the touch and feel of products and then buying them online at the lowest available price. Additionally, consumers are using their mobile phones while visiting retail outlets to search for product information, compare prices and take pictures of products6.
Consumers initially limited their online shopping to items such as electronics, books and apparel. However, after becoming comfortable with shopping online, they have begun experimenting to make other purchases and also explore new categories including groceries (staples, vegetables and personal care products), imported products, adult well-being products, innerwear and luxury re-Commerce (selling of pre-owned luxury items).
5 “E-commerce – fast and furious,” November 2014, Motilal Oswal, via ThomsonOne Banker.
6 “65% of shoppers visit physical stores before making an online purchase,” http://www.thedrum.com/news/2014/10/20/65-shoppers-visit-physical-stores-making-online-purchase, accessed 7 November 2014.
…and next wave of online consumer segments7
The next wave of online consumerism is likely to be driven by three key segments:
• Young consumers in smaller cities
• Consumers who are comfortable with local language content
• Women
1. As consumer aspirations in tiers II, III and cities beyond converge with those in metros and mini-metros, factors such as limited penetration of retail and inadequate product offerings, coupled with the growing purchasing power of people, penetration of mobiles and shopping apps are creating a “sweet spot” for online channels. In fact, consumers in these regions are seeking value and premium purchases and are already accounting for a significant portion of sales/traffic for select e-Tailers (e.g., 65% of sales at Jabong.com, an online marketplace for clothes, fashion and lifestyle accessories). Yebhi’s CEO and co-founder, Manmohan Agarwal, concurs with this, “The next story for online shopping is going to come from smaller towns in India… and it is time to go beyond the tier II and III cities and go deeper into the real India.”8
2. However, language can be a problem. Snapdeal’s Senior Vice-President of Product Management, Ankit Khanna, notes “We get more than 50% of our sales from tier-II and tier-III cities. Though these customers have realised the power of ecommerce they still don’t have a very good understanding of English”9. This large segment, representing 300 to 400 million consumers, is expected to be a part of the population that is more comfortable with local language content. According to a study conducted
7 “E-commerce – fast and furious,” November 2014, Motilal Oswal, via ThomsonOne Banker; “Now, small towns fuel e-tailers Flipkart, Myntra, Jabong,” http://www.financialexpress.com/news/now-small-towns-fuel-etailers-flipkart-myntra-jabong/1289139, accessed 7 November 2014; “Top e-tailers launching sites in regional languages to woo customers,” http://articles.economictimes.indiatimes.com/2014-07-03/news/51057429_1_ankit-khanna-snapdeal-flipkart, accessed 7 November 2014; “Need more local language content for Internet to bloom in India,” http://www.livemint.com/Opinion/zCFoFUXebEbxBOVq8a2UUJ/Need-more-local-language-content-for-Internet-to-bloom-in-In.html?utm_source=copy, accessed 7 November 2014.
8 “Online retailers turn to smaller towns,” http://www.livemint.com/Industry/dfT9fH0c0YnJ5cmvPIulzL/Online-retailers-turn-to-smaller-towns.html?utm_source=copy, accessed 7 November 2014.
9 “Top e-tailers launching sites in regional languages to woo customers,” http://articles.economictimes.indiatimes.com/2014-07-03/news/51057429_1_ankit-khanna-snapdeal-flipkart, accessed 7 November 2014.
15The retailer |
Chinmay Ojha Assistant Director, Strategic Market Intelligence (SMI)
Chinmay has more than 10 years’ experience in consulting, project management, business development, and research and analysis with
professional services orgsnizations including EY. He has worked on a range of projects, including growth and marketing and sales strategies, entry into and assessment of markets, and analyses of business plans, for leading global and Indian consumer product and retail clients. Chinmay leads the CP/Retail SMI team in India and also helps to drive the thought leadership agenda of the CP/Retail sector.
Inputs from Aakriti Kakkar
Email: [email protected] Tel: +91 124 470 1155
Looking forwardThe growing expansion of the digital mode, coupled with the favorable attitudes of urban and rural consumers, has set the stage for the sustained growth of online shopping in India. While this will take time, e-Tailing is set to become a household phenomenon, fueled by the effort made by business and the Government to ensure widespread mobile connectivity, availability of broadband, efficient logistics and enhanced consumer experiences.
by the Internet and Mobile Association of India, providing content in local languages is likely to increase the number of internet users in the country by 24%, with the figure reaching as high as 43% in rural areas and 13.5% in urban ones.
3. Additionally, online shopping has so far been skewed toward men, who comprise 65% of India’s online shopper base. However, this statistic is seeing a change with changing
lifestyles, the growing importance of multi-tasking and the rising number of women in the workforce. Tech-savvy women are increasingly turning to online portals to fulfil their needs in diverse fields including fashion, footwear, apparel, accessories, food and drink, baby care, hair care and skin care.
16 | The retailer
“After a while you learn that privacy is something you can sell, but you can’t buy it back.” — Bob Dylan
17The retailer |
Data privacy in consumer products sector3
In recent years, consumer companies have been attempting to engage with end consumers to create awareness, and attract and retain them. The digital evolution (e-Commerce, smartphones and smart grids) has been fueling consumer companies’ growth initiatives. In the process, they end up collecting, storing and sharing more information about their consumers than ever before. However, although they intend to use this information to stay connected, innovate and deliver better products and services, they may be unknowingly compromising the privacy of consumers. Take a moment and ask yourself these questions:
• Do you run marketing campaigns in the marketplace and capture consumer-related details?
• Do you gather consumer data in your endeavor to understand consumers’ behavior?
• Have you begun communicating electronically with vendors, dealers and distributors to increase their supply chain efficiency?
• Do you run schemes and campaigns on your website for consumers to share their experiences?
In each of these cases, you are capturing personal information, knowingly or unknowingly. Please bear in mind that globally (and even in India), there are strict regulations on how you protect the personal information of employees, consumers, vendors and various third parties.
What is privacy?
In general terms, privacy is the ability to control how one is identified, contacted and located.
Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personally identifiable information - AICPA (American Institute of Certified Public Accountants)
What is Personally Identifiable Information (PII)?
PII includes information about, or which can be related to, an identifiable individual. Some PII, like financial information, information on racial or ethnic origin, religious beliefs and sexual preferences, is considered as sensitive personal information (SPI).
Information about or related to people, but which cannot be associated with specific individuals, is referred to as “non-personal information”. For instance, information aggregated as part of a survey into statistical tables or summaries, in which the linkage to an individual has been removed.
Data — subject Process Data-collection point Categories of PII processed
Vendor Manufacturing Registration and updates Contact, identification of proof, compliance, financial
Dealer Distribution Registration and updates Contact, identification of proof, compliance, financial
Consumer Sales Point of sale Contact, demographics, financial
Marketing Marketing of public events Contact, demographics
Recruitment — candidate
Human Resources Interview Resume/CV
Employee Human Resources On-boarding Demographics, academic, contact, financial, medical, biometric, employment such as performance, attendance and training
Employee’s kin (for the purpose of insurance)
Human Resources On-boarding Contact, demographics, financial, contact
Visitor Administration/ Facility Management
Visitors’ entry register Contact, details, identity proof
18 | The retailer
Why is privacy important in the Consumer Products (CP) sector?
Retaining consumers’ trust is the key to success for a consumer products company. For instance, a company sharing its consumers’ personal information to a marketing organization for the latter’s use can harm the company’s reputation.
Consumers are concerned about disclosure of their personal information. Marketing calls to sell credit cards, insurance, loans and discount offer coupons abound. Today, consumers feel they have lost control over their personal information as it is freely available in the public domain.
This is just the tip of the iceberg. In the CP sector, collection of PII by a company cuts across multiple processes.
Collection of PII across a company’s value chain, a lot of which is sensitive in nature, brooks the argument that privacy is a risk management issue. This is highlighted by some well-known breaches in privacy.
Some questions need to be answered to address these risks
Do you know where PII is
residing?
Who all have access to PII?
Who is responsible to
protect PII?
Is your cross border PII data flow secure? ?
1. A television production company in the UK
What happened? Hackers accessed 7,000 records of applicants to a TV show. An inspection by the data- protection authority revealed the failure of the producer of the TV show to provide notice, obtain consent and enter contracts with third parties
Impact: Fine of US$1.5 million
2. A large building society and savings provider in the UK
What happened? A laptop containing customer-related information was stolen. No protection was provided.
Impact: Fine of nearly US$2 million for negligent protection levied by the UK Financial Services Authority
3. A data aggregation company in the US
What happened? There was fraudulent use of data by improperly credentialed customer which resulted in a breach of over 140K consumer records.
Impact: Known exploitation of 700+ affected persons; US$15 million in fines by Federal Trade Commission, coupled with significant drop in share price that has taken the company three years to recover (25% loss of US$2 billion market capitalization) and other significant direct costs
19The retailer |
Do you know where PII is residing?
Companies need to know where PII is located in order to apply protective controls on information. The two dimensions to this are:
• Physical location and storage environment: PII records in isolated storage such as a document record room are easier to secure than those on an internet-facing server. The environment, and therefore its security, depends on the manner in which PII is to be used.
• The format in which PII is stored: Whether it is in a hardcopy (paper) or a digital form, or both. Keeping abreast of where and how PII is stored allows companies to put in place effective control mechanisms and manage the availability of PII for legitimate uses.
Who all have access to PII?
With growing regulatory pressure on the importance of maintaining consumers’ privacy, companies are not only required to inform consumers about how and where their PII will be used, but also who will be using it. Notifying consumers of the groups using/processing their PII is considered sufficient for this purpose.
CP companies successfully protecting PII from unauthorized or accidental disclosure manage their access to PII using the following guidelines:
• Limit access to PII to persons/departments that need it in their work.
• Create a mechanism to track who accessed or modified PII records.
• Ensure that external parties collecting or processing PII for the company protect PII adequately. (Access control mechanisms used by companies may be in the form of procedures or software tools.)
Who is responsible for protecting PII?
There are three institutions related to protection of PII:
• Government regulations: Companies are discouraged from misusing PII by enforcement of legal Acts and rules.
• Market regulation: Disclosure of privacy breach in the public domain damages a company’s reputation.
• Self-regulation: Formulation and enforcement of policies, guidelines and procedures for use and dissemination of PII is the most effective and proactive measure for protecting it.
Is your cross-border PII data flow legally compliant?
• Multinational CP companies may transfer data for business purposes such as the following:
• Consolidated storage of data collected in multiple countries in a single database hosted on a company server located in a country
• Coordinated processing of data 24 hours a day by utilizing regional data-processing centers located in different time zones
• Outsourcing of services (platform as a service and software as a service)
• Centralized analysis of data collected in multiple countries
Many countries have enacted privacy-related regulations to restrict transfer of PII outside their boundaries in order to ensure protection of individuals’ PIIs. Non-compliance with these regulations may lead to severe penalties and punishment. These countries may permit a transfer if it is to certain countries that have been recognized for having adequate levels of regulation for protection of PII, e.g., EU countries, Canada and Argentina. In the case of countries with inadequate levels of regulations for protection of PII, companies can transfer PII to these countries if they fulfill certain stipulations. These stipulations, such as Binding Corporate Rules, data transfer agreements based on model clauses and certification for Safe Harbor, may provide adequate assurance on protection of PII.
Privacy regulations in India
In addition to the already heavily regulated security and banking sectors in India, the CP sector will be the most affected by impending changes in privacy regulations in the country. The Information Technology (Amendment) Act 2008 mandates a strong need for data protection. It addresses concerns on data protection and creates a predictive legal environment for the growth of e-Commerce, which includes data protection and cybercrime-related measures.
Section 43A of the Information Technology Act, 2000 highlights several key clauses related to protection of data privacy —
20 | The retailer
defining sensitive personal information, rules related to lifecycle of PII, transfer of information and the need to comply with reasonable security practices and procedures, including with security standards such as IS/ ISO/IEC 270001.
The anticipated Privacy Bill (to be implemented in 2015) treats privacy as the fundamental right of individuals. It will bring privacy-related regulations in India closer to those prevailing in developed economies such as the European Union.
Generally Accepted Privacy Principles (GAPP)
GAPP was developed by the Canadian Institution of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA). It includes criteria and related material for protecting the privacy of PII and can help organizations design and implement privacy-related practices and policies.
12
34
56
78
910
Management
Choice andconsent
Collection
Use, retentionand disposal
Access
Disclosure tothird parties
Security forprivacy
Quality
Monitoring andenforcement
The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
The entity collects personal information only for the purposes identified in the notice.
The entity limits the use of personal information to the purposes identified and retains personal information for only as long as necessary to fulfill the purposes or as required by regulations and thereafter appropriately disposes such information.
The entity provides individuals with access to their personal information for review and update.
The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
The entity protects personal information against unauthorized access (both physical and logical).
The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related complaints and disputes.
Notice
The 10 generally accepted privacy principles are:
21The retailer |
Regulatory changes in privacy around the world
In the past couple of years, several jurisdictions around the world have improved or expanded their privacy-related regulations. We expect similar progress to take place around the world in 2015.
Regulations: opportunities and challenges
The regulatory complexity associated with collection of PII, disclosure of sensitive personal data and cross-border transfers, coupled with lack of clarity in legislation, leads to businesses spending a large amount of money on third-party consultants, legal counsel, etc.
Challenges for the CP sector may arise from the following:
• Decisions to outsource sales or consumer support where significant consumer PII will be accessed by third parties may be a challenge for companies.
• Legislation in India is not keeping pace with explosion of e-Commerce and growth in its CP market. Ambiguity in documentation-related requirements leaves legislation open to interpretation by legal counsel. This means that companies may be considered non-compliant by a competent authority, despite their having taken adequate measures to comply with regulations.
• Shortage of qualified advisors on privacy in India: Reducing risks related to privacy requires a holistic view to be taken of the processes involved and appropriate application of IT to secure data. A privacy advisor is invaluable to an organization in matters ranging from validation of market research methods to ensuring that digital records are protected.
Americas Asia Pacific EMEIA
Brazil: Brazil seeks to mandate that global internet providers store data gathered from Brazilian users within Brazil.
Canada: Bill C-475, working its way through Parliament, will unify and strengthen the country’s approach to breach notification.
US: Although US lawmakers continue to push for a federal data breach notification law, Congress continues to debate whether federal law should supersede state regulations.
Australia: In late 2012, the Australian Parliament passed the Enhancing Privacy Protection Act, which took effect in 2014.
China: In late 2012, China’s Standing Committee of the National People’s Congress approved a directive that strengthened protection of online personal data. The directive came into force in February 2013.
Singapore: Singapore’s Personal Data Protection Act 2013 came into effect in 2013.
South Africa: South Africa enacted the Protection of Personal Information (POPI) Act in 2014 in to give effect to the constitutional right to privacy of consumers. The Act provides businesses that process personal information one year from the date of commencement of the Act to comply with its provisions or face a Rand 10 million fine or 10 years in jail.
EU: Crafted in 2012, expected to be passed in 2015 and enforced by 2017, the EU General Data Protection Regulation is designed to simplify and strengthen the EU’s data protection framework. Instead of complying with the requirements of 27 individual data protection authorities, organizations will only have to address a single set of data protection rules.
22 | The retailer
Disruptive technologies
Advanced robotics, cloud computing and the Internet of Things (IoT) are some of the technologies expected to exert the most influence on consumers’ behavior and in the global economy in the coming decade.
Advanced robotics refers to the design, construction, operation and application of robots having enhanced intelligence and the dexterity to perform various domestic, commercial and military tasks. Surveillance drones, blanket surveillance cameras across major cities and domestic robots with intimate surveillance capabilities are among the privacy-related concerns about advanced robotics.
Cloud computing is the storage and online access of data hosted on remote servers across the world by various computer services. The complexity of varying data privacy laws and regulations across different regions in the world make appropriate storage and back up of data on the cloud a highly intricate process.
The Internet of Things (IoT) refers to the ability to control things that have the internet built into them as well as to analyze their data and report their performance through smartphone apps and websites. Internet connectivity is (and will be) built into a wide range of consumer products — from security systems such as alarms and door locks to automated window shades and car control systems. Think of home automation with your smartphone as a remote and you have got the gist of this technology! Data sourced from the IoT can reveal vital, intimate and identifiable details about owners of devices, e.g., their preferences and habits. Furthermore, this data may have customer PII that can be sold to manufacturers and advertisers.
With a combined potential economic impact of over US$15 trillion in the coming decade, it is clear that there is an urgent need for policy makers and business leaders to anticipate data privacy-related issues resulting from the emergence of such technologies.
23The retailer |
EY’s point of view
Companies can leverage a growing awareness of the need for consumers’ privacy to their advantage. The image of a consumer-friendly company is boosted when it demonstrates its trustworthiness. Taking the time to create new procedures that account for privacy allows organizations to take stock of how and where they use information about their customers. They can then identify opportunities for improvement in deployment of technology and collaboration with third parties, and streamline their internal processes accordingly.
Companies can adopt the following roadmap to address their privacy-related requirements:
• Locate personal information handled/processed across the organization
• Study applicable laws and regulations and identify privacy-related requirements
• Map regulatory requirements related to privacy to organization’s operating control framework
• Update security policies and procedures to incorporate privacy-related controls
• Identify a privacy officer with a clearly defined role and responsibilities
• Embrace privacy as a part of employees’ training on the need to be aware of it
• Include privacy-related clauses in client/third-party agreements
• Independently assess specific privacy-related regulations or leading practices
• Use third-party tools to control leakage of personal information
• Establish continuous control monitoring
Ultimately, privacy should not be a trade-off against the convenience of businesses, but complementary to them. To achieve this goal, organizations will have to go beyond mere compliance, and formulate new policies and procedures to keep pace with the rapidly changing face of technology. A collective effort on behalf of the entire stakeholder community is required to demonstrate the industry’s commitment to maintaining consumers’ privacy.
Nitin Mehta Director
Nitin Mehta is a Director with EY Advisory and focuses on IT risk and assurance. He joined EY in 2005 in Philadelphia, US, and relocated to Mumbai, India, in June 2007.
He has more than 17 years’ experience in business process and IT risk advisory in India, the US and the Middle East. Nitin is an engineering graduate and has a Master’s degree in management studies. In addition, he is a certified Information Systems Auditor (CISA) and a Certified Information Privacy Professional (CIPP).
Nitin primarily focuses on IT risk and assurance services in the consumer products and life sciences sectors. He has extensive experience in understanding complex information systems, assessing business and IT risks, and formulating control and governance frameworks. His areas of competence include information security, business continuity, application risks and controls, and IT governance.
Inputs from Heena Vazirani
Email: [email protected] Tel: +91 22 6192 1298
24 | The retailer
Security of mobility devices4
Introduction
With the significant growth in the capabilities of mobile devices, and consumers’ adoption of these, these devices have become an integral part of how people accomplish tasks and keep connected, both at work and in their personal lives. Furthermore, adoption of mobile computing has resulted in blurring of organizational boundaries, with IT getting closer to the user. The use of the internet, smartphones and tablets (in combination with “bring-your-own-devices”) has made organizations’ data accessible everywhere and to everyone. Moreover, the advent of the digital age and the growing interconnectivity of people, devices and organizations has opened up a whole new area of vulnerability. Although improvements in hardware and software have enabled complex tasks to be performed on mobile devices, this functionality has also increased the attractiveness of the platform as a target for attackers.
Security-related challenges
Many organizations are concerned about the integrity of data, and increased regulation- and data protection-related requirements have made it imperative for organizations to properly secure data on mobile devices. Today, security-related challenges confront companies around the world as they seek to increase their employees’ productivity or use new applications to appeal to an ever-increasing mobile world. It has become increasingly evident that the benefits and rewards of using mobile devices are sometimes counteracted by fraud and security risks related to them.
Business implications of mobile devices
1. Integration of enterprises
With mounting threats to mobile devices, organizations need to carefully evaluate the potential risks and benefits of adopting mobile platform strategies. Each mobile operating system design is created for a particular target audience — consumer or corporate user. Platforms designed for consumers make functional and security trade-offs to achieve simplicity and usability, while those designed for corporate users present less risks to an organization’s environment when they are integrated due to the secure controls embedded in these devices.
Platforms such as the iPhone and Android were designed and marketed to appeal to consumers with their functional, well-designed interfaces, multimedia functionality and ability
to provide a customizable user experience. They were not originally intended to be secure platforms for the business world. However, as demand for business capabilities increased, these platforms began to integrate corporate functionalities such as emails, VPN connections and security policies. Since these have been built on top of the operating systems rather than integrated at the design level, each new function may introduce new risks and require compensating controls. As these platforms continue to mature, they are expected to reduce the risks associated with the lack of security of mobile devices.
2. Considerations for security of mobile devices
The rapidly expanding mobile device market and its open programming platforms offer corporations significant opportunities to interact with their clients and customers. The rich functionalities offered by these devices support creative innovations that are not possible through a traditional PC. However, size- and computing power-related limitations have forced companies to redesign their internet presence to provide users of mobile devices a browsing experience that is comparable to that experienced while using a PC. However, as developers redesign websites and create mobile applications, they need to consider potential security-related risks and mitigate these.
3. Mobile device-related risks
The ubiquity of mobile devices in the corporate environment has enabled the expansion of the corporate office. However, the risks and potential effect of using and supporting mobile devices as a corporate tool must be understood from a security-related perspective.
25The retailer |
Mobile device application gray box assessments
Mobile device application gray box assessments combine traditional source code reviews (white box testing) with front-end (black box) testing techniques. The application’s codebase should be examined for critical areas of functionality and for symptoms of common poor coding practices. Each of the “hot spots” in the code should be linked to the live instance of the application, whereby manual exploit techniques can verify the existence of security-related vulnerability. The recommended
approach follows this process in reverse order by reviewing the application according to the black box methodology and linking identified vulnerabilities to their cause in the codebase.
A. Threat modeling
Threat modeling allows the testing team to first identify threats that have the greatest potential adverse effect on the application. This phase should be used to prioritize specific components of the application or areas of the code. By using the application architecture documents provided with the application, the testing team should familiarize themselves with its general architecture and usage scenarios.
Collection of information
Documents required to aid understanding of the design and functionality of the application should be obtained by collaborating with the mobile application development team. Details provided in these documents will help in building the foundation for all of the required steps in the threat-modeling process.
Reconnaissance and application mapping
Understanding how a mobile application is intended to function is vital for creating a model of it to which threats can be applied.
During this step, the testing team should manually “crawl” and explore a live demonstration of the application and then explore its anonymous and authenticated portions while focusing on areas that handle sensitive data and functionalities. The architecture, configuration, processes, users and technologies are all documented in this step and leveraged in later steps.
26 | The retailer
The areas to be flagged for targeted for testing during the next phase include:
• Administrative interfaces
• Multipart forms
• Transmission of sensitive information
• Interfaces with external or third-party applications
• Use of mobile protocols such as SMS, MMS and WAP
Every request and response during this stage should be logged for later analysis by using a combination of local proxy tools and network “sniffers.”
Defined system and trust boundaries
During the next step of the review, an assessment team should construct a visual model of the application and its processes in a series of data flow diagrams (DFDs). A DFD will identify the system’s boundaries and the trust boundaries that surround each of its components. Identifying system boundaries gives the testing team a preliminary indication of all the places where data can flow in or out of the system or its components (i.e., data entry and exit points). Later, during the code inspection phase, the testing team should verify that proper validation and encoding techniques are performed at each system boundary. Similarly, identifying trust boundaries will pinpoint areas of the code where the testing team can verify its authentication and authorization.
Mapping threats to functionality
After all the DFD elements are defined, they should be mapped to threats defined in the OWASP Application Security Frame (ASF) threat-categorization methodology to define “hot spots” in the application, so the assessment team can create a customized
test plan based on this. Each of the items in the test plan will be evaluated fully during the targeted code-inspection phase.
B. Identification of vulnerability
The application should be reviewed with an emphasis on the source code of hot spots identified in the previous phase. A black box-style assessment should be performed to identify vulnerabilities at the network or host layer in addition to application-related vulnerabilities that are not readily apparent through a pure source code review. This phase of testing should use automated scans to complement an intensive manual inspection of the application’s components.
Analysis and scanning of code
Automated scanning tools analyze the source code to locate an initial set of security issues. This phase should utilize commercial as well as proprietary tools to scan for symptom code and common programming errors that lead to vulnerabilities. The source code analysis phase should attempt to identify vulnerabilities that affect the application at the host, server and network layers.
Manual analysis
At this step, it is recommended that an intensive manual review of the application code is performed to locate security-related vulnerabilities that are unique to its architecture. We recommend using a combination of the following techniques when reviewing the code:
• Permission analysis: Many platforms require the application to declare the features it will attempt to access during execution. The device then “sandboxes” the
27The retailer |
application to these specific features. Testers can target specific attacks against these features and attempt to bypass restrictions.
• Control flow analysis: This technique is used to go through the logical conditions in the code. Using this method will enable testers to identify common logic flaws, such as failure to handle exceptions and inadequate restrictions on authorization.
• Dataflow analysis: This technique traces data from points of input to points of output. It is especially suitable for identification of common input validation errors such as SQL injection and cross-site scripting.
To apply these techniques, we recommend dividing the application into its various functional components. Each component should be examined for its common insecure programming practices, which can include:
• Authentication — weak password requirements, username enumeration, account lockout, cookie replay attacks and backdoors
• Authorization — privilege escalation, inadequate separation of privileges, disclosure of confidential data and data tampering
• Session management — session trapping or fixation, session timeout, session hijacking, inadequate session termination, session replay and man in the middle
• Configuration management — unauthorized access to administrative interfaces and configuration files, retrieval of clear text configuration data and overly broad privileges assigned to process and service accounts
• Input validation — parameter tampering, buffer overflow, cross-site scripting, SQL injection, XPATH injection, command injection
• Data protection — hard-coded application or user credentials, network traffic sniffing, poor key generation or key management, weak encryption and use of encoding in place of encryption
• Exception handling — information disclosure and denial of service
• Auditing and logging — log forging, and log file manipulation and destruction
• Caching — keystrokes, snapshots, clipboard content and files, which may be cached in different storage locations on a device throughout the lifecycle of a mobile application
• Password vaults — storage of passwords in clear text in a database
• Push notifications — one-way data transmission sent from servers to the application
• Location-based services — attempt to disclose or spoof location data
Review code for architecture security-related issues
This step is especially important if the application uses a custom security mechanism or has features that mitigate known security threats. This final code review pass is used to verify security features that are specific to the application architecture:
• Encryption: Because custom encryption solutions typically are not cryptographically strong, they should be reviewed to verify that they provide adequate protection to sensitive data.
• Protocols: Proprietary protocols for application communication need to be reviewed to determine their resistance to tampering and interception.
28 | The retailer
• Session management: Attempts to create custom session identifiers and session management routines should be reviewed to gauge their protection from session management errors.
• Access restrictions: Use of custom HTTP headers or other custom protocol elements to control access should be reviewed to ascertain that they are protected against unauthorized access.
• Security code: A code, written specifically to address previously identified security issues, should be assessed to ascertain the efficacy of the application.
• Server architecture: External web services and servers used to support the application should be reviewed.
C. Exploitation of vulnerability
This phase of the assessment is a two-part process. First, a custom test plan is developed during the first three phases of the assessment to guide an in-depth analysis of the source code for common insecure programming practices. During the second stage, there is focus on custom security mechanisms within the application. The code is also reviewed for architecture security-related issues. The following are the steps we follow at EY:
Validation of identified issues
Our team analyzes the results from the vulnerability scans, eliminates false positives and creates proof-of-concept examples of exploitable vulnerabilities.
Exploitation of functionality that is unique to the application
A key benefit of the gray box methodology, with its access to the source code and live application, is its ability to exploit vulnerabilities to their furthest potential. At this step, we attempt to exploit authentication- and authorization-related issues that are not apparent in the live instance of the application. These vulnerabilities may enable unintended access to functionality or data that pose a significant risk to a business. We also explore flaws in business logic to control how a user performs actions in the application. These flaws are typically used to defraud user of the application or the company.
Exploitation of link to source code
Since vulnerabilities are verified as exploitable, we link the exploit to the specific sections of the code responsible. This enables developers to quickly understand the issue and assess effort required to remediate the vulnerabilities.
Analysis of risk
We evaluate the vulnerabilities exploited and rate the findings, based on the risks each poses to the company. For each finding, we also assess the potential business impact on the organization if the vulnerability is exploited. This analysis is compounded if multiple vulnerabilities are leveraged to make an enhanced impact.
Provision of customized technical recommendations
After assessing the risk of each exploited vulnerability, we provide detailed recommendations that are specific to the application’s architecture and codebase, including its sample code when applicable. Developers can then use these recommendations to mitigate or remediate vulnerabilities and reduce risks to the application. Our recommendations may also provide secure guidance on coding to address vulnerabilities throughout the application.
Top 10 recommendations for mobile-related security
1. Add mobile-related security to existing employee security awareness programs.
2. Create and implement an IT policy that governs usage of mobiles and ensures employees’ compliance with their companies’ IT policies.
3. Perform threat modeling to identify the risks of moving applications to a mobile platform.
4. Train application developers in secure coding practices for mobile device platforms.
5. Limit quantum of sensitive data transferred to mobile devices or consider view-only access.
6. Utilize Mobile Device Management software to create an encrypted password-protected sandbox for sensitive data and enforce device-side technical policies.
7. Assess technical security of mobile devices and supporting infrastructure and focus on device-side data storage.
8. Establish a program that continually evaluates new and emerging threats on mobile platforms.
9. Increase monitoring controls at mobile device connection points when feasible.
10. Assess classic threats against web-based applications and infrastructure.
29The retailer |
Bring your own device
In the current economic environment, companies are demanding that employees are more productive. They put in place robust mobile programs that allow personal devices to be used safely in a work capacity. This can raise employees’ productivity, be a significant competitive advantage for the organizations and can even result in higher recruiting acceptance rates. An employee IT-ownership model, typically called bring your own device (BYOD), is an attractive option for organizations.
The risk landscape of deployment of a BYOD mobile device is largely dependent on the following factors:
• Organization’s risk profile: In the case of information security-related risks, how an organization defines and treats risk plays a key role in its choosing the type of security controls it will use.
• Current (and future) mobile use cases: Organizations should take into consideration the types of data and functionality that are exposed through deployment of BYOD. For instance, deployment of a retail that allows processing of credit cards on personal devices would require PCI-DSS compliance on the devices, and stronger and more rigorous controls than on non-PCI devices. There can be no “one size fits all” practice.
• Geographic deployment of devices: International deployment increases risk levels, not only because of geographic distribution of devices, but also due to unclear and regionally applicable legislation in certain geographic areas. Those with rigorous privacy-related legislation such as the EU and Brazil affect the legal workload and nature of the security controls that are needed to stay compliant with these regulations.
Considering these factors at an early stage in the BYOD planning process is important for its secure and successful rollout.
30 | The retailer
Steps to secure and improve your BYOD program:
1. Create a strategy for BYOD with a business case and a goal statement.
As technology continues to advance and change the way we live and work, building a smart and flexible mobile strategy will enable companies to explore innovative ways to empower their workforce and drive enhanced productivity.
2. Involve stakeholders early by forming a mobility group.
A cross-business mobility group will help to vet the needs of a business. The group could comprise executives, and HR, legal, support and IT professionals as well as the representatives of key user groups. An effective way of generating powerful usage cases is to model day-in-the-life scenarios that envision how mobility eases the everyday work situations of key employee groups. Demonstrating the success of BYOD programs will help a group to measure the success of its implementation and mold it in the future.
3. Create a support and operations model
Using the scenarios formed by the mobility group, identifying and quantifying costs and benefits will help to build the overall business case for BYOD. Ensure that hidden costs such as increased data-related bills and expansion are considered, together with potential advantages such as increased recruiting success rates with younger demographics.
4. Analyze the risk
By leveraging usage cases, you should assess the data stored and processed in the devices, as well as access granted to corporate resources and apps for the devices. Paying special attention to scenarios that are likely for mobile devices, such as a lost or stolen device, will help to focus the effort. Incorporate geographically relevant data and privacy laws, and consider the impact of the mobile workforce traveling to countries with data import/export restrictions.
5. Create a BYOD policy
Creating a flexible but enforceable policy is key to ensuring that it effectively limits risk to the organization. A BYOD policy should complement your other information security and governance policies, and include:
a. General security requirements for mobile devices
b. Authentication (passcode/PIN) requirements
c. Storage/Transmission encryption requirements
d. Requirement to automatically “wipe” devices after a number of failed login attempts
e. Usage restrictions for mobile devices
f. Company’s liability
g. Rights to monitor, manage and wipe
h. Support model
i. Leading practices for mobile data usage during international travel
j. Acceptable use (if different from normal acceptable use policy)
31The retailer |
6. Secure devices and apps
Implementing an MDM solution or other container-focused management utilities will greatly help an organization manage and secure its devices. Policies on the devices or within managed containers should be defined through risk assessment.
7. Test and verify security of implementation
Perform security testing and review of an implemented solution. Assessments should be conducted by using an integrated testing approach, which combines automated tools and manual penetration testing, and preferably uses a trusted third party with a proven track record of assessing mobile deployment. We also recommend assessing the implementation as a whole and testing of devices, apps and management solutions together. In addition, it is important to test infrastructural changes to enable mobile devices to connect to an enterprise network such as deployment of Wi-Fi or VPN endpoints.
8. Measure success, ROI and roll-forward lessons learned
Measure key performance indicators of your BYOD program and use this to continually improve it. Use direct user feedback extensively to identify areas that need improvement.
How to secure your employees’ devices
1. Evaluate device-usage scenarios and investigate leading practices to mitigate each one.
2. Invest in a mobile device management (MDM) solution to enforce policies, and monitor usage and access.
3. Enforce industry standard security policies, whole-device encryption, PIN code, failed login attempt actions, remote wiping, etc.
4. Set a security baseline to certify hardware/operating systems for use by enterprises using this baseline.
5. Differentiate access to trusted and untrusted devices and layer infrastructure accordingly.
6. Introduce more stringent authentication and access controls for critical business apps.
7. Add mobile device-related risk to your awareness program.
Going forward
As mobile technology companies continue to innovate over the coming years, organizations using these technologies will need to continuously assess the security-related implications of adopting these. A consistent and agile multi-perspective mobile security risk assessment methodology will enable evaluation of the risk exposure in these systems. We believe that it is this teaming between technical testers and business owners that will continue to be the most effective method of evaluating the security of established and emerging technologies.
Rushit Choksey Senior Manager
Rushit is a Senior Manager in the Advisory Services practice, focusing on IT Risk and Assurance areas. He joined Ernst & Young in 2005 and is based out of the Mumbai office
in India.
Rushit has completed his B.E. (2002) in Computer Science and M.B.A (2005) with Systems as his specialization. He holds the following certification: CISA, CISM, CGEIT, CIPP, Diploma in Cyber Law, Foundation Certification in IT-Service Management, ISO 27001 lead implementer. He has led multiple projects on Information Security Management, ISO 27001 assessment and advisory, Information Risk Management, Risk and Assurance frameworks, Information protection and data privacy advisory, IT Governance, GRC automation, ITIL and ISO 20000 advisory service, Business Continuity and Disaster Recovery Planning, IT general controls (ITGC) review.
He has worked extensively in the FMCG, Manufacturing, Pharmaceuticals, Services, Government, Technology, Chemicals, Oil & Gas, Hospitality, Infrastructure, and BFSI sector.
Inputs from Nitin Mehta
Email: [email protected] Tel: +91 22 6192 1678
Reference:
Mobile device security — Understanding vulnerabilities and managing risks (Insights on governance, risk and compliance); Bring your own device — Security and risk considerations for your mobile device program (Insights on governance, risk and compliance);
32 | The retailer
WalmartLabs — turning store giant into e-Commerce player
WalmartLabs, the wing of Walmart developing its e-Commerce initiatives, has created Shopycat, a gift-recommendation app that Walmart.com launched on Facebook in 2011. Shopycat scans friends’ profiles on Facebook to identify interesting gift ideas from “likes, comments and status” updates. It then looks for appropriate presents for such “stoners/thinkers” from Walmart’s product database. According to Walmart, Shopycat led to an increase in purchases on the site.
Another retail application of WalmartLabs’s core technology has been the use of “spikes” in social network chatter to predict the demand for unusual products. Last year, the team correctly anticipated heightened customer interest in cake-pop-makers, based on conversations on Facebook and Twitter. The team sent the data to Walmart’s customers, who are using this to confirm its other research. As these signals become stronger, executives are of the opinion that this will play an increased role in purchasing decisions.
WalmartLabs has also implemented projects that just got customers to think differently about Walmart and e-Commerce, including about “Get on the Shelf,” an online contest for people to submit their inventions for sale at Walmart.
Then there is Goodies, a subscription service in which Walmart customers pay $7 a month for home delivery of a gourmet food box, thereby creating a discerning test market for grocers.
(http://www.fastcompany.com/3002948/walmarts-evolution-big-box-giant-e-commerce-innovator accessed 17 October 2014)
Innovation Board: e-Commerce5
1 2 Amazon’s “Add to cart” through social media
Amazon, the global leader in e-Commerce, consistently garners a significant share of users’ loyalty and expenditure. Its innovations, from “one-click” purchases and “Amazon Prime” to “Amazon Cart” keep this innovation machine ahead of its competitors.
Amazon Cart is firmly grounded in the realm of social commerce. Amazon now allows users to add items to their Amazon shopping list by simply replying to any Amazon product tweet and tagging it with the “#AmazonCart” hashtag. Such products are automatically added to the users’ carts. The next time they log into Amazon, they do not need to waste their time hunting for the products that caught their eye on Twitter.
This feature works by linking users’ Amazon accounts to their Twitter accounts and then proceeding with backend fulfilment. This feature, launched in early May 2014 by Amazon, has attracted significant interest with more than 157,000 tweets with “#AmazonCart” sent in less than two weeks.
(http://www.entrepreneur.com/article/237014 accessed 17 October 2014)
3 Order online, receive offline
Shipping costs are among the toughest aspects of online shopping. According to research conducted by ComScore, nearly 61% of online shoppers “are at least somewhat likely’’ to cancel their online orders if free shipping is not offered.
A sound alternative is to eliminate shipping entirely. With exactly 50% of the top 10 retailers in the US having a brick-and-mortar presence, a “ship-to-store” model is an increasingly popular option that allows users to browse and pay for products from the convenience of their homes, then collect these the same day (no waiting time for shipping!) from their nearest stores. Walmart.com, Bestbuy.com and other “brick and click” e-Commerce brands offer this option to users.
Nordstrom pioneered this idea in 2008 and has seen an 8% growth in its in-store sales and a 42% growth in its revenues.
(http://www.entrepreneur.com/article/237014 accessed 17 October 2014)
33The retailer |
4 e-Commerce websites offering content for driving sales
Most e-Commerce retailers take the beaten path by displaying their products on their websites, exactly as they would in a real store. The trouble is that the way users behave online is very different from their behavior while shopping in actual stores.
For one thing, they do not have the option of reading product reviews while shopping in a brick-and-mortar store. Nor can they hop from one store to another simultaneously like online shoppers, switching from one browser tab to another to compare products, their variations and their prices.
e-Commerce sites such as Net-a-porter and Joyus have caught on to this fundamental difference and offer a completely different online shopping experience to users. Both the sites have a content-driven approach to e-Commerce. Instead of creating marketing content and promoting it on third-party sites, they offer attractive and useful content on their own websites to which users are drawn automatically.
Net-a-porter has a magazine to display its products. It also has videos and how-to guides to cater to more interactive tastes. It sells its products by recommending products’ “looks,” which it feels will suit different types of users, instead of just providing prices, specifications and delivery details like most other e-Commerce sites.
Today, Net-a-porter is one of the largest luxury fashion retailers online in terms of its sales with operations across three continents and more than 3,000 employees.
(http://www.entrepreneur.com/article/237014 accessed 17 Oct 2014)
Buying patterns are different and margins wafer thin in e-Commerce, compared to retail sales. Consequently, companies cannot afford to give away money or points.
According to the e-Commerce giant, Flipkart, its first annual subscription service will offer customers unlimited access to its “in-a-day guaranteed delivery” and “free standard delivery” options with no minimum purchase price, and same-day guarantee delivery at a discounted price and a bonus 60-day replacement guarantee instead of the usual 30-day period. Flipkart’s margins in this plan, which costs INR 500 a year for buyers, is perhaps marginal, but there are other reasons why they have started this program:
Customer-erelated data: Obtain deeper customer data than is possible from a normal registered user. Furthermore, many users simply check out as guests without bothering to register. This program brings even such users into the loop and providing insights into their buying behavior.
Loyalty helps: With brand loyalties in Indian e-Commerce being in a constant state of flux (according to surveys conducted on users), an iota of loyalty can get a user back to the site to make purchases, earn brownie points
Same day delivery: By all accounts, same day delivery volumes have not reached a critical volume by city, and consequently, they cost a lot more than the INR140 charged for the service. That means that e-Commerce sites are making losses on such transactions. If such buyers are brought under this scheme, these losses can be controlled to some degree
Prevent “Sticker Shock”: Various studies indicate that abandonment of shopping carts have been on the rise, and one of the major reasons for this is what is known as sticker shock due to users being shocked when they see the final prices in their carts after adding taxes, shipping charges and other costs. Therefore, when shipping charges are not shown in a cart, it gives a feel-good feeling to buyers.
(http://yourstory.com/2014/06/flipkart-first-innovation accessed 17 Oct 2014)
5 Flipkart’s loyalty program
For more information, visit www.ey.com/in
Connect with us
Assurance, Tax, Transactions, Advisory A comprehensive range of high-quality services to help you navigate your next phase of growth
Read more at ey.com/IN/en/Services
Our services
Centers of excellence for key sectors Our sector practices help ensure our work with you is tuned in to the realities of your industry
Read about our sector knowledge at ey.com/IN/en/Industries
Sector focus
Easy access to our knowledge publications, any time
http://webcast.ey.com/thoughtcenter/
Webcasts and podcasts
www.ey.com/subscription-form
Follow us @EY_India Join the business network from EY
Stay connected
Our offices
Ahmedabad2nd floor, Shivalik Ishaan Near C.N. VidhyalayaAmbawadiAhmedabad - 380 015Tel: + 91 79 6608 3800Fax: + 91 79 6608 3900
Bengaluru12th & 13th floor“UB City”, Canberra BlockNo.24 Vittal Mallya RoadBengaluru - 560 001Tel: + 91 80 4027 5000 + 91 80 6727 5000 Fax: + 91 80 2210 6000 (12th floor)Fax: + 91 80 2224 0695 (13th floor)
1st Floor, Prestige Emerald No. 4, Madras Bank RoadLavelle Road JunctionBengaluru - 560 001Tel: + 91 80 6727 5000 Fax: + 91 80 2222 4112
Chandigarh1st Floor, SCO: 166-167Sector 9-C, Madhya MargChandigarh - 160 009 Tel: + 91 172 671 7800Fax: + 91 172 671 7888
ChennaiTidel Park, 6th & 7th Floor A Block (Module 601,701-702)No.4, Rajiv Gandhi Salai, Taramani Chennai - 600113Tel: + 91 44 6654 8100 Fax: + 91 44 2254 0120
HyderabadOval Office, 18, iLabs CentreHitech City, MadhapurHyderabad - 500081Tel: + 91 40 6736 2000Fax: + 91 40 6736 2200
Kochi9th Floor, ABAD NucleusNH-49, Maradu POKochi - 682304Tel: + 91 484 304 4000 Fax: + 91 484 270 5393
Kolkata22 Camac Street3rd floor, Block ‘C’Kolkata - 700 016Tel: + 91 33 6615 3400Fax: + 91 33 2281 7750
Mumbai14th Floor, The Ruby29 Senapati Bapat MargDadar (W), Mumbai - 400028Tel: + 91 022 6192 0000Fax: + 91 022 6192 1000
5th Floor, Block B-2Nirlon Knowledge ParkOff. Western Express HighwayGoregaon (E)Mumbai - 400 063Tel: + 91 22 6192 0000Fax: + 91 22 6192 3000
NCRGolf View Corporate Tower BNear DLF Golf CourseSector 42Gurgaon - 122002Tel: + 91 124 464 4000Fax: + 91 124 464 4050
6th floor, HT House18-20 Kasturba Gandhi Marg New Delhi - 110 001Tel: + 91 11 4363 3000 Fax: + 91 11 4363 3200
4th & 5th Floor, Plot No 2B, Tower 2, Sector 126, NOIDA 201 304 Gautam Budh Nagar, U.P. IndiaTel: + 91 120 671 7000 Fax: + 91 120 671 7171
PuneC-401, 4th floor Panchshil Tech ParkYerwada (Near Don Bosco School)Pune - 411 006Tel: + 91 20 6603 6000Fax: + 91 20 6601 5900
About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in.
Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016
© 2014 Ernst & Young LLP. Published in India. All Rights Reserved.
EYIN1412-139 ED None
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
AGK
Ernst & Young LLPEY | Assurance | Tax | Transactions | Advisory
EY refers to the global organization, and/or one or more of the independent member firms of Ernst & Young Global Limited
