By the end of the decade, eCommerce sales in Australia are expected to reach AU$110 billion, or 20% of total retail sales. Nine in ten retailers across Australia and New Zealand are actively investing in Generative AI (GenAI) to capitalise on this opportunity, meet the needs of their digital customers, and automate once-manual processes.

Retailers are forging ahead, and billions are going into developing and building GenAI models – but not enough focus is being given to a new era of security threats.

The eCommerce industry has long been a lucrative target for cybercriminal activity due to the number of shoppers interacting and sharing data on retail websites, high transaction volumes, and the growing network connections that make up its supply chain. However, as retailers continue to reap the benefits of innovative GenAI applications, their attack surface will only expand, along with the threat of malicious activity.  

GenAI powering the rise of the bad bot

Just over 82% of all retail internet traffic in Australia is generated by humans, while 18% is automated traffic – most of which (15%) is made up of bad bots.

Australia is the world’s third most attacked country by bad bots – software applications that run automated tasks on the internet with malicious intent. Sadly, GenAI is making them increasingly accessible, sophisticated, and dangerous. The advancement of GenAI is also one of the reasons automated traffic has increased over the past year, as web scrapers and crawlers are used to collect data to train AI models.

Cybercriminals continue to leverage GenAI tools to help evade security controls, identify vulnerabilities, and make malicious automated application request traffic appear more convincingly human. To combat this, eCommerce sites will require smarter security solutions to help distinguish automated bot-based requests from legitimate customers.

As technologies become more advanced and mainstream, retailers must understand both the benefits and risks of GenAI. Protecting their data and all access points is essential to ensure a secure experience for their customers.

Spotlight on third- and fourth-party suppliers

The Australian privacy commissioner has warned that third-party suppliers are “a real weak spot” for protecting customer privacy. Just as cybercriminals use GenAI to evade retailers’ traditional security protocols, suppliers and their networks face the same threat. However, the associated risks skyrocket when retailers share sensitive information with multiple partners to streamline processes and expand their reach. This practice exposes sensitive data to more potential points of vulnerability across various industries and geographies.

In the AI era, sharing proprietary data or code with third-party solutions, such as a generative AI chat platform, should also be considered a security risk for any organisation. AI tools have not been forthcoming about how data is stored or secured in their platforms, raising a red flag for internal security and compliance teams.

Retailers have a moral responsibility to protect their customers’ data and ensure every supplier they engage with across the entire ecosystem has taken sufficient security measures.

More unsecured data on the move

The growth and success of a retail business today rely as much on good data security as on safeguarding its cash flow.

In the connected retail landscape, the number of channels data travels through and the pace at which it spreads are unprecedented. Whether it is data collected from customers, created by the company itself, or shared with third parties across the retail ecosystem, it has become almost impossible to track where data sits, where it comes from, and where it travels to.

The growing prevalence of GenAI models exacerbates this challenge by requiring huge volumes of data, including proprietary and sensitive information. In the Voice of the Enterprise: AI & Machine Learning, Infrastructure 2023 study, one in seven respondent enterprises will use at least 250 petabytes of data to build and train AI/ML models. More and more CISOs are expressing their security concerns when implementing GenAI, including how employees handle confidential information, who has access, and the increased risk of unintentionally opening the organisation up to attacks.

Thales’ 2024 Data Threat report shows that despite 56% of Australian businesses ranking data-in-transit encryption as the most effective protection for sensitive data, only 13% of those surveyed are actively investing in it. Many organisations prioritise defending user access, connected devices, software, and networks against malicious intent as the most effective way to prevent data incidents. However, organisations that rely solely on securing their entire digital environment—without enforcing confidentiality and integrity on the data itself—remain at risk.

Four steps to increase security in the GenAI age

1. Identify every stakeholder in your data ecosystem and supply chain – Retailers are relying on more partners, external databases, and tools than ever before, spreading security risks outside of the organisation’s walls. Identifying which third- and fourth-party partners are part of your supply chain and creating an exhaustive list of all tools and databases used is a first step toward securing the entire retail ecosystem.

2. Set up a comprehensive data control strategy – Ensure only authorised people or processes, within or outside the organisation, can access specific data sets. Correctly enforced, this will not only prevent sensitive data from being stolen or accidentally disclosed, but it will also prevent data from being tampered with.

3. Secure data in motion – It takes only one material error in the security environment or a small human oversight to open the door to a skilled attacker. Ultimately, the only thing you can control is your data, not what is done with it while it is outside of your walls. Securing the data itself is therefore the only way to truly guarantee its safety and privacy, no matter where it travels to.

4. Encryption – can ensure sensitive information is not visible to unauthorised users or processes within or outside the organisation. If the data is inherently hidden, it can be easily moved, replicated, or backed up without the risk of disclosure – deliberate or accidental.

Retailers caught up in the GenAI hype can leave themselves vulnerable by over-relying on or over-trusting AI systems. By effectively securing their eCommerce environment and data, retailers will build consumer trust in a growing AI-driven industry and limit the impact of evolving malicious attacks.

Reinhart Hansen is director of technology at Imperva, a Thales company.