GST – Government Service Tax or Getting Security Toughened
With so much focus on GST-readying businesses in 2015, not much attention is paid towards protecting data. But as more small- to medium- sized businesses turn to accounting software that enforces the government service taxation (GST) method, they are actually opening up more access and opportunity to hackers to infiltrate their IT environments and cause damage.
According to Barracuda Networks’ regional manager Thiban Darmalingam, SMEs use to work in siloes, with data confined in specific areas. “With implementation of GST, this has changed the whole paradigm of how businesses do their sales operations.”
This gives rise to a new kind of fear: how securely does your local retailer and ‘mamak’ shop protect your transactional information, now that their businesses are ‘computerised’, so to speak.
Retail technologies used in Malaysia’s GST implementation
The use of technology for Malaysia’s April 2015 GST implementation, is almost a no-brainer. The oft-used traditional method of Excel sheets instead, would be an arduous and time-consuming endeavour for businesses implementing GST the first time.
For example, there is the categorisation of all the various goods and services according to how they should be taxed. An accounting software is required for this, which is connected to a GST-compliant point-of-sale terminal, which is also connected to the Royal Malaysian Customs Department (RMCD).
There is also an increasing number of accounting software that is not run on-premise, but are offered as a cloud service.
Filing for tax refunds also requires retailers to generate GST audit files (GAF), which has to be electronically transferred to RMCD, and also be archived and retrievable in a safe and secure manner.
In short, the whole process becomes automatic, cheaper and more convenient.
On the other side of the coin…
The whole process at first glance, is effective, efficient and very productive, but it also creates more attack surfaces for cybercriminals, especially if security is just an afterthought.
The threat increases many times more especially for small- to medium- sized businesses that face restraints in terms of finances and IT skills.
According to Barracuda’s Senior Product Marketing Manager for Security, Sun Ruoting, there are more people with GST implementations, exposed to threats today.
“What’s at stake when a business’ IT is handled by people who are not necessarily IT-savvy?” he posed the theoretical question.
Definitely a lot is at stake, not least of which is sensitive financial information, and also customer information.
Barracuda’s Senior Product Marketing Manager for Data Protection, Tony Liau shared, “Research has shown that regardless of the company size, only six-percent survive when data loss happens. “
Data governance – who owns the data?
Before one begins to ask, ‘What can I do to protect my information?’ the more pertinent question to ask first may have to be, ‘Who owns the responsibility of protecting the information?’
Sun said, “The more you open up to the Web, the more you launch Web servers into public cloud infrastructures. The more you move into a more elastic model of consuming IT, the biggest problem becomes that retailers are not certain who is in control of their own data.”
Over 15 years ago, IT was simpler because most of the backend servers that retailers used, were behind a network perimeter.
Sun explained, “Today, networks talk to other networks, users leave the premises, there are different connectivity technologies, and there is less control. So, who owns the data? The service provider or the retailer?”
Logic dictates the party aka. retailer that acquired the customer data and generated their own business data, has the responsibility of protecting it. But if a hacker wants to get their hands on millions of customer records for example, they would go to the software-as-a-service provider, and breach their IT environment.
Is there a solution available that addresses all the potential security vulnerabilities, no matter how services are delivered to end users, be it from on-premise, the cloud or a combination of the two?
There are also more nodes (devices) which you can use to access sensitive customer data, thanks to current trends like mobility and bring your own device (BYOD).
According to Sun, the majority of attacks to access customer data uses more than one vector. They also have longer incubation periods, remaining hidden for the whole time, as they quietly steal information.
“As there are more points of connections for information to get out and threats to come in, think about ways to secure the ways attacks get into the network, rather than about the attack itself,” said Sun.
Another way to think about it, is that you don’t want a burglar to be in your house, in the first place.
The problem is that most attacks are polymorphic these days. This renders traditional security quite useless against them. The same goes for multi-vector attacks that has rendered all option of traditional security solutions, inert.
Sun said, “They are just too siloed.”
The integration imperative
What does this mean for smaller organisations?
“SMEs do not have the resources to spend on all the different solutions for all the different threat vectors. So, there is all these apps and usage in the organisation to worry about, and now there is also GST software to worry about,” Sun pointed out.
Liau shared, “How Barracuda approaches this problem and all of what we have done is to have a singular platform team that works across all products so that they will always understand what’s happening, from backup products to storage products to security products.”
“We want to be that one stop IT shop where you can have option of how to deploy security and grow as your network grows, with a level of relationship and support,” Sun concluded.