Retailers are “overconfident” about their security, majority have fundamental gaps

This just in, right in time for the holiday shopping daze: many UK retailers’ heads are comfortably buried in the sand when it comes to their cyber security and data protection capabilities, thinking that in spite of not having basic protection and no contingency plans for data breaches, something – maybe magic? – will somehow protect them from malicious cyber attack.

In fact, the vast majority – 72% – of 250 UK retail IT decision makers surveyed for the 2014 Retail Security Barometer report, which was conducted by Opinium for Sophos, have failed to implement fundamental security required to safeguard both business and customer data.

It’s not that retailers aren’t aware of the increasing risks, and it’s not as though retailers don’t know how a breach could affect both consumers and their own brand.

One of many recent examples, this one from across the pond, is US retailer Home Depot, which at the end of last month was facing 44 civil lawsuits across the US and Canada following a huge data breach in September that left 56 million credit cards and 53 million email addresses exposed.

In spite of examples like that, retailers are failing to do things such as properly train sales staff to help stop credit card fraud or the theft of sensitive customer information, such as bank details and email addresses, the study found.

In fact, 34% of retailers have no training in place for point-of-sale staff to recognise credit card fraud.

It’s not as if UK retailers haven’t already fallen victim to cyber crime, the study shows. 33% said that they’d been hit with credit card fraud – 14% of them saying it happened in the past year.

As well, many – 36% of retailers – expect credit card fraud will only get worse, increasing in the lead-up to Christmas.

In spite of that grim outlook, more than a third – 37% – said that they’ve taken no extra steps to secure customer data. What’s more, many might as well be deer frozen in the headlights for all they’ve done to plan for customer credit card fraud, given that 36% don’t have a plan in place to deal with the possibility.

James Lyne, Sophos’s Global Head of Research, says that the holidays are not the best time to be slow on security, given that cyber crooks prioritize the dismantling of retailers’ defenses:

We’re now in the midst of the busiest time of the year for the retailers, so shops must ensure they have appropriate measures in place to prevent cyber crime. As recent data breaches show, it is critical that retailers protect customer data both from exposure in the public domain and from being quietly used in the background. Cyber criminals have clearly demonstrated systematic compromise of such organisations. It is clear that they are high on their priority list.

Another 12% of retail businesses have experienced malicious tinkering with their systems in the last five years, with 21% lacking confidence that their security is up to the job of protecting themselves and their customers from a social media compromise.

That means that 79% of retailers are feeling pretty good about their ability to fend off social media account hijackers, for example.

Let’s hope that’s not misplaced confidence.

As it is, the research reveals significant overconfidence in the retail sector, also known as the Ostrich Effect*, with 87% of UK retailers confident that they have adequate security in place to protect customer data, and 86% confident that they can protect their general networks from malicious malware used by intruders to steal business and customer data.

What undercuts that confidence is that the majority of retailers acknowledge that they rely primarily on barebones protection such as firewalls (77%) and anti-virus (33%).

Relying on perimeter protection such as firewalls can be compared with closing the door of your house while leaving your windows open.

And even those that rely on securing the perimeter don’t defend their networks in depth, with only 31% indicating they have network protection beyond a firewall and only 2% having comprehensive unified threat management capability in place.

Here are some other report findings that should poke holes in retailers’ confidence:

• 72% of UK retailers admit they haven’t implemented basic encryption security to safeguard business and consumer data.
• 14% admit to not having the expertise necessary to implement basic cyber security measures.
• 40% acknowledge they don’t know why they haven’t implemented basic cyber security measures.
• Only 67% of those who’ve fallen victim to cyber crime in the past have plans in place to further secure their IT systems.
• Even fewer – 48% – of those who haven’t previously been compromised have plans in place to enhance the security of their IT systems.

Beyond the fact that the majority – 72% – of surveyed UK retailers admit to not having basic cyber security capabilities, half of them also lack contingency plans in place to deal with a data breach if they do fall victim to attack, even though their brands would be dragged through the mud:

• 48% admitted to having no process in place to inform customers should their data be stolen.
• 34% stated potential impact on business brand reputation in the event of a data breach is a key driver for investing in IT security measurements.
• 59% of retailers are not very concerned that the risk of credit card fraud will increase in the lead up to Christmas.

The research found that email addresses were the most common form of data to be stolen from UK retailers, followed by credit card details.

The specific findings:

• 23% of victimised UK retailers identified email addresses as the most common form of data to be stolen.
• 10% that suffered data breaches admitted to losing customer bank/credit card details.
• 16% lack a plan in the event of customer credit card fraud.
• Overall, 34% lack training for point-of-sale staff to recognise credit card fraud, but it’s better in London, where 56% of retailers in London offer practical, on-the-job training.

Sophos has suggested a few basic steps that retailers can take to drastically improve their security when it comes to the top threats. You can also find out more about how Sophos protects retail businesses here.

Happy holidays, retailers and shoppers alike – hope you all make it through with minimal or no bedevilment from fraudster elves!

*My apologies to ostriches: we know they don’t really bury their heads in the sand, but it’s funner to say that than “selective attention to information.“

Image of checkout courtesy of Shutterstock.