With more than 174 million Americans shopping over the Thanksgiving holiday weekend, it’s looking to be a busy holiday season for retailers this year. As shoppers continue hunting for the perfect gift over the next couple weeks, it’s important to remember that cyber criminals will likely be on the hunt as well. How prepared are retailers to deal with an attack? In an effort to answer that question, Tripwire surveyed IT security professionals working in retail organizations about their experiences and attitudes towards factors affecting IT security. The results found that a large majority are not fully prepared for data breaches this holiday season. Of the respondents, only 28 percent of respondents said they have a fully tested plan in place in the event of a security breach. Twenty-one percent said their organization doesn't have a plan at all, and the same proportion of respondents said they didn't have the means to notify customers of a data breach within 72 hours, a requirement specified by the General Data Protection Regulation (GDPR). “Considering the amount of high-profile data breaches that have occurred recently, plus the continued discussion around GDPR, it is surprising and concerning that many retailers do not have a tested plan in the event of a security breach,” said Tim Erlin, vice president of product management and strategy at Tripwire. “It’s encouraging that most respondents think they can meet the 72-hour notification window as set out in the upcoming GDPR, but if they haven’t tested their plans, I don’t know how confident they should be in that assumption.” Only a small minority of the retail industry felt fully secure in their incident response capabilities. Twenty-three percent of respondents said they were "fully prepared" to absorb potential financial penalties. Even fewer professionals (15 percent) said they were fully prepared to manage customer and press communications following an incident. Not all the survey's findings were discouraging, however. The results did provide some hope that the industry is moving in the right direction. More than half of respondents (57 percent) said that their organization’s ability to detect and respond to a security breach has improved in the past year and a half. With the holiday season in full swing, organizations should make sure they have proper security safeguards in place. “It’s really critical that organizations have a good view of what’s on their network at all times, that they harden their systems with secure configuration and vulnerability management, and that they are able to continuously monitor for change and are alerted to any drift outside the established security and compliance policies,” said Erlin. There are a number of effective and established security control frameworks available to guide organizations, such as the CIS Critical Security Controls. Implementing even the most basic security controls can go a long way in improving an organization’s security posture.
This study was commissioned by Tripwire and carried out by Dimensional Research in November 2017. A total of 103 qualified participants from the retail industry completed the survey. All participants had responsibility for IT security as a significant part of their job and worked at companies with more than 100 employees.