Despite this, 87% of retailers believe they have adequate security in place to protect customer data. This complacency can probably be explained by a related finding: 86% of retailers believe their site's security measures are sufficient to protect their wider network from the malware that attackers use to steal business and customer data.
The majority of retailers admitted, however, to relying primarily on very basic levels of protection, such as firewalls (77%) and anti-virus (33%), which means they often lacked the encryption controls needed to safeguard both business and customer data. Only 31% said they had network protection beyond a firewall, and only 2% had a comprehensive unified threat management capability in place.
The survey also reveals more worrying findings:
Lack of knowledge and expertise
- 14% of UK retailers admit to not having the expertise necessary to implement basic cyber security measures.
- 40% of UK retailers acknowledge they don’t know why they haven’t implemented basic cyber security measures.
- Only 67% of those who have fallen victim in the past have plans in place to further secure their IT system in the future.
- 48% of those who haven’t previously been compromised have plans in place to enhance the security of their IT systems.
No contingency plans
- 48% admitted to having no process in place to inform customers should their data be stolen.
- 34% stated that the potential impact on brand reputation in the event of a data breach is a key driver for investing in IT security measures.
- 59% of retailers are not very concerned that the risk of credit card fraud will increase in the lead up to Christmas.
- 16% of UK retailers do not have a plan in place in the event of customer credit card fraud taking place.
Email addresses and credit card details – most popular form of cyber theft
- 23% of UK retailers that have been victims of data breaches in the past identified email addresses as the most common form of data to be stolen.
- 10% of UK retailers that have been victims of data breaches in the past admitted to losing customer bank/credit card details.
Lack of staff training
- 34% of retailers did not have training in place to teach staff how to recognise credit card fraud.
- 56% of retailers in London provide practical on-the-job training for point-of-sale staff in recognising credit card fraud.
- Only 35% of retailers in the North provide such practical on-the-job training for point-of-sale staff.
Online retailers – popular targets with cyber criminals
The Web Application Attack Report (WAAR) found that 48.1% of all attack campaigns targeted retail websites, and that websites holding some form of consumer information suffered up to 59% of the attacks. Over the nine-month period from 1 August 2013 to 30 April 2014, the results showed that 40% of all SQL injection attacks and 64% of all malicious HTTP traffic campaigns targeted retail websites.
Looking at them together, the findings of the WAAR and Sophos reports paint a gloomy picture. Despite retailers being a popular target for cyber criminals, they don’t have the necessary cyber security measures in place to protect their customers’ data. This is particularly worrying in the context of the festive season, during which consumer spending and online sales traditionally pick up.
James Lyne, Sophos’ global head of research, said in a press release:
“We’re now in the midst of the busiest time of the year for the retailers, so shops must ensure they have appropriate measures in place to prevent cyber crime. As recent data breaches show, it is critical that retailers protect customer data both from exposure in the public domain and from being quietly used in the background. Cyber criminals have clearly demonstrated systematic compromise of such organisations, it is clear that they are high on their priority list.”
Improving the cyber security of retail organisations
The Payment Card Industry Data Security Standard (PCI DSS) version 3, with which all merchants and service providers are required to comply as of 1 January 2015, stipulates that compliance monitoring should be an ongoing activity rather than an annual exercise.
Implementing the requirements of PCI DSS v3 gives retailers a minimum baseline of cyber security for the systems that store, process or transmit cardholder data. It is a baseline, not a guarantee: the standard sets out what must be protected and how, but the protection is only as good as the ongoing implementation.
Here are a few major areas to focus on in order to help you address the issues pointed out in the Sophos 2014 Retail Security Barometer:
Reduce the cardholder data environment
The fewer systems that store, process or transmit cardholder data, the smaller the environment that must be protected and assessed. A common first step is to discover where primary account numbers (PANs) are leaking into places they should not be, such as application logs, and to stop the leak or truncate the data there. For further guidance on how to achieve this, download the free green paper: PCI DSS: Reducing the cardholder data environment.
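As an added example (not from the Sophos report, the WAAR, or the green paper linked above), the following script scans log lines for candidate card numbers, keeps only those that pass the Luhn mod-10 check so that order numbers and similar digit runs are not flagged, and masks the hits to at most the first six and last four digits, which is the display-masking limit PCI DSS sets in requirement 3.3. The log lines and the card numbers in them are constructed for the example; the card numbers are the publicly documented test numbers used by payment gateways and do not belong to any real cardholder.

```python
import re
from typing import Callable, Iterable, List, Tuple

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a string of digits passes the Luhn (mod 10) check.

    Every second digit from the right is doubled; doubled values above 9
    have 9 subtracted (equivalent to summing their digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six / last four, the maximum PCI DSS 3.3 allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid candidate PAN in one line with its masked form.

    Digit runs that fail the Luhn check (order numbers, timestamps glued to
    other numbers, tracking IDs) are left untouched.
    """
    def _sub(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw

    return PAN_CANDIDATE.sub(_sub, line)


def redact_log(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Redact an iterable of log lines; return (redacted lines, lines changed).

    A non-zero count tells you this log source is inside the cardholder
    data environment until the application stops writing PAN to it.
    """
    out: List[str] = []
    hits = 0
    for line in lines:
        redacted = redact_line(line)
        if redacted != line:
            hits += 1
        out.append(redacted)
    return out, hits


# Constructed sample: a payment gateway debug log that leaks full PANs.
# 1234567890123456 is a Luhn-invalid order number and must not be masked.
SAMPLE_LOG = [
    "2014-11-28 09:14:02 INFO  checkout ok order=1234567890123456 amount=49.99",
    "2014-11-28 09:14:05 DEBUG gateway request pan=4111111111111111 exp=12/16",
    "2014-11-28 09:14:07 DEBUG gateway request pan=5500 0000 0000 0004 exp=01/17",
    "2014-11-28 09:14:09 DEBUG gateway request pan=3782-822463-10005 exp=03/18",
]


if __name__ == "__main__":
    redacted, count = redact_log(SAMPLE_LOG)
    for line in redacted:
        print(line)
    print(f"{count} line(s) contained a full PAN")
```

Masking is the right treatment for data that must be displayed; for data at rest, PCI DSS requirement 3.4 expects the PAN to be rendered unreadable (truncation, tokenisation, strong encryption or a keyed hash), and the cleanest way to reduce scope is for the application not to write the PAN to the log in the first place. The Luhn check removes most false positives but not all, so treat the output as a list of systems to investigate rather than as proof of compliance.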
Ensure you nurture PCI skills internally
Attending a PCI DSS v3 SAQ Workshop will help you complete the new PCI DSS v3 self-assessment questionnaires (SAQs). The PCI DSS Lead Implementer Training Course, meanwhile, will ensure you develop the practical skills required to comply with the Standard.
Educate your employees
Web-based PCI DSS e-learning can help to increase employees' awareness of the Standard's requirements and to explain, clearly and simply, what companies and individual employees must do to meet the current version (v3.0).
Appoint a PCI QSA company
Rather than ignoring the problems or handling them incorrectly, it is better to seek professional help; after all, your company's security is at stake. Look to appoint a PCI Qualified Security Assessor (QSA) company you trust and that is able to provide ongoing support as and when you need it.