Thales eSecurity Blog

Wake Up and Smell the (Retail IT Security) Coffee

Tina Stewart | VP of Market Strategy

Retail – the industry that started it all. Or at least when it comes to the general public’s understanding of cybersecurity. Early breaches at major retailers like Target and Home Depot were among the first to raise awareness of the threat of data breaches. It’s been nearly 2 years since this initial wave of highly-publicized retail breaches, but what is the current state of IT security for organizations in this sector? We decided to ask.

Yesterday, we released the results of the Retail Edition of the 2016 Vormetric Data Threat Report (DTR), detailing IT security spending plans, perceptions of threats to data, rates of data breach failures and data security stances of retail organizations.

Overall, the report found that a whopping 89% of retail IT security professionals feel vulnerable to data threats. But with the looming threat of cyberattack, how is IT security spending being impacted? And what motivates retailers to spend money on security programs in the first place? Let’s dive right in.

Cybersecurity spending: Where is the limited budget going?

As reported by The New York Post, at least half a dozen of the largest retailers in the U.S. – such as Macy’s, Nordstrom and JCPenney – experienced disappointing results in the first quarter of 2016, ultimately leading to sharp decreases in investor shares. With these stark decreases in profits, one begins to wonder how retail organizations will prioritize and allocate the cybersecurity budget they do have.

According to our report, 55% of retail organizations plan to increase spending on network defenses. The next highest planned increase in spending (48%) was for endpoint and mobile device defenses. And while traditional endpoint, network and perimeter IT security solutions can reduce an organization’s risk of data breaches, they are not completely effective against hackers – it’s no longer a question of if you’ll be breached, but when. When attackers have bypassed perimeter defenses, data-at-rest security controls will be the final layer of defense in protecting an organization’s sensitive data from compromise.

We all have our priorities… what about retail IT?

Our report also dove into the top data protection drivers for retail IT security professionals. According to the survey findings, their highest priorities for IT security spending were as follows:

  • Reputation and brand protection – 55%
  • Compliance – 49%
  • Best practices – 37%
  • Executive directive – 35%
  • Preventing data breaches – 31%

That’s right – reputation and brand protection are the top priority for retail IT security spending. And while protecting a brand’s reputation is obviously extremely important from a business perspective, the finding is directly at odds with the lowest listed priority: preventing data breaches. When a data breach happens, you can bet your bottom dollar that brand damage and even loss of customer loyalty will be sure to follow.

We also found that compliance was a top driver of IT security spending in retail, coming in second at 49%. This is understandable, given that organizations operating within a regulated industry won’t be able to stay in business without remaining compliant. However, the cold hard truth is that compliance is not enough.

Though a good starting point, compliance regulations are updated over many months and years, as opposed to cyberattacks, which continue to evolve by the minute. This leaves organizations to use compliance-mandated protection methods that may already have been eclipsed by the attackers. For more on fighting today’s battles with yesterday’s rules, I recommend reading this blog post by my boss, Alan Kessler.

A step in the right direction

Thankfully, there’s a glimmer of light at the end of the tunnel. A small pot of gold if you reach the end of the retail IT security rainbow. A number of positive results of the report indicate that retail organizations are taking steps in the right direction to recognize and deal with the problems surrounding their use of sensitive information. We found that 61% of retail organizations are increasing spending to protect sensitive data. In addition, 44% plan to invest in data-at-rest defenses this year.

In today’s digital world, data is the crown jewel. Whether credit card information or healthcare records, it all comes down to protecting your sensitive data from cyberattacks. The time has come for retailers to embrace a data-centric mindset and thereby change their approach to how data is protected.

To learn more about what Vormetric can do for you, please feel free to leave a comment below, or tweet me @SocialTIS.