According to a recent survey by NTT Group, retailers are a popular target for cybercriminals, experiencing nearly three times as many attacks as the financial services sector. Recent research from Tripwire also noted that breaches in the retail sector with confirmed loss of personal information more than doubled from 2014 to 2016, from 14 percent of respondents to 33 percent.
Yet retail IT professionals reported that they are more prepared for handling breaches than they were two years ago. They are increasingly confident in their ability to discover data breaches, with 90 percent now claiming they can detect one within a week, compared to 70 percent in 2014. In fact, almost half of respondents believe they could detect a breach within 48 hours, according to Tripwire.
Are Retail IT Professionals Overconfident?
However, other research also conducted by Tripwire found that there is a gap between what IT professionals believe they can do and what they actually can. It concluded that some are overconfident in their security abilities.
Conducted in the financial services sector, the research found that 87 percent of respondents believe they can isolate or remove rogue devices from their networks within hours or even minutes. Unfortunately, the reality is that 75 percent can only detect four out of five such compromised devices, leaving gaping security holes.
Is this overconfidence affecting retail IT professionals as well?
Read the IBM X-Force research report on security trends in the retail industry
Implementation of Breach Detection Tools Stagnant
According to Tripwire’s retail research, the deployment of breach detection controls remains stagnant even as breaches in the retail sector soar. In both 2014 and 2016, 59 percent of retail IT professionals admitted that breach detection products were only partially or marginally implemented. For the purposes of the surveys, breach detection controls were defined as antivirus software, intrusion detection systems, malware detection, white-listing and file integrity monitoring.
According to the “2016 Data Breach Investigations Report,” 32 percent of security incidents in the retail sector were caused by point-of-sale malware. Breach detection controls would dramatically improve retailers’ abilities to withstand this type of attack, as would deploying network segmentation tools to prevent attackers from getting into systems and exfiltrating data.
Many Sectors Plagued by Overconfidence
Research from the U.K. government showed that overconfidence in security capabilities plagues not just the retail and financial services sectors, but all organizations. While that research found 49 percent of organizations claimed never to have experienced a security breach, the reality is that 90 percent of large organizations and 74 percent of small firms faced a cyberattack in the previous year.
The U.K. government cautioned that overconfidence could be the downfall of security in 2016, especially among smaller organizations. They have fewer resources and less experience than larger security teams but make up 99 percent of all businesses in the U.K. Cybercriminals are increasingly using these companies as conduits into larger organizations.
Further Controls Required
Organizations need to make sure they are adequately protecting their assets, especially given the use of cloud services and mobile devices, which means that data can be stored in more locations than ever before. Attackers are also becoming more sophisticated and are using a growing array of tools, techniques and procedures to breach organizations.
Effective identity and access management services are key for protecting sensitive data by controlling who can access what, with records kept of all access attempts. Organizations should also take a defense-in-depth approach to security. Instead of just relying on perimeter controls, they should beef up their network security to ensure that breaches can be more effectively detected.
Employee education and security awareness training are essential. All personnel must know their role in ensuring security. With spear phishing so prevalent, organizations would be wise to test their staff to see how they react so that they can focus extra training where it is needed.
These research studies indicated that the gap between knowledge and reality is too high when it comes to security. Organizations should look to ensure that the right controls are in place and properly implemented.
Senior Analyst, Bloor Research
Fran Howarth is an industry analyst and writer specialising in security. She has worked within the security technology sector for more than 25 years in an ad...