
Retail cyber security spending ineffective as breaches rise

Cyber attacks on the retail sector are increasing, and although most retailers plan to increase cyber security spending, planned investments are unlikely to be effective, a report reveals

Half of US retailers experienced a data breach in the past year, up from 19% the year before, according to the retail edition of the 2018 Thales data threat report.

This increase made US retail the second most breached sector in the US after the federal government, putting it ahead of healthcare and financial services.

The increased number of data breaches in the sector means that three-quarters of US retailers polled have experienced at least one data breach, up from 52% a year ago.

At the same time, the report reveals that while the US retail sector is more inclined than others to store sensitive data in the cloud as widespread digital transformation is underway, only 26% report implementing encryption to keep that data safe.

According to the report, 95% of US retail organisations will use sensitive data in an advanced technology environment such as cloud, big data, internet of things (IoT) and containers this year. More than half believe that sensitive data use is happening now, in these environments, without proper security in place.

Each of these technology environments comes with unique security challenges, the report said, adding that as the attack surface increases, unique data security challenges need to be addressed.

Garrett Bekker, principal analyst for information security at 451 Research, said the increases come as no surprise to retailers.

“While nearly 95% of retailers acknowledge vulnerability, now almost half recognise they are extremely vulnerable,” he said.

“This is an increase of 30% of respondents from the previous year. While this trend can be partially attributed to US retailers aggressively pursuing a multi-cloud strategy, these organisations continue, year after year, to spend on the same security solutions that previously worked.

“With increasingly porous networks and expanding use of external resources such as software, platforms and infrastructure as a service, traditional endpoint and network security are no longer sufficient.”

The increase in attacks against the retail sector, the report said, raises questions about the relatively low level of spending on data security.

In the US, the traditional concerns about data security related to perceived complexity and business performance impact are now outpaced by a perceived lack of need, according to 52% of respondents.

Globally, the report said a lack of organisational buy-in was tied to 41% not perceiving a need for data security. “The message here is that management needs a sense of urgency, and instilling that may require IT to do a better job of selling the importance of data security,” the report said.

While US retail organisations are responding to the ever-increasing threat, with 84% citing plans to increase IT security spending and 28% noting the increase would be significant, the report said planned spending is not going to what respondents believe are the most effective defences.

While the retail sector recognises the need for encryption to protect sensitive data, both US and global retail ranked endpoint and mobile defences as those that will get the largest spending increase in the coming year, even though they rank them the least effective.

Fortunately, more organisations are recognising the threat to cloud data, with 49% of respondents ranking cloud at the top of their IT security spending priorities.

Peter Galvin, chief strategy and marketing officer at Thales eSecurity, said this year’s significant increase in data breach rates should be a wake-up call for all retail organisations.

“Digital transformation is well underway and the benefits of the cloud, big data, IoT and mobile payment technologies are compelling and fueling widespread adoption. However, with the flow of sensitive data through all of these disparate platforms and technologies, the attack surface increases exponentially and with it the risk of a data breach,” he said.
