For two decades now, online attacks targeting retailers have been on the rise. According to a new report from 451 Research and data encryption and tokenization provider Thales, last year was no different.
It’s not all bad news in the report. But let’s first get the bad news out of the way. And it’s bad: 50 percent of U.S. retail survey respondents said that they were breached last year. That’s quite a high number. It is a bit more than the 36 percent global average across all organizations and nearly double the 27 percent reported by their international retail counterparts. A surprisingly high 75 percent of U.S. retailers have been breached at some point.
Of course, retailers have been struggling with data security since the beginnings of eCommerce. Unfortunately, retail has historically been a laggard when it came to IT. In the late 1990s and early 2000s, retailers’ websites were built with little concern for data and payment security. The fact that retail tends to be a low-margin business didn’t help when it came to IT and security investments. And the number of data breaches in the sector at the turn of the century showed how little attention security had received at the time.
Managing the risks associated with cardholder data became a concern for the credit card companies. Each credit card company — Visa, Mastercard, American Express, Discover — independently started its own data security standard. Eventually those efforts were consolidated under the Payment Card Industry Security Standards Council (PCI SSC), and the Payment Card Industry Data Security Standard (PCI DSS) that we know today was born, with version 1.0 released in 2004.
Criticism of PCI DSS aside (and there’s plenty of it to go around), retailers in the U.S. have remained behind the level of data security they need, but they have made improvements, and they are continuing to work to improve. As this survey shows, 84 percent of U.S. retail survey respondents plan on increasing IT security spending this year, up from 77 percent last year and more than the global retail average of 67 percent.
In an unrelated report, security provider Gemalto’s 2017 Breach Level Index, retail, with 199 data breaches, tied for third place (with education) as the most breached industry. Healthcare was breached the most with 471 breaches, and financial services came second with 219 breaches.
Yet retail security still appears lackluster. Interestingly, according to the report, U.S. retailers are relatively high adopters of cloud, and the increased use of cloud tops the list of IT security spending drivers at 49 percent, well above the global average of 39 percent. The other leading spending drivers are concerns about financial fines (45 percent) and damage to reputation and brand (33 percent).
Despite PCI DSS and GDPR concerns, regulatory compliance declined as a strong driver of spending on IT security in U.S. retail. In fact, only 23 percent said that regulatory compliance is a driver of security spending. However, 41 percent of retailers outside the U.S. cited regulatory compliance as a big driver in their data security spending decisions. “The higher Global average was likely influenced by this year’s arrival of GDPR in Europe, though we also note that this was only the second year that the impact of cloud computing was offered as a response option,” the report stated.
Despite compliance not being a primary driver of data security spending, 83 percent of U.S. retail respondents did say that compliance requirements are ‘very’ to ‘extremely effective’ in preventing breaches. Only 53 percent said the same last year. “It should be remembered that most compliance regulations focus on specific data sets, such as PCI DSS and credit card data, and are limited in their governance over other data types. Also, compliance regulations often lag leading-edge trends in threat vectors and cyber-attacks,” the report stated.
Additionally, the report had interesting findings on which areas of security spending are now high-priority. According to the report, 43 percent of U.S. retail respondents plan on deploying cloud access security brokers (CASBs), and 42 percent plan on deploying security information and event management (SIEM) systems. “Global retail priorities differ, however, with encryption with bring your own keys the top choice at 42 percent, well ahead of 30 percent for U.S. retail; identity and access management rank second (40 percent),” the report stated.
Other interesting findings in the report include:
- U.S. retail respondents ranked analysis and correlation tools (91 percent) as the most effective solution for stopping breaches, with data-in-motion protection (90 percent) second.
- Despite having a higher propensity to store sensitive data in the cloud, only 26 percent of U.S. retailers are implementing encryption in the cloud today, compared with 30 percent for both global retail and the global average.
- However, encryption and tokenization remain the top choices for securing emerging environments.
It’s good to see retailers taking additional steps to secure themselves, but they’re going to have to make sure that they invest in the proper processes and in people with the right skill sets if they hope their security investments will provide long-term risk mitigation.