Security in an Insecure Retail World
Cyber breaches are down, but retailers are responding by cutting their security budgets.
By Maura Keller
In an age where technology controls many facets of a business, attention to cybersecurity is becoming paramount as marketers recognize how breaches can rob them of vital intangible assets.
PwC polled 836 retail and consumer goods companies worldwide for its “2015 Global State of Information Security Survey” to provide an overview of the information security industry while highlighting cybercrime threats in the retail and CPG sectors. The survey found that retailers often are quick to adopt digital technologies before effectively securing them. This lack of security resulted in a 19 percent increase in detected incidents among retailers in 2014 over 2013. By contrast, CPG companies saw detected incidents decline 14 percent from 2013, to a total of 2,065 incidents, compared with 3,447 incidents detected by retailers.
The number of overall security incidents detected may have increased due to companies deploying advanced network monitoring systems, thanks in part to the 61 percent rise in security spending in 2013. But that spending didn’t last. Information security budgets are down 15 percent over 2013, with retailers reducing their security investments more sharply than consumer goods companies.
“As our survey indicates, significant efforts have occurred over the past few years in monitoring and detection technologies, such as foundational capabilities,” says PJ Ritters, director of PwC’s retail and consumer practice. “As such, organizations are refining their overall protection strategies, altering their spend as needed to address cybersecurity threats, and enhancing people, process, and technology capabilities in order to mitigate risk. Organizations need to remain diligent, continually revisiting their strategies for protecting high-risk data, especially as business models and supporting IT landscapes change. With each change, new threats and vulnerabilities are introduced that require mitigation.”
As CPG and retail employees become more mobile by accessing networks, data, and applications remotely, only 56 percent of respondents, down from 69 percent in 2013, have the necessary technology to secure their remote-access software.
Although recent high-impact data breaches have been conducted by criminals who gained access to retailers’ networks and POS systems by attacking third-party suppliers, only 54 percent of survey respondents have established security protocols for vendors, suppliers, contractors and external suppliers. And while conducting risk assessments of third-party constituents is paramount, only 29 percent of respondents have third-party monitoring programs in place, and 37 percent say they plan to add one in the near future.
But Ritters stresses that the threat of a breach is no longer an IT-driven issue. “It is a business issue, a persistent threat, that organizations, regardless of size or industry, are navigating,” Ritters says. “The frequency of breach reporting has increased public awareness and subsequent importance for mitigation. Simply stated, the bar for mitigating data privacy and security risk has been raised, not lowered due to an increased tolerance.”
So how do new payment systems, such as Apple Pay, affect consumers’ perception of cybersecurity? According to Ritters, the continuing maturity of the payment landscape is a step forward, whether it be digital wallets, contactless payments, EMV, or other alternatives.
“However, while these emerging technologies potentially mitigate one element of risk, industry trends indicate that adversary motives and tactics will continue to evolve as business strategies change and business activities are executed,” Ritters says. “As such, new payment systems are only part of the overall solution for risk mitigation. Consideration should be given for determining how critical assets are potentially at risk and subsequently protected as retail and consumer products companies leverage loyalty and transaction data to enrich relationships. Payment data is but one data point that malicious threat actors can exploit for gain.”