By Ryan Stolte
Now that the holiday shopping season is here, it’s a good time to step back and think about how retailers are protecting shoppers’ valuable information. Whereas in the past, most companies adopted a “sell, sell, sell” mentality, this year, as revealed in our new 2016 Pre-Holiday Retail Cyber Risk Report, the mentality is shifting to “sell securely.”
Our Bay Dynamics’ 2016 Pre-Holiday Retail Cyber Risk Report is based on survey by Osterman Research, asking 134 IT and security professionals who work for retail organizations, about the cyber risks posed by permanent, temporary and contract employees. The findings, especially compared to our 2015 retail risk report, are uplifting. We are seeing a significant shift in how retailers are prioritizing cyber security.
Retail IT and information security professionals no longer view cyber security as a “seasonal” issue. As revealed in our new report, 56 percent of IT and security professionals say they do not feel more pressure during the holidays to secure their organizations vs. in 2015, when 66 percent, of respondents said they felt more pressure during the holidays to secure their organizations. The results mean that IT and security professionals are feeling pressure year-round to protect their organization’s valuable information. Cyber security and selling product now sit next to each other every day of the year on the priority list, as more organizations realize selling product and securing customers’ data go hand-in-hand. As we have seen from the various retail data breaches in the past few years, just one compromise creates brand damage and mistrust among customers. In the end, companies will sell more products if they sell securely vs. getting breached due to insecure practices.
Most of the statistics in the report reflect the overarching theme that cyber security is being made a top priority year-round. For example, there’s a four-fold jump (from seven percent to 30 percent) between 2015 and 2016 in the number of IT and security professionals who say their permanent employees accessed and/or sent sensitive data they should not have accessed and/or sent. There’s also a significant decrease (from 14 percent to five percent) in the number of IT and security professionals who say they are not sure if their permanent employees have accessed and/or sent sensitive data they should not have accessed and/or sent. The findings indicate that IT and security professionals have better visibility into the actions of their permanent employees. Whereas in the past they were “eyes wide shut” - meaning if they didn’t see a security violation, it didn’t happen - now they are more aware of what’s happening in their environment. One of the most popular methods of attacking an organization is either a legitimate insider using his/her credentials to steal sensitive corporate data or an outsider posing as an insider, using the person’s legitimate credentials to steal information. Criminals have realized that companies are getting better at locking the doors so now they are going after the keys. That’s why it’s important that IT and security professionals have full visibility into who is accessing their company’s sensitive data and how they are interacting with it.
On that note, the report also reveals a shift in how much access IT and security professionals are giving their temporary employees. The majority (64 percent) of IT and security professionals say they don't give temporary workers their own accounts, and for this segment of respondents it is also extremely unlikely those temporary workers are given access to sensitive data. For those who say they do (36 percent) give temporary workers their own accounts, they are also doing a better job monitoring those employees. Only 12 percent of respondents say they have little to no visibility into what their temporary workers are doing on the network. Temporary employees using shared accounts is nothing new, especially in the retail industry. However, what is new is that more of those employees are also not getting access to sensitive information. Since using shared accounts can pose a major security risk, it’s best to limit access to sensitive information for those employees who use those shared accounts. If a small portion of temporary employees need access to sensitive information to do their jobs, then companies should monitor their actions and flag anomalous behavior that may indicate a compromise in progress.
Limiting access to valuable information is one of the best ways to reduce cyber risk. The less people who can access it, the less opportunities for criminals to exploit them. As our report shows, retailers are increasingly getting better at limiting access with only six percent of IT and security professionals saying their temporary workers have access to personally identifiable information (PII), and only 13 percent saying their contractors can access PII. The finding is in line with the rest of the report, showing that retailers are prioritizing cyber security. They are feeling pressure year-round to secure their sensitive information; they are more closely monitoring their employees who have access to sensitive information; and are limiting access to sensitive information.
The overall takeaway from our report is one of hope. It seems that retailers are stepping up to the cyber security plate and are not only concerned about selling their products. They seem to understand that it’s more important to do the right thing, and protect their customers’ valuable information, vs. operating insecurely to make a profit.
About Ryan Stolte
Ryan is the co-founder and Chief Technology Officer at Bay Dynamics, a leading cyber risk analytics company that enables enterprises to prioritize security activities and direct their limited resources at their most important problems.