Risk // Compliance
4/24/2014
08:30 AM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Report: Some Retail Firms Still Don't Recognize Cyber Security Risks

Nearly 10 percent of retail firms have not reported any cyber security exposure to the SEC since 2011, Willis Group says.

Nearly 60 percent of retail companies describe their cyber security exposure as "significant," "serious," or "critical," but another 9 percent are not reporting any cyber security exposure at all, according to a report published Wednesday.

According to a study of filings with the Securities and Exchange Commission conducted by risk advisor and insurance broker Willis Group Holdings, almost a tenth of retailers have not reported any cyber risk in financial documents filed with the SEC, which has required such reporting since Oct. 2011. The report describes the non-disclosure as "surprising," given the high-profile breaches recently discovered at retail chains such as Target, Michaels, and Neiman-Marcus.

Among those that did report cyber exposure, the top three risks cited were privacy/loss of confidential data (74%), reputation risk (66%), and cyber liability (61%). Cyber risk at the hands of outsourced vendors ranked at just 9%, a result Willis also describes as "surprising," given the level of outsourcing across the sector and retailers' heavy reliance on third-party technology partners.

Almost half (49%) of retail companies cited the use of technical safeguards as a chief remedy for cyber risk -- more than the Fortune 1000 as a whole (43%), the report states. However, 17% of retail companies reported inadequate resources to limit cyberlosses.

Less than one tenth (9%) of the retail sector indicated that they have purchased insurance for cyber exposures.

Chris Keegan, senior vice president for e-risk at Willis North America and co-author of the report, says the retail industry is "slightly behind the curve" in protecting itself against cyber security threats.

"A series of recent high-profile cyber breaches has pointed a government spotlight at the sector, and Willis expects this scrutiny to continue," Keegan says. "Our advice for retailers is: Don’t wait for the SEC to come knocking on your door."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
4/25/2014 | 3:33:15 AM
Re: Limited Resources
I'm not surprised. Retailers still have perception of security as a cost. The worrying aspect is that the majority of attacks is not reported for various reasons, because the fear of reputation lost or simply because they go undetected for a long time. 

It is necessary a joint action by retailers, security firms and government .... the phenomena are really alarming
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/24/2014 | 3:08:44 PM
Limited Resources
For the companies that can't use third party security vendors or many detection/prevention tools it should be noted that policy, access management and infrastructure are advocates towards one can be added safeguards. Granted there is cost in the labor of your employees but these methods will prove a short ROI when it comes to regulations/fines. First part is infrastructure. Analyze your network and ensure that items that don't need to be vulnerable to the internet are not. There are many ways that analysis and moving items of your infrastructure can safeguard your data. For access management ensure that the employee is provided the least amount of access available to complete their tasks. Too much access will be detrimental in case of a breach. With well documented policies, most possible secure infrastructure, and efficient access management; resources can be kept safer than in the current predicament at minimal cost.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.