Risk // Compliance
4/24/2014
08:30 AM
Tim Wilson
Tim Wilson
Quick Hits
50%
50%

Report: Some Retail Firms Still Don't Recognize Cyber Security Risks

Nearly 10 percent of retail firms have not reported any cyber security exposure to the SEC since 2011, Willis Group says.

Nearly 60 percent of retail companies describe their cyber security exposure as "significant," "serious," or "critical," but another 9 percent are not reporting any cyber security exposure at all, according to a report published Wednesday.

According to a study of filings with the Securities and Exchange Commission conducted by risk advisor and insurance broker Willis Group Holdings, almost a tenth of retailers have not reported any cyber risk in financial documents filed with the SEC, which has required such reporting since Oct. 2011. The report describes the non-disclosure as "surprising," given the high-profile breaches recently discovered at retail chains such as Target, Michaels, and Neiman-Marcus.

Among those that did report cyber exposure, the top three risks cited were privacy/loss of confidential data (74%), reputation risk (66%), and cyber liability (61%). Cyber risk at the hands of outsourced vendors ranked at just 9%, a result Willis also describes as "surprising," given the level of outsourcing across the sector and retailers' heavy reliance on third-party technology partners.

Almost half (49%) of retail companies cited the use of technical safeguards as a chief remedy for cyber risk -- more than the Fortune 1000 as a whole (43%), the report states. However, 17% of retail companies reported inadequate resources to limit cyberlosses.

Less than one tenth (9%) of the retail sector indicated that they have purchased insurance for cyber exposures.

Chris Keegan, senior vice president for e-risk at Willis North America and co-author of the report, says the retail industry is "slightly behind the curve" in protecting itself against cyber security threats.

"A series of recent high-profile cyber breaches has pointed a government spotlight at the sector, and Willis expects this scrutiny to continue," Keegan says. "Our advice for retailers is: Don’t wait for the SEC to come knocking on your door."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
4/25/2014 | 3:33:15 AM
Re: Limited Resources
I'm not surprised. Retailers still have perception of security as a cost. The worrying aspect is that the majority of attacks is not reported for various reasons, because the fear of reputation lost or simply because they go undetected for a long time. 

It is necessary a joint action by retailers, security firms and government .... the phenomena are really alarming
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/24/2014 | 3:08:44 PM
Limited Resources
For the companies that can't use third party security vendors or many detection/prevention tools it should be noted that policy, access management and infrastructure are advocates towards one can be added safeguards. Granted there is cost in the labor of your employees but these methods will prove a short ROI when it comes to regulations/fines. First part is infrastructure. Analyze your network and ensure that items that don't need to be vulnerable to the internet are not. There are many ways that analysis and moving items of your infrastructure can safeguard your data. For access management ensure that the employee is provided the least amount of access available to complete their tasks. Too much access will be detrimental in case of a breach. With well documented policies, most possible secure infrastructure, and efficient access management; resources can be kept safer than in the current predicament at minimal cost.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4231
Published: 2015-07-03
The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative privileges in one VDC, aka Bug ID CSCur08416.

CVE-2015-4232
Published: 2015-07-03
Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856.

CVE-2015-4234
Published: 2015-07-03
Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs CSCun02887, CSCur00115, and CSCur00127.

CVE-2015-4237
Published: 2015-07-03
The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv0...

CVE-2015-4239
Published: 2015-07-03
Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13(0.21) allows remote attackers to cause a denial of service (device reload) by sending crafted OSPFv2 packets on the local network, aka Bug ID CSCus84220.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report