Nearly 75% of IT security professionals from the retail industry say their companies do not have a fully tested plan to address a security breach, according to a Tripwire report today.
Some 28% of survey respondents do have a fully tested breach plan, while 21% lack a plan altogether, the report notes.
Additionally, 21% of survey respondents say they don't have the means to notify customers of a data breach within 72 hours of its occurrence. That runs counter to the requirements of the General Data Protection Regulation (GDPR), which in May begins the financial penalty phase for noncompliance. GDPR fines can reach as high as 4% of a company's revenues.
Only 23% of survey respondents feel fully prepared to incur financial penalties, the survey says. "Considering the amount of high-profile data breaches that have occurred recently, plus the continued discussion around GDPR, it is surprising and concerning that many retailers do not have a tested plan in the event of a security breach," says Tim Erlin, vice president of product management and strategy at Tripwire, in a statement.
Read more about the survey here.