
7/20/2018
08:05 AM
Larry Loeb

More Data Breaches in Store for US Retail Industry

A report from Thales eSecurity and 451 Research finds that the security systems of US retailers are getting breached more often than their global counterparts. As a result, IT is rethinking its security spending.

US retail businesses are under increasing attack by cybercriminals, and the number of data breaches affecting this industry is on the rise, according to a new study from Thales eSecurity and 451 Research.

The report, "2018 Thales Data Threat Report -- Retail Edition," finds that 50% of the US retail respondents reported at least one breach in 2017, which is greater than the overall global average (about 36%) and second only to the US federal sector (57%).

That 50% number is also greater than the global retail average, which stands at 27%. Additionally, nearly 75% of US retailers report that they have experienced at least one breach in the past year, compared to 60% of global retailers.

As if to emphasize the point, earlier this year, Panera Bread, Hudson Bay and Under Armour all announced that their systems were breached within a two-week span. (See Massive Data Breaches & Data Leak Hit Retail Industry in 1-2-3 Punch.)

The report is based on responses from 100 senior retail IT security managers in the US, along with 96 IT security managers from retailers in other countries.


In addition to the other results, 49% of US respondents report that they are "very" or "extremely" vulnerable to attacks on sensitive data, compared to the global retail rate of 35%.

This may be what causes an uptick in security spending.

Of all the US respondents, 84% report that their organizations will increase IT security spending this year, which is up sharply from last year (77%) and higher than both the global average (78%) and global retail (67%). More than a quarter of both US retail and global retail respondents (28%) report that their spending this year will be "much higher."

However, the report finds retailers have obstacles to solving these problems. The lack of perceived need is the top barrier (52%) followed by impacts on business performance (47%) and perceptions of complexity (46%).

How retail is responding to the threat is somewhat scattered. While analysis and correlation tools were ranked as the most effective way of dealing with data breaches (91%), spending plans are highest for endpoint and mobile defense tools, despite their being ranked as the least effective defenses.

Further confusing the issue, defense of data-at-rest (57%) and data-in-motion (62%) were ranked at the bottom of spending priorities for US retail, despite scoring much higher for effectiveness.

The report found that the drivers for IT security spending could be associated with certain areas. The increased use of cloud was the top driver at 49%, which is above the global average of 39%. In US retail this is followed by avoidance of financial penalties (45%, versus a global average of 39%) and reputation and brand protection (33% for US retail).


Compliance declined as a strong driver of spending on IT security in US retail: 23% versus 37% global average and 41% global retail.

However, at the same time, 83% of the US retail respondents felt compliance requirements are "very" or "extremely" effective in preventing breaches, compared to a 64% global average and 65% for global retail. Compliance regimes focus on specific data sets, such as credit card information, and their requirements may lag the real-world threats faced by IT.

In its conclusion, the report looks into the demonstrable cloud adoption by retail and recommends that the sector change its priorities:

With increasingly porous networks, and expanding the use of external resources (SaaS, PaaS, and IaaS most especially) traditional endpoint and network security are no longer sufficient, particularly for heavy adopters of public cloud resources such as the US retail sector. When implemented as a part of the initial development (for ease of implementation versus retrofitting at a later date), data security offers increased protection to known and unknown sensitive data found within advanced technology environments like cloud, containers, Big Data and IoT. Retail organizations should consider moving beyond compliance and adopting security tools such as encryption or tokenization.


— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
