Retailers far behind tech firms in IT security spending

Seeing what is happening to their customers and feeling the heat from possible threats, technology companies are increasing spending on security for their own systems, according to a survey of chief financial officers. Meanwhile, incentives to spend big on security are still in short supply for retailers and other private companies.

According to the annual 2015 BDO Technology Outlook Survey, which sourced its information from 100 U.S. technology CFOs, 67 percent of respondents have increased spending on cybersecurity measures in the past year. Of those, 90 percent have implemented new software security tools, 72 percent have created a formal response plan for security breaches, 48 percent turned to an external security consultant, and 30 percent hired a chief security officer.

"The threat assessments of likely cyberthreats from unknown entities is causing the tech industry to be on high alert," said Aftab Jamil, partner and leader of the Technology and Life Sciences Practice at BDO USA, LLP, in a statement. "In addition to navigating everyday business challenges—both domestically and internationally, managing operations and maintaining compliance with regulatory requirements—U.S. companies will also need to implement or enhance their data privacy initiatives to mitigate any risks or vulnerabilities to their IT infrastructures, particularly with cyber capabilities evolving at rapid speed."

CFOs at technology companies may have a greater degree of awareness about cybersecurity, wrote Steven Norton in CIO Journal, a news and information service of the Wall Street Journal. These CFOs are taking a more active role in managing cybersecurity, the findings suggest. "Following a number of high-profile breaches, security has become a priority for more members of the C-suite and board of directors, and has spurred a flood of new security tools and personnel," Norton wrote.

Meanwhile at retail companies, the financial incentives to spend on information security are low, even following high-profile breaches, wrote Benjamin Dean in The Conversation.

"The actual expenses from the recent and high-profile breaches at Sony, Target and Home Depot amount to less than 1 percent of each company's annual revenues. After reimbursement from insurance and minus tax deductions, the losses are even less," wrote Dean, a fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University. As a result, there is less pressure on retailers to spend big on security than technology CFOs might think.

For example, the Target breach in late 2013 involved 40 million credit and debit card records, in addition to 70 million other records, such as addresses and phone numbers, Dean said. However, in recent financial statements, Target reported that the gross expenses from the breach were $252 million, which was reduced to $162 million after insurance reimbursement, and then $105 million in net losses after tax deductions.

"This is the equivalent of 0.1 percent of 2014 sales," Dean wrote.

Home Depot's breach last year resulted in the theft of 56 million credit and debit card numbers and 53 million email addresses.

"The net expenses incurred by Home Depot ended up at $28 million following an insurance reimbursement of $15 million. This represents less than 0.01 percent of Home Depot's sales for 2014," Dean added.

"These numbers suggest that we have a market failure relating to asymmetric information, which results in the problem of 'moral hazard' for private companies in the area of information security. Moral hazard occurs when one person or organization takes greater risks because others bear the burden or costs of those risks... It therefore does not make economic sense for companies like Home Depot to make large investments in information security. As a result, they do not. The insurance payouts and tax deductible breach-related expenses weaken the incentives even more."

Dean went on to note that while there is a strong case to be made for government intervention, current initiatives encourage private businesses to share their information more freely with entities in the public sector. "Information security experts widely agree this will not significantly reduce data breaches," Dean wrote. "Improving information security should fundamentally involve securing information, yet all the current proposals involve greater information sharing with intelligence agencies.

"If we don't identify and address these contradictions, we run the risk of creating something much worse than the current information security problem. The latest slew of government proposals raise more questions than answers regarding information security—and they are very concerning questions indeed."

Dean's points, though well taken, may not reflect the current state of IT spending on security. Observers pointed out that recent research studies have shown an uptick in retail IT spending, particularly in the area of data security. For instance, IHL has reported that the overall IT spending in the United States will see a year-over-year rise of 5.7 percent in 2015, driven by investments in payment systems and data security, among other things, as noted in a Retail Solutions article published in September of 2014.

For more:
- See this BDO USA, LLP press release
- See this CIO Journal blog post
- See this article in The Conversation
- See this Retail Solutions article
