Retailers still unprepared for security breaches

The results of a new data security survey of U.S. businesses should not be surprising, but they are certainly alarming, and a new information technology executive survey highlights just how unprepared retailers still are.

High-profile data breaches such as Target (NYSE:TGT) and P.F. Chang's have been in the news since the start of the year, but IT executives said their companies' data is still not secure.

Even though 72 percent of IT executives say their companies suffered a data breach in the past 12 months, only 51 percent say securing confidential data is a high priority, according to a new Ponemon Institute report commissioned by Informatica.

In related news, 35 percent of U.K. banks and retailers said it would take as long as two to three days to detect a breach on their systems, according to a new Tripwire study. Twenty-four percent of those studied have already suffered a data breach where personally identifiable information (PII) was stolen or accessed by intruders. In addition, 36 percent of respondents do not have confidence in their companies' incident response plan.

"I always say that trust is not a control, and hope is not a strategy," said Dwayne Melancon, CTO for Tripwire. "Unfortunately, this data suggests that a lot of retailers are far too hopeful about their own cybersecurity capabilities. Despite ample historical evidence that most breaches go undiscovered for months, there is clearly a significant disconnect between perception and reality, even though the repercussions for failing to meet the required level of rigor around cybersecurity have led to the recent removal of retail executives and board members."

Roughly 70 percent of respondents said that the recent Target breach has affected the level of attention executives give to security in their organizations. But this doesn't extend to online-only retailers, who were less concerned with the Target breach; only 57 percent said it has increased the level of executive attention.

Shockingly, 26 percent of respondents don't evaluate the security of business partners, such as HVAC contractors who were implicated in the Target breach.

In the Ponemon study, among respondents whose companies suffered breaches, 58 percent said that the incident could have been avoided with more effective security technologies and 57 percent said they wished they had had more skilled personnel with data security responsibilities.

In addition, nearly 60 percent of retail respondents said that not knowing where sensitive data is located within their companies "keeps me up at night." "The majority of respondents agree that not knowing the location of data poses a serious security threat. Clearly, the time is ripe for a wider adoption of the technologies and expertise to make data-centric security an enterprise priority," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement.

Many retailers' sensitive data is not secure because too many employees can access it, Julie Lockner, Informatica's VP of marketing and business development, told Internet Retailer. "Those decisions are made outside of IT and IT might not even know about it," she says. "And once it's out there, getting it under control is like herding cats."

*An earlier version of this story originally appeared in FierceRetail's sister publication FierceRetailIT
