It’s the busiest season of the year for the retail sector, one where more temporary staff come online, more people come in through the door, and more rush puts the pressure on an already difficult job of protecting data. According to a new report, many retailers entered this season with a “false sense of confidence” about their ability to secure sensitive information, when this same report found many gaps in data protection.
According to the Breach Confidence Index, which we discussed recently, 83% of organizations claimed to be “fairly” or “very” confident that their business was secure against a data breach. This contrasts with published statistics showing that almost half of all organizations suffered at least one serious security incident / data breach in the past 12 months. In the Pre-Holiday Retail Risk Report published by Bay Dynamics this month, 80% of retailers rated themselves at 6/7 or 7/7 in terms of being “proactive” in identifying critical assets that must be protected, detecting theft or data leakage and controlling employee access to critical assets. In essence, the majority of retailers believe themselves quite confident in their data protections.
Drilling down into the report, we see how this overconfidence does not match up with reality:
“This highlights a critical problem in the retail industry: much of what employees do from a security perspective is “under the radar” and more or less invisible to IT and security management,” notes the report.
As we discussed before, this overconfidence—this lack of fear—can cause organizations to become complacent in their security preparedness. During the busy holiday season, these already poor security controls are exacerbated by the influx of temporary workers who have likely not undergone a rigorous hiring or training process, particularly when it comes to data security. Given that “people” are at the core of most data breaches, this is a risky situation for retailers.
As is recommended by the Bay Dynamics report, part of the solution lies in understanding the risk that “people” (employees, vendors etc) pose to security and focusing on ways to minimize those threats. At Absolute, we advocate for a “people, process and layered technology” approach, one which emphasizes the need for a data-centric approach to security. Control who has access to what data, train people well, and have technologies in place to automatically alert of suspicious behaviour, such as we provide at Absolute.