Study finds Majority of Retailers Lack Fully Tested Breach Response Plan
Ever wondered how prepared retailers are to deal with a cyber attack?
In an effort to answer that question, Tripwire surveyed IT security professionals working in retail organizations about their experiences and attitudes towards factors affecting IT security. The results found that a large majority are not fully prepared for data breaches. Worrying signs especially with the festive shopping period upon us.
Of the respondents, only 28 percent of respondents said they have a fully tested plan in place in the event of a security breach. Twenty-one percent said their organization doesn’t have a plan at all, and the same proportion of respondents said they didn’t have the means to notify customers of a data breach within 72 hours, a requirement specified by the General Data Protection Regulation (GDPR).
“Considering the amount of high-profile data breaches that have occurred recently, plus the continued discussion around GDPR, it is surprising and concerning that many retailers do not have a tested plan in the event of a security breach,” said Tim Erlin, vice president of product management and strategy at Tripwire. “It’s encouraging that most respondents think they can meet the 72-hour notification window as set out in the upcoming GDPR, but if they haven’t tested their plans, I don’t know how confident they should be in that assumption.”
Only a small minority of the retail industry felt fully secure in their incident response capabilities. Twenty-three percent of respondents said they were “fully prepared” to absorb potential financial penalties. Even fewer professionals (15 percent) said they were fully prepared to manage customer and press communications following an incident.
Not all the survey’s findings were discouraging, however. The results did provide some hope that the industry is moving in the right direction. More than half of respondents (57 percent) said that their organization’s ability to detect and respond to a security breach has improved in the past year and a half.
“It’s really critical that organizations have a good view of what’s on their network at all times, that they harden their systems with secure configuration and vulnerability management, and that they are able to continuously monitor for change and are alerted to any drift outside the established security and compliance policies,” said Erlin.
There are a number of effective and established security control frameworks available to guide organizations, such as the CIS Critical Security Controls. Implementing even the most basic security controls can go a long way in improving an organization’s security posture.