Target Practice: Where Retailers Are with Security

By Peter Bernstein, Senior Editor  |  March 17, 2014

It is almost impossible not to be painfully aware of the security challenges facing major retailers. We watched earlier this year as the Target data breach seemed to grow in scope and level of malevolence, and upscale retailer Neiman Marcus revealed it also had been under attack. There is also rampant speculation in the security industry that these revelations are just the tip of the iceberg, and that more large retailers are in the bad guys' cross-hairs.

No retail enterprise of any size is immune from having proprietary customer and transactional data compromised. In fact, as the headline of this article indicates, a new survey from Sunnyvale, Calif.-based security solutions provider Fortinet finds that one in five U.S. small and medium businesses in the retailing sector are not even PCI compliant and lack security fundamentals.

If ever there was a wake-up call for retailing SMBs to take a serious look at becoming better educated and enhancing their security, this is it. The survey also pointed to growing interest in onboarding retail analytics to better understand and assess customer data and buying decisions.

The Fortinet survey – based on interviews with 100 U.S.-based SMB retail organizations with fewer than 1,000 employees – highlights where SMBs stand with regard to compliance regulations, security policies and new technologies that help manage big data and security infrastructure.

Here are some highlights:

• While a majority of retailers are aware of an increasingly complex threat and regulatory environment and are applying best security practices and compliance policies, 22 percent of respondents are not PCI DSS compliant, and an additional 14 percent don’t know if they are PCI compliant or not.

• 55 percent are unaware of their state’s security breach requirements, and 40 percent lack any established policy adhering to those requirements. This creates the potential for regulatory compliance violations.

• The survey also found that many SMBs fail to employ strong security practices, such as policies to enforce password security. Fortinet says this puts them at risk for brute-force attacks, data breaches, and regulatory violations.

It almost goes without saying that if bad actors were to exploit the vulnerabilities of those without strong, never mind basic, security solutions and policies, the damage could be catastrophic. SMBs are hardly in a position to withstand the resulting regulatory fines, litigation, and the damage to their reputations. In fact, on the last point, the prospect of bad reviews going viral should be reason enough to appreciate the old adage that an ounce of prevention is worth a pound of cure.

On the encouraging side of things, the survey did register inquisitiveness about new technologies that provide better customer insights. It found that more than half of SMB retailers are looking to onboard retail analytics to help them understand purchasing trends and customer behavior in the store. Fortinet, based on its solutions portfolio, also inquired about customer interest in next generation security solutions that combine physical and network security capabilities in a single appliance, which could increase visibility, ease management, help retailers be proactive as well as reactive in mitigating risks, and reduce IT costs. On this front, it found a receptive audience, with almost half of respondents saying they are familiar with the technology and either currently use it or plan to do so.

Fortinet delved a little deeper into SMB security issues in the increasingly valuable area of Wi-Fi. Again, the findings are a mix of good news and clear indications that practices need to improve. Findings included:

• 15 percent of retailers offering free guest Wi-Fi fail to enforce any kind of security policy, thereby exposing customers to potential malware while increasing the risk of infection for a retail network that is not properly segmented.

• Encouragingly, 60 percent of SMB retailers have password protections and enforce them regularly.

• Discouragingly, 40 percent don’t require their employees to change their password at least once a year.

• SMB retailers are lax when it comes to disposing of sensitive data – leaving bad actors a way to get at customer proprietary data. 59 percent of those surveyed said they have a data disposal policy in place, 29 percent lack any established data disposal plan, while 12 percent are completely unaware of their organization’s data disposal policy.

There are a few other insights of note from the survey.

• 80 percent of respondents want to see physical security infrastructure, such as video cameras, DVRs, and alarm systems, housed in a single device that also manages network security mechanisms such as firewall, VPN, anti-virus and web application firewall.

• 53 percent said they are managing and maintaining their own security infrastructure on-site.

• 18 percent now also rely on a managed security services provider to augment their security defenses.

• 29 percent want to move more security functions to a third-party managed service provider.

There was also significant interest (59 percent) in retail analytics that can utilize Wi-Fi enabled smartphones to capture shoppers’ data. Of that 59 percent, 75 percent are either actively utilizing these analytics or have a strong interest in them. Interestingly, only 25 percent say they would not use such capabilities because they believe it is an intrusion on their customers’ privacy.

Peter Bernstein is a senior editor at TMCnet, the online entity of INTERNET TELEPHONY magazine parent company TMC.

Edited by Stefania Viscusi