Are retailers overconfident when it comes to cybersecurity?

When asked how quickly their organizations would detect a data breach, 42 percent of retailers in a recent survey believed it would take 48 hours. Another 18 percent said 72 hours, and 11 percent believed it would take a week. Yet industry research indicates most breaches go undiscovered for weeks, months or even longer.

That’s at least according to the sponsor of the study, Tripwire, a provider of security solutions. In a statement, its chief technology officer, Dwayne Melancon, said the survey data "suggests that a lot of retailers are far too hopeful about their own cybersecurity capabilities."

The survey of 154 retailers conducted by Dimensional Research further found that 35 percent of respondents were "very confident," while 47 percent were "somewhat confident" that their security controls could detect rogue applications such as those used to exfiltrate data during data breaches.

But much more concern was detailed in several cybersecurity surveys Tripwire provided:

  • The Mandiant 2014 Threat Report indicated that the average time required to detect breaches was 229 days. The same report also found that the number of firms that detected their own breaches dropped from 37 percent in 2012 to 33 percent in 2013.
  • The 2014 Verizon Data Breach Investigations Report indicated that 85 percent of point-of-sale intrusions took weeks to discover, and 43 percent of web application attacks took months to detect.
  • The 2014 Trustwave Global Security Report revealed that retail is the top target for cybercriminals, comprising 35 percent of the attacks studied.

[Chart: Tripwire data breach survey]

The retailer survey did find that 70 percent of respondents said that the recent Target breach had affected the level of attention executives give to security in their organizations.

The findings come as another new survey of 750 consumers sponsored by Brunswick Group, a corporate communications firm, found 61 percent of consumers hold retailers responsible for data breaches, not far from the blame placed on criminals (79 percent). Only 34 percent blamed the banks that issue debit and credit cards. About a third (34 percent) said they no longer shop at a specific retailer due to a past data breach issue.

BrainTrust Discussion Questions

Are retailers overconfident about their risk levels when it comes to security breaches? What lessons do you think retailers have learned from major breaches that have been made public over the past couple of years?

14 Comments

Dick Seesel
9 years ago

The ability of retailers to patrol their cyber-borders has been called into question by the Target data breach and many similar incidents. The bad guys seem to have the skill and speed to breach whatever boundaries are put in their paths by the most skilled IT teams. So, yes—overconfidence is a problem, especially when measured against consumers’ lack of faith about the same issue.

As to lessons learned? I would focus on faster reaction time to a data breach, as well as a more aggressive approach to a systemic and preventive solution. This may not solve 100 percent of the data breaches but will hopefully cut down on their frequency or severity.

Nikki Baird
9 years ago

They are definitely overconfident, and the problem is not an IT issue, but a corporate governance issue. In the omni-channel strategy survey we are in the process of analyzing (due out in August), a depressing two percent of retailers who responded to the survey said that consumer data security was a challenge for them. Sure, it’s on the IT guy to make systems secure, but the Target breach wasn’t just a tech hack. It was phishing and all kinds of fun and games that took in business users, not ITers. It takes a community—a community of engaged people who take the issue seriously—to protect customer data.

Ryan Mathews
9 years ago

Of course they are overconfident. If they were more paranoid there would be fewer breaches in the first place.

As to lessons learned, I’m afraid I don’t see much progress. The migration to the digital age means retailers will have to assemble a whole new set of skills and maybe, in some cases, new HR requirements. It may be time for retailers to do what governments do—hire hackers to protect them from other hackers.

These breaches are serious and massively disruptive. And this is an area where the bad guys are clearly ahead; a new crop is raised seemingly every day.

David Livingston
9 years ago

Lesson number one, don’t make it public. We see the problems Target had by making it public information. Consumers were alarmed, jobs lost and there were considerable expenses incurred to repair it. It makes for terrible public relations. Were consumers harmed? Not really; more alarmed than harmed. In my opinion all retailers have been breached and we only hear about a very small fraction. As a consumer, we need to take personal responsibility in locking up our credit. Just like when we lock our doors at the big box parking lot, we need to lock up our credit so no one can peek inside.

Ian Percy
9 years ago

In truth, they haven’t learned much. To put it bluntly: “It’s the software, stupid!”

Weinberg’s Second Law states, “If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.” Eugene Spafford, a noted computer security expert, said that “Instead of building secure systems, we are getting further and further away from solid construction by putting layer upon layer on top of these systems … The idea is for vendors to push things out rather than get things right the first time.”

Fewer than 20 percent of organizations have any plan to deal with the pathetic performance and vulnerability of faulty software. Roger Sessions, the complexity theorist, says this is an annual trillion dollar cost to the US GDP and it’s growing by 15 percent per year. Like having the financial crises over and over again, getting worse each time.

Still, most people think that this is part of the divine order. That nothing can be done about the software that is “eating our world” (which is how entrepreneur and investor Marc Andreessen describes it). Consumer privacy and retailers’ cyber security can be secured ONLY on the foundation of fault-free software.

Instead of assuming that fault-free software is an impossibility, readers might want to take a look at this just-published article from the Information and Privacy Commission of the Government of Ontario, Canada. It’s titled: “A New Possibility for Security and Privacy by Design: Fault-Free Software.”

Jason Goldberg
9 years ago

The respondents to that survey are way too overconfident. But I wonder who the respondents were, and what their role was in the retail organizations. Tripwire doesn’t seem to tell us who they are surveying.

If you think you’re discovering a breach in 48 hours, you’re basically saying you’ll catch any breach proactively, because sites are almost always breached weeks or months before the first theft occurs.

Over 91 percent of all public retailers list breaches as a business risk factor in their 10K disclosures, and more than 50 percent of retailers call that risk significant.

I talk to a significant number of retail c-suite executives in my daily work, and my own impression is that there is HUGE sensitivity and caution around security. In many retail organizations it’s literally changing the pace of innovation, as retailers are evaluating the security implications of all new initiatives (causing them to proceed much more cautiously).

Ed Rosenbaum
9 years ago

If it takes 48-to-72 hours at the minimum to detect a serious security breach, we are in a load of trouble. Can you imagine how much the cyber crooks will have amassed in that length of time?

Bill Davis
9 years ago

The majority of retailers are overconfident about their abilities to determine security breaches. When a major breach like the one that impacted Target over the holidays is discovered, many retailers might do a check to see if a similar issue is impacting them, but pretty quickly it is business as usual, so I would suggest the majority haven’t really taken these lessons to heart yet.

Gordon Arnold
9 years ago

I am educated, certified and experienced in IT auditing for systems security, business continuity and disaster recovery. Having performed a large number of audits and seeing firsthand how many companies are ill-prepared in any of the mentioned criteria, I can assure you it is quite a mess in the general business world. Owners and executives totally rely on the IT department heads and they in turn rely on the vendors for assurances. The result is what we are reading about today, with massive data breaches happening at an alarming pace. The losses are largely falling to banks and insurance companies that are still suffering from the mortgage loan crisis. As time goes by with little or no resolution to curtail these issues, the potential for another economic disaster is going from risks to assurances.

Mark Burr
9 years ago

I do not believe that retailers, of course dependent upon size, are overconfident. I believe they are more likely overwhelmed, outnumbered and doing the best they can against an army attempting to overrun them at the rate of thousands of attempts per second.

Sure, have there been lessons learned from major breaches? Of course. However, those paths are closed for now for anyone that is minimally on top of their security.

Retailers can learn, improve, and create barriers, however, those they are facing are far larger and far more intent on getting in than retailers can protect against at their level of resources.

No system, payment system, or network is impenetrable. It is a matter of determination. That would be a better question. Are retailers more determined to protect themselves from risk than the army of those attempting to beat them?

The answer so far is obvious. Nevertheless, it is also naive to think major retailers aren’t trying to fight. They are simply up against a greater army than their resources can possibly fight against. It is a security war that will never end, and the tactics will continuously change faster than retailers can discover and protect against them.

Shep Hyken
9 years ago

I think retailers know that this is a hot topic, and recognize that it is a fight that they will have to always fight. Let customers know you take preventative measures. Enlist companies like AllClearID to insure customers against identity theft in the case of a breach. In other words, be proactive.

Lee Kent
9 years ago

We’ve all grown up with Mission Impossible or some other high-tech espionage enough to be reminded that there are bad guys, and even some good guys, who WILL find a way in.

My mind is telling me that it is time to step into the 22nd Century and stop thinking about how thick the walls are, how monitored the pipe is, etc. Encryption? We’ve seen enough TV to know that someone can break the code and sometimes we are even rooting for it. 😉

No, let’s start thinking about how we make sure that all the critical data pieces that anyone would be after are NEVER in the same place at the same time. Each little puzzle piece is its own bundle, never transmitted in the same order.

Ok, I am not a master mind in this area, but you catch my drift, don’t you? Technology is there for the taking and there is a 22nd Century answer that CAN be found in the 21st Century. I’ll bet my 2 cents on it!

Cathy Hotka
9 years ago

This is a problem that retail companies can fix only one way—by outsourcing their data assurance programs to experts who do this all day. Target was anything but lackadaisical when it came to security, and look what happened there. If retail companies don’t want their CEOs testifying before Congress about their next breach, they should turn their security concerns over to a company that handles zero-day exploits for a living.

I’ll be concentrating on this in the next few quarters; watch for more soon.

Verlin Youd
9 years ago

The simple answer is yes, retailers are indeed overconfident when it comes to risk levels, preparedness, and ability to discover security breaches, let alone address them proactively in order to minimize negative results.

There are many reasons for this, including complete lack of real cyber security education both within retailers as well as within institutions that train retail professionals. Some technical education is available for IT personnel, however, today’s as well as tomorrow’s retail leaders need an education in cyber security just as they need an education in merchandising, leadership, buying, store operations, financial analysis, etc.

I am afraid that the motivation to drive such education will not materialize until we have several more high-exposure and high-impact incidents.