The Green Sheet Online Edition
December 12, 2016 • Issue 16:12:01
It's always Cyber Monday for security pros
As retailers brace for the holiday shopping crunch, the 2016 Pre-Holiday Retail Cyber Risk Report, dated Nov. 28, 2016 and published by Bay Dynamics, found that most security specialists take a business-as-usual approach to peak retail season. Findings are based on an independent survey conducted by Osterman Research Inc. of 134 security professionals at U.S. retailers with 2,000 or more employees.
Merchants tend to hire seasonal workers during peak traffic times, which can pose risks to their businesses, survey analysts noted. The survey asked how information technology (IT) professionals share information among permanent, temporary and contracted workers, and about their response mechanisms to perceived cyber intrusions and threats.
Ryan Stolte, co-founder and Chief Technology Officer at Bay Dynamics, said key differences between the 2015 and 2016 reports highlight changing attitudes among leading U.S. retailers. The study shows that many organizations have formalized their approaches to risk management and cybersecurity.
"They view cyber security as a year-round commitment and therefore are limiting access to sensitive information for those workers who do not have their own accounts," Stolte said. "They have more visibility into their employees' actions, especially permanent employees who access highly valued data assets. Cyber security is no longer being put on the back burner, and that's a positive shift."
Security a top concern
In a recent survey of small business owners by cybersecurity firm ControlScan Inc. and the Electronic Transactions Association, 89 percent of respondents said security was a top concern. When asked for three top factors that would confirm they had invested in the right payment technology, the leading response was "improved transaction security," followed by "improved customer experience" and "ease of implementation."
"Historically, small and mid-sized businesses have been singularly focused on cost factors when considering new point-of-sale technologies; things like the customer experience and enhanced security functionality were simply not part of the conversation," said Chris Bucolo, Director of Market Strategy at ControlScan. "But all that's begun to change as consumers become more vocal about what they consider a positive shopping experience."
The most effective way to reduce cyber risks is to focus on the most valued assets and the people who interact with them, Bay Dynamics analysts stated. "Organizations should identify where their most valued assets exist, who accesses them, how they access them and who governs those assets," they wrote. "No matter the types of employee, whether they are permanent, temporary or contractors, only those who must access valued assets to do their jobs should be given access."
Michael Osterman, Principal Analyst with Osterman Research, found improved threat detection and response times among IT and security professionals, compared with previously published findings in the 2015 Pre-Holiday Retail Cyber Risk Report. "Most are patching their systems quickly, monitoring employee behavior more closely and limiting access to sensitive information, but there is definitely still room for improvement," he said.
Following are additional takeaways from the Bay Dynamics report:
- Always-on vigilance: 56 percent of respondents treat security as a year-round event; their degree of vigilance remains constant, with no significant changes during the holiday season.
- Increased employee oversight: 30 percent of IT professionals reported their permanent employees had access to privileged data, up from 7 percent in the 2015 report.
- Limiting access by temporary workers: 64 percent of respondents said they try to restrict temporary workers' access to data. The 36 percent who give them access to their own accounts are doing a better job of monitoring temporary workers.
- Restricting access across the board: 6 percent of IT and security professionals give temporary workers access to personally identifiable information (PII); only 13 percent said contractors can access PII. Findings show retailers are limiting access to their most sensitive data.
Downloadable copies of the 2016 Pre-Holiday Retail Cyber Risk Report and the 2015 Pre-Holiday Retail Risk Report are available at: http://baydynamics.com/resources/2016-pre-holiday-cyber-risk-report/ and https://baydynamics.com/resources/pre-holiday-retail-risk-report/, respectively.