It almost seems like data breaches at retailers are inevitable. Several retailers have suffered high-profile data breaches so far in 2017, including Arby’s, Saks Fifth Avenue, Brooks Brothers and Kmart. While U.S. retailers report fewer breaches this year than last, many still feel vulnerable, according to a recent survey of retail executives.
Only 19 percent of U.S. retail respondents report being breached in the last year, significantly less than the global average (26 percent), and down from 22 percent the year before, according to the retail edition of the 2017 Thales Data Threat Report survey, which was conducted by 451 Research.
However, the vast majority of retail respondents (88 percent) consider themselves “vulnerable” to data threats, with 19 percent stating they are “very” or “extremely” vulnerable (though that figure is down from 39 percent in last year’s report).
Retailers can defend against or mitigate data breaches by encrypting data, setting up strong backup and recovery solutions, and working with outside partners to secure data or store it in the cloud.
The Security Picture for U.S. Retailers
Despite the drop in reported data breaches, the survey found that U.S. retailers may be failing to learn from past mistakes, since more than half (11 percent) of the 19 percent that were breached this year also experienced a breach previously.
“These distressing breach rates serve as stark proof that data on any system can be attacked and compromised,” Garrett Bekker, principal analyst for information security at 451 Research, says in a statement. “Unfortunately, organizations keep spending on the same security solutions that worked for them in the past, but aren’t necessarily the most effective at stopping modern breaches.”
IT security is clearly top of mind for U.S. retailers, as 77 percent of U.S. retail organizations are increasing IT security spending (up from 61 percent last year), the survey found.
However, Thales argues that retailers aren’t concentrating spending where it will make the most difference. The survey notes that 88 percent of respondents say network security is “very” or “extremely” effective at protecting data from breaches, but Thales argues that network security fails to keep out attackers and can’t protect data that is increasingly stored in the cloud.
U.S. retailers also are investing in technologies that have worked in the past, the report notes, with planned spending increases on network defenses (67 percent) and endpoint protection (63 percent). Data-at-rest approaches, which have proven to be effective at protecting the data itself, came in second from last (49 percent) in terms of retailer security spending priorities, according to the report.
While retailers are putting more sensitive data into technologies such as cloud and IoT environments — 95 percent of U.S. retail organizations plan to do so this year — a majority (53 percent) of respondents believe that sensitive data use is happening in these environments without proper security in place.
In terms of data security tools U.S. retailers plan to implement this year, cloud access security brokers (CASBs) top the list at 42 percent. A CASB is a software tool that sits between an organization’s on-premises infrastructure and a cloud provider’s infrastructure, TechTarget notes. CASBs serve as gatekeepers, “allowing the organization to extend the reach of their security policies beyond their own infrastructure,” the site reports.
CASB software edged out encryption with bring-your-own-key (BYOK), which 40 percent of U.S. retailers plan to deploy. Under BYOK, users hold the encryption keys for their own cloud data, CIO notes. Additionally, 39 percent of retailers plan to adopt multifactor authorization.
How to Guard Against Data Breaches
Thales says traditional network and endpoint security are no longer sufficient for retailers, since so much data is being put into the cloud. Retailers should create a disaster recovery plan and back up all sensitive data in multiple locations so they can recover any lost information, Cisco Systems notes in a post.
The report recommends several steps for retailers to take:
- Look for data security toolsets “that offer services-based deployments, platforms and automation that reduce usage and deployment complexity for an additional layer of protection for data.”
- Retailers also should “consider moving beyond compliance and adopting security tools such as encryption or tokenization that may be more appropriate as new technologies like cloud, IoT and containers are increasingly adopted.”
- Encryption needs to move beyond laptops and desktops and include mobile devices, cloud environments, sensitive servers and containers.
- For data in the cloud, Thales recommends retailers encrypt and manage keys locally and use BYOK.
- To secure Big Data, retailers should “employ discovery as a complement to encryption and access control within” Big Data environments.
- Retailers should “encrypt and control access to data both within containers and underlying data storage locations.”
- For IoT data, retailers should “secure device ID and authentication, as well as encryption of data at rest on devices, back end systems and in transit to limit data threats.”