Security

Retailers Are Facing an IT Complexity Problem, New Research Finds

IT leaders say that increased visibility across the business would improve their security efforts.

Twitter

Lily is a Senior Editor at BizTech Magazine. She follows tech trends and the IT leaders who shape them — reporting on entrepreneurial business, security and thought leadership.

Retailers have long been a target for cyberattacks, whether through supply chain breaches or point-of-sale hacks. They also handle billions of dollars a day and are tasked with keeping consumer credit card data safe. To combat threats, 68 percent of these organizations operate between 10 and 49 security tools or platforms, according to the 2024 CDW Cybersecurity Research Report.

The report surveyed 97 IT decision-makers and influencers from U.S. retailers. Many respondents noted the difficulties in managing this many tech tools and said that simply creating more visibility into their enterprise’s IT system would help improve their cyber resilience.

Click the banner below to read the 2024 CDW Cybersecurity Research Report.

One respondent said the biggest challenge is “disparate systems, some of which are legacy, that impede the deployment of systemic cybersecurity measures.”

Another cited “the complexity of IT environments, the rapid evolution of cyberthreats, limited resources for cybersecurity, and the need to comply with various regulations and standards.”

Solutions such as security information and event management, threat hunting, incident response, multifactor authentication and next-generation firewalls were some of the most used tools, but less than 50 percent of respondents were very confident that these did enough to bolster their cybersecurity initiatives.

Instead, leaders favored wider-scale defenses such as network security and data security, which enable retailers to improve connections across the enterprise rather than solving one vulnerability at a time through patch management, for example.

With data reaching every endpoint, this approach is likely the next phase in zero trust and cybersecurity. “I think it will be mostly around data protection and data security, data governance, and ensuring that data is appropriately identified, classified and that the appropriate guardrails are put in place,” says Stephanie Hagopian, vice president of security for CDW.

Operational downtime can cost $100 million-plus a week in some scenarios.”

Buck Bell Director, Global Security Strategy Office, CDW

Retailers Want More Visibility Into Their IT Systems

Retail respondents who were the most confident about their cybersecurity efforts had greater visibility into their IT systems. That’s no surprise, since seeing fault lines between integrations, network connection points or Internet of Things devices can help teams remediate threats before they escalate.

Respondents agreed that being able to visualize possible security gaps in the system increased preparedness. Respondents also said that Software as a Service helped them achieve that visual picture, with 66 percent calling it their top choice for procuring new IT tools and services.

For Buck Bell, leader of CDW’s Global Security Strategy Office, visualizing the entire IT system is critical because cybersecurity touches on all aspects of the organization. “The more holistic your view of the enterprise as a whole — not only the specific cyber risk itself but also the business impacts that are associated with it — typically, the more successful you’re going to be in your cyber resilience aims. From my perspective, cyber risk is business risk.”

42%

The percentage of surveyed retail IT leaders who feel “somewhat” prepared to respond to a cybersecurity incident

Source: 2024 CDW Cybersecurity Research Report

Getting to the Root of Cyber Incidents

Too often, IT leaders experience problems but fail to understand the root cause, the report reveals. Whether about IoT connectivity or artificial intelligence, this lack of understanding can also cut into a clear strategy for cyber resilience.

Retailers need to diagnose the issue before they can fix it, Hagopian explains. They can do that by talking with a tech partner for answers, connecting with peers or retracing the steps of a cyber incident.

Sometimes the culprit is an unlikely one. Take, for example, a new tool that is meant to simplify operations but instead causes disruption. “Various departments are purchasing their own technology and tools, so you have to retrofit that back into the central infrastructure and the centralized tooling that has been approved. And then there’s always shadow IT, where an end user could potentially purchase something in a silo,” Hagopian says.

Focus on Mitigating Risks and Reducing Downtime Costs

Retailers know they need to respond to a cybersecurity incident when it happens, but what about defensive planning? This involves identifying the biggest risk and coming up with a plan to mitigate it, Bell says.

Right now, about 8 in 10 of the retail IT leaders surveyed felt at least somewhat prepared for a cybersecurity incident, even with the challenge of integrating legacy tools. For those who felt less prepared, negative consequences such as the cost of operational downtime and the impact on brand reputation may be bigger motivators than, say, data exfiltration or compliance issues, Bell says.

A quarter of respondents had suffered $5 million to $10 million in downtime to their organization after a data breach in the past five years — and that’s on the lower end. “Operational downtime can cost $100 million-plus a week in some scenarios,” Bell says.

These are the kinds of opportunity costs that linger long after an attack. But even more important is the “basic sense of trust that tends to be compromised when a breach occurs,” Bell says.

Gorodenkoff / Getty Images