Digital Transactions Authoritative, insightful and timely information for payments professionals
With data breaches continuing to plague the payments business, and with major incidents like that of Target Corp. still fresh in the minds of payments professionals, you might think retailers would be cautious these days about their ability to ward off attackers.
Not so, according to survey data released Tuesday by Tripwire Inc., a Portland, Ore.-based vendor of security and compliance software. The company, which canvassed more than 200 information-technology professionals working for retail organizations large and small, found merchants’ security confidence rising remarkably in the two years since a similar survey in 2014.
Asked how fast they could detect a breach occurring on so-called critical systems, some 75% of the retail security pros said they could do it within 48 hours. Two years ago, in the wake of the highly publicized Target breach, just 42% said they could do it that quickly. The proportion of respondents who said they have no confidence they could detect a breach quickly has shrunk from 20% to 5%, according to the Tripwire data.
Yet other results of the survey seem to belie this increasing level of confidence. One-third of the respondents said they have sustained an incident where personally identifiable information was stolen or accessed by hackers, up from 14% two years ago,
Moreover, 59% reported they had only “partially” or “marginally” deployed breach-detection products. These were defined for the survey as anti-virus software, intrusion-detection systems, malware detection, white listing, and file-integrity monitoring. The same proportion reported partial or marginal integration in 2014. This year, some 2% said they had not integrated such products at all, an improvement from 8%.
Such results indicate a disconnect in merchants’ thinking about security, Tripwire says. “The increase in confidence connected with speed of breach detection is particularly surprising, especially in combination with partial implementation of detection tools,” Tim Erlin, director of IT security and risk strategy at the company, said in a statement. “Together these results indicate while retail organizations might feel better about their cyber-security capabilities, there’s still a long way to go to close the gap between initial compromise and detection.”
There were 523 “security incidents” in the retail sector in 2015, according to the latest Data Breach Investigations Report released by Verizon. Of these, 164 involved a confirmed loss of data.
Tripwire’s survey was conducted for the company by Dimensional Research.
