With all the talk about the Target breach and now Neiman Marcus revealing one too, this new research from Fortinet is very timely. According to the survey of 100 small to midsize business (SMB) retail organizations, one in five retailers is not Payment Card Industry Data Security Standard (PCI DSS) compliant. And 14 percent have no idea whether or not they are PCI compliant.
It gets worse, as the Wall Street Journal pointed out:
Additionally, more than half (55 percent) of surveyed retailers are unaware of their state's security breach requirements, while 40 percent lack any established policy adhering to those requirements. This gap creates the potential for regulatory compliance violations if data is compromised, resulting in loss of customer data, financial penalties, litigation and damage to brand and reputation.
When I first heard about the Neiman Marcus breach, the newscaster seemed surprised at the gap between when the breach happened and when the information was released. I am going to assume newscasters also don’t understand state security breach requirements (nor do they understand just how quickly Target got the news out to its customers). To me, what this survey shows is the importance of creating a national breach disclosure law, so that everyone is on the same page and the confusion caused by differing individual state requirements is reduced.
The survey also investigates the SMB retailers’ knowledge of retail Wi-Fi location-based analytics products and how Wi-Fi security is handled. The results of these questions are a little more favorable. The retailers understand the importance of security, and the vast majority deploy security protections for customers and employees. But there is still room to grow, as the Wall Street Journal stated:
Meanwhile, many SMB retailers are lax when it comes to disposing of sensitive data, a shortcoming that potentially exposes consumer information to identity thieves. While almost three fifths (59 percent) of SMB retailers said they have a data disposal policy in place, 29 percent lack any established data disposal plan, while 12 percent are completely unaware of their organization's data disposal policy.
I hope the recent high-profile breaches act as a red flag for SMBs, showing the need for better security efforts to protect customer data. I admit, though, that an overwhelming (and false) belief exists among SMBs that breaches only happen to big corporations. I’m not sure how we can stress to SMBs that if they hold data of any kind that has financial value to a cybercriminal, someone will find a way to steal it. SMBs are as much a target as, well, Target.