Small Retailers Lack Basic Security

Sue Marquette Poremba

With all the talk about the Target breach, and now Neiman Marcus revealing one too, this new research from Fortinet is very timely. According to its survey of 100 small to midsize business (SMB) retail organizations, one in five retailers is not Payment Card Industry Data Security Standard (PCI DSS) compliant, and 14 percent have no idea whether or not they are.

It gets worse, as the Wall Street Journal pointed out:

Additionally, more than half (55 percent) of surveyed retailers are unaware of their state's security breach requirements, while 40 percent lack any established policy adhering to those requirements. This gap creates the potential for regulatory compliance violations if data is compromised, resulting in loss of customer data, financial penalties, litigation and damage to brand and reputation.


When I first heard about the Neiman Marcus breach, the newscaster seemed surprised at the gap between when the breach happened and when the information was released. I am going to assume newscasters also don't understand state security breach requirements (nor do they understand just how quickly Target got the news out to its customers). To me, what this survey shows is the importance of creating a national breach disclosure law, so that everyone is on the same page and the confusion caused by differing individual state requirements is reduced.

The survey also investigates SMB retailers' knowledge of retail Wi-Fi location-based analytics products and how Wi-Fi security is handled. The results of these questions are a little more favorable: the retailers understand the importance of security, and the vast majority deploy security protections for customers and employees. But there is still room to grow, as the Wall Street Journal stated:

Meanwhile, many SMB retailers are lax when it comes to disposing of sensitive data – a shortcoming that potentially exposes consumer information to identity thieves. While almost three fifths (59 percent) of SMB retailers said they have a data disposal policy in place, 29 percent lack any established data disposal plan, while 12 percent are completely unaware of their organization's data disposal policy.

I hope the recent high-profile breaches act as a red flag for SMBs, showing the need for better security efforts to protect customer data. I admit, though, that an overwhelming (and false) belief exists among SMBs that breaches only happen to big corporations. I'm not sure how we can stress to SMBs that if you hold data of any kind that has financial value to a cybercriminal, they will find a way to steal it. SMBs are as much a target as, well, Target.

Jan 14, 2014 7:29 AM Kat says:
Good article Sue. Businesses do not have the level of protection a consumer enjoys and their accounts are a higher risk. Any small to midsize company is at risk for a targeted spear-phishing attack as the most usual attack venue. Security starts with knowing your risks and taking action to avoid these risks. A good program like Kevin Mitnick's from Knowbe4.com can help companies handle security awareness training as a first step to defense in depth, as users are the most vulnerable point.
Jan 15, 2014 4:45 AM Rachael Bateson says:
This is oh so true on this side of the pond as well... and the SMBs don't realise they are at risk and have the least chance of recovery in the event of a breach...
