Based on findings from an independent U.S.-based survey of 100 SMB retail organizations with less than 1,000 employees, the survey revealed that a majority of retailers are aware of an increasingly complex threat and regulatory environment and are applying best security practices and compliance policies to keep safe. However, more than one in five retailers (22 percent) are not PCI DSS compliant, and an additional 14 percent don’t know if they are PCI compliant or not.
Additionally, more than half (55 percent) of surveyed retailers are unaware of their state’s security breach requirements, while 40 percent lack any established policy adhering to those requirements. This gap creates the potential for regulatory compliance violations if data is compromised, resulting in loss of customer data, financial penalties, litigation and damage to brand and reputation.
Further survey results show that many SMBs fail to employ strong security practices, such as policies to enforce password security, which puts them at risk for brute-force attacks, data breaches and regulatory violations.
With regards to looking ahead at new and innovative technologies, more than half of SMB retailers are looking to onboard retail analytics to help them understand purchasing trends and customer behavior in the store. And with an eye towards IT consolidation and cost reduction, a vast majority of SMB retailers would be interested in products that are able to combine both physical and network security functions in a single appliance.
Security improving, but holes exist
Fundamental security best practices continue to represent another major challenge for SMB retailers. Consumers may want to think twice about jumping on a free public wireless network. According to the survey, 15 percent of retailers offering free guest Wi-Fi fail to enforce any kind of security policy, such as blocking unacceptable content, malicious Websites or malware. This is a deficiency that exposes guests to potential malware, while increasing the risk of infection for a retail network that is not properly segmented.
Optimistically, 60 percent of SMB retailers have password protections and enforce them regularly. However, 40 percent of retailers don’t require their employees to change their password at least once a year, which dramatically increases their risk of data loss.
Meanwhile, many SMB retailers are lax when it comes to disposing sensitive data – a shortcoming that potentially exposes consumer information to identity thieves. While almost three fifths (59 percent) of SMB retailers said they have a data disposal policy in place, 29 percent lack any established data disposal plan, while 12 percent are completely unaware of their organization’s data disposal policy.
Retailers consider new ways to manage security, customer data
The survey indicated that SMB retailers are looking at new ways to streamline multiple security solutions to reduce costs and simplify management.
Congruent with consolidation trends, 80 percent of retailers want to see physical security infrastructure, such as video cameras, DVRs, and alarm systems, housed in a single device that also manages network security mechanisms such as firewall, VPN, anti-virus and Web application firewall.
Managing security is also changing. 53 percent of retailers said they are managing and maintaining their own security infrastructure on-site. However, 18 percent of retailers are now also relying on a managed security services provider (MSSP) to augment their security defenses, while another 29 percent are looking to move more security functions to a third party managed service provider.
Like many other industries, retailers are exploring the opportunities around retail analytics in order to better understand, assess and influence visitor behavior and directly target customers with promotions and deals. A significant majority (59 percent) of respondents state that they are familiar with retail analytics that can utilize Wi-Fi enabled smartphones to capture shoppers’ data. Of that 59 percent, 75 percent of respondents are either actively utilizing these analytics solutions or have a strong interest in them. Only a remaining 25 percent say that they are reluctant to use this type of technology out of respect for their customers’ privacy.
The survey also indicated that SMB retailers would be more likely to consider retail analytics if they were more knowledgeable about the technology. Of the 41 percent that said they are unfamiliar with retail analytics, almost half (49 percent) express that they would like to someday use the technology.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.