Network security can fail first with retailers' own employees
As the holiday shopping season unfolds, merchants and consumers alike may fear the "unknown" of cyber attacks, envisioning a Target- or Home Depot-type breach.
But whether or not retailers are properly guarding their payment hardware and their in-store networks, a bigger issue might just be the workers who have access to retail organizations' data — including both regular staff and temporary holiday workers.
The number of permanent employees who accessed or sent sensitive data they should not have increased sharply to 30% in 2016 from 7% in 2015, according to IT and security professionals surveyed for Bay Dynamics' pre-holiday retail cyber risk report.
Fraud prevention technology provider Bay Dynamics surveyed 134 IT and security professionals at U.S. retail companies with more than 2,000 employees in October. Osterman Research conducted the survey.
In addition to knowing that sensitive data is being exposed, more security professionals are aware of employees who have access to such data. Last year, 14% said they were not sure if their employees sent data they should not have, but that number fell to 5% this year.
The majority of security professionals, at 64%, said they do not give temporary workers their own accounts, thus blocking access to sensitive data. The 36% who do allow temporary workers access to an account say they monitor the work of those employees more closely. Only 12% of survey respondents said they have no visibility into what their temporary workers are doing on the network.
Still, only 6% of security professionals say their temporary workers have access to personally identifiable information, and only 13% say their contractors can access that type of information.
“When comparing the 2015 retail cyber risk report to today’s, the data shows a significant improvement in how retail organizations are prioritizing cyber risk and security,” Ryan Stolte, co-founder and CTO at Bay Dynamics, stated in a release about the report.
“They view cyber security as a year-round commitment and therefore are limiting access to sensitive information for those workers who do not have their own accounts. They have more visibility into their employees’ actions, especially permanent employees who access highly valued data assets. Cyber security is no longer being put on the back burner and that’s a positive shift.”
With cyber security being viewed as a year-round commitment, IT departments are addressing vulnerabilities in a retail network more quickly, the report said. Almost 60% of those responsible for security said they patch a vulnerability within 48 hours of discovering it.
Companies are becoming more aware of security needs, but the majority still provide training for employees only once a year — with 27% doing it when an employee joins the company, and 34% scheduling it annually. Ten percent said they provide security training once a year before the holidays, while 8% said training takes place after a security problem has already occurred.