Incidents rise while budgets fall
The volume of detected incidents increased over 2013, but the massive size of several compromises was the real news. While there was a significant jump in incidents attributed to trusted third parties, the fastest-growing sources of security incidents are foreign nation-states, activists/hacktivists, and organized crime. We also found that security budgets fell 15% from 2013 even as risks multiplied.
Data governance is lacking
Some retailers take a compliance-checklist approach to information security without creating a governance framework for the creation, use, storage, and deletion of sensitive data. Strong data governance is essential, and will also demand that companies know where valuable information is stored, manage access, and govern its use by third parties.
An upsurge in third-party threats
Increasingly, cyber criminals are gaining access to retailers' networks and POS systems via third-party vendors and contractors. Despite this, many companies have not taken basic precautions to protect themselves. What's needed is a tiered vendor-management program that assesses, segments, and manages partners based on risks to the business.
New technologies and their risks
Companies continue to embrace technologies to connect with customers, boost operational efficiencies, and facilitate collaboration. But many adopt these technologies, including cloud computing, mobility, BYOD, and social media, before they can secure them. Finally, payment using “digital wallets” is gaining momentum and breach-wary consumers may opt to whip out smartphones rather than payment cards. No electronic payment system is 100% secure, however.
Toward a more strategic approach
Retail and consumer companies seem to be improving certain strategic security practices, yet there remains considerable room for improvement. More businesses recognize the importance of top-down commitment to security, collaboration with others, and cyber insurance. Conversely, implementation of some key safeguards has declined, including aligning information security strategy with business needs, identification of sensitive assets, and employee security awareness and training programs.
The Global State of Information Security® is a registered trademark of International Data Group, Inc.