Why retailers bear the brunt of security breaches

One security-ratings firm says breaches are often retailers’ own fault for not dealing with security proactively.

[Photo: REUTERS/Kevin Lamarque]

Whenever you hear about a high-profile security breach these days, the immediate assumption is that another giant retailer has been compromised. Target, Michaels Stores, Neiman Marcus, P.F. Chang’s, Goodwill Industries… the list of retailers plagued with massive, hugely expensive, confidence-killing security problems keeps growing and growing.

Reactive retailers have to take more responsibility

But why do retailers get hit so hard while other industries skate by untouched? Retail execs defend their security practices, but Stephen Boyer, founder and CTO of security ratings firm BitSight Technologies, says it’s often their own fault. “At BitSight, our data shows that detection and response capabilities in retail, as a whole, are not on par with other industries,” Boyer told me in an email. “Attackers are learning that retail has largely been reactive in its security strategy and does not take precautions to prevent a breach until after an incident has occurred. You may recall that it wasn't until after Target and Neiman Marcus experienced their breaches that they created a CISO position.”

Despite the dangers, according to BitSight, retailers’ security ratings continue to deteriorate (see chart below), and the company expects things to get worse before they get better.

[Chart: BitSight security ratings for the retail sector, referenced above]

It doesn't help that retailers make such inherently fat targets.

"With billions of transactions occurring on a daily basis both online and in stores, retail is an obvious target for attackers," Boyer added. "With multiple physical locations and with hundreds to thousands of networked endpoints, they have a very large attack surface, leaving lots of room for vulnerabilities."

Financial services sets the security standard

So what can be done about this alarming situation? The solution, says Boyer, requires retailers (and health-care providers, who share many of the same vulnerabilities and whose security ratings are also plummeting) to "move beyond a compliance-focused strategy and recognize that just being PCI compliant is not enough. Being secure will make you compliant." Boyer suggested that retailers emulate more secure sectors:

"The number one thing we see in top-performing industries like financial services is that the culture of security risk management extends all the way to the top. Making security a board-level issue is key to improving security posture, and that starts with installing risk teams and assigning responsibility across the company. Having a C-level function who can report back to the board on important performance issues and indicators is essential."

Not surprisingly, Boyer also noted that the aerospace/defense sector is "highly innovative in its approach to network security," perhaps because of the nature of the information it guards. Those companies also commit to large cybersecurity budgets and prioritize employee education.

Copyright © 2014 IDG Communications, Inc.