US Retailers “Overconfident” on Cyber Security Issues
Portland, OR – US retail firms are confident in their ability to quickly detect data breaches, despite industry research to the contrary, according to a recent survey conducted by Dimensional Research and Oregon-based security management firm Tripwire.
When asked how quickly their organizations would detect a breach, 42 percent said it would take 48 hours, 18 percent said it would take 72 hours, and 11 percent said it would take a week, the survey said.
While 35 percent of respondents were “very confident” and 47 percent were “somewhat confident” that their security controls could detect rogue applications, most breaches go undiscovered for weeks, months or even longer, the research found.
The 2014 Trustwave Global Security Report reveals that the retail sector is the top target for cyber criminals, accounting for 35 percent of the attacks studied, with an average of 229 days taken to detect a security breach.
The report also states that the number of firms that detected their own breaches dropped from 37 percent in 2012 to 33 percent in 2013. Some 85 percent of point-of-sale intrusions took weeks to discover, and 43 percent of web application attacks took months to detect.
The survey evaluated the attitudes of 154 retail organizations on a variety of cyber security topics.
“I always say that trust is not a control, and hope is not a strategy,” said Dwayne Melancon, chief technology officer for Tripwire. “Unfortunately, this data suggests that a lot of retailers are far too hopeful about their own cyber security capabilities.”
Despite “ample historical evidence that most breaches go undiscovered for months,” he said, “there is clearly a significant disconnect between perception and reality, even though the repercussions for failing to meet the required level of rigor around cyber security have led to the recent removal of retail executives and board members.”
The survey also found that 70 percent of respondents said the recent, nationally reported Target security breach has affected the level of attention executives give to security in their organizations, and that 26 percent of respondents don’t evaluate the security of business partners, such as HVAC contractors who were implicated in the Target breach.