72 percent of UK retailers not ‘Cyber Secure’ in lead up to Christmas

Posted: Thu Dec 11, 2014 03:00:29 PM
OXFORD, UK – December 11 2014: Sophos today announced the results of its 2014 Retail Security Barometer, revealing worrying gaps in cyber security and data protection across UK retailers during the busiest shopping period of the year. The research, conducted for Sophos by Opinium, investigated the attitudes of 250 UK retail IT decision makers towards cyber security and consumer data protection. It reveals a significant gap between the level of security UK retailers believe they have and the level of security actually in place at retail establishments across the nation. The research shows that, despite being aware of the growing cyber security risks and the impact a breach can have on both consumers and their own brand, retailers are not imposing the correct level of IT security or ensuring sufficient training is in place for sales staff to help stop credit card fraud and the theft of sensitive customer information, such as bank details and email addresses.

According to James Lyne, Global Head of Research, Sophos: “We’re now in the midst of the busiest time of the year for the retailers, so shops must ensure they have appropriate measures in place to prevent cyber crime. As recent data breaches show, it is critical that retailers protect customer data both from exposure in the public domain and from being quietly used in the background. Cyber criminals have clearly demonstrated systematic compromise of such organisations; it is clear that they are high on their priority list.”

The research reveals significant overconfidence in the retail sector, with 87 per cent of UK retailers confident that they have adequate security in place to protect customer data, and 86 per cent confident that they are able to protect their general network from the malware used by hackers to steal business and customer data.
However, the research also indicates that while confidence among retailers is high, in reality the vast majority – 72 percent – have not implemented the fundamental security required to safeguard both business and customer data. The absence of basic encryption, which protects business and customer data at the most fundamental level, highlights a significant and worrying gap in the cyber security strategies of UK retailers. The majority of retailers acknowledge that they rely primarily on barebones protection, such as firewalls (77 percent) and anti-virus (33 percent). Relying on perimeter protection like firewalls is comparable to closing the door of your house while leaving the windows open. And even those that secure the perimeter do not defend their networks in depth, with only 31% indicating they have network protection beyond a firewall and only 2% having comprehensive unified threat management capability in place.

“In the lead up to Christmas, we can expect to see an increase in data breaches if retailers continue not taking the necessary steps to secure customer data,” said Mr Lyne. “For an industry responsible for holding and safeguarding so much sensitive customer data, it’s worrying to see the level of overconfidence and lack of awareness surrounding cyber security. This needs to be rectified if we are to adequately protect UK consumers. What amazes me is how often the breaches are the result of incredibly simple failures of policy, training or technology and not the result of cyber criminals being particularly clever.”

Statistics at a Glance:
Even fewer – 48 per cent – of those who haven’t previously been compromised have plans in place to enhance the security of their IT systems.

“It won’t happen to me…” – The Ostrich Effect

The research reveals that the ‘Ostrich Effect’ is firmly in place, as the UK retail sector continues to bury its head in the sand when it comes to cyber security. In addition to the 72 per cent that admit to not having basic cyber security capabilities, half of retailers also have no contingency plans in place to deal with a data breach if they do fall victim to malicious hacking.
Email Address & Credit Card Vulnerability

The research found that email addresses were the most commonly stolen form of data. Credit card details were the second most commonly stolen form of data across UK retailers.
Top 6 retail threats and what to do about them

Good security is simple security, so there are a few basic steps that retailers can take to drastically improve their security.
Action: Ensure you have effective endpoint, network and email protection that filters out spam, malware and dangerous file types. In addition, train employees to be suspicious of emails, especially those that contain attachments, and to report any unusual emails or attachment behaviour to IT.
Action: Consider a patch assessment tool to ensure your operating system and applications are up to date with the latest security fixes. Most exploit kits succeed by exploiting software flaws for which a patch is already available but has not yet been deployed. And install endpoint protection software and/or a secure web gateway that can identify and block exploit kits before they infect your systems.
Action: Consider segregating your networks with next-gen firewalls that treat your internal departments as potentially hostile to each other, rather than having one big "inside" fenced off from the even bigger "outside." And put in place a device control strategy to identify and control the use of removable storage devices – not only does this stop malicious files getting in, but combined with data loss prevention (DLP) it can also help stop personally identifiable information (PII) and intellectual property (IP) data from going out. Finally, implement full disk protection and encrypt sensitive data stored on servers or removable media for sharing with business partners.
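The DLP control in the action above works by inspecting content on its way out. As an added illustration (not Sophos code, and not from this release), the following Python scans a constructed block of outbound text for card numbers and email addresses. It validates every digit run with the Luhn checksum, so tracking numbers and phone numbers that merely look like card numbers are not flagged; the card-like numbers in the sample are chosen only to pass that check, and the names and addresses are invented.

```python
import re

# Constructed outbound text (not real customer data). The first and third
# digit runs are chosen to pass the Luhn check; the others are decoys.
SAMPLE_OUTBOUND = """
Order 4539 1488 0343 6467 shipped to j.smith@example.com
Tracking number 1234567890123456 (courier ref 98765432)
Refund to card 5555-5555-5555-4444, contact anna@example.org
Phone +44 20 7946 0958, invoice 2014-12-11
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not immediately preceded or followed by another digit.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalised (digits-only) card numbers that pass Luhn."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_outbound(text: str) -> dict:
    """Summarise PII found in an outbound message for a DLP decision."""
    cards = find_card_numbers(text)
    return {
        "cards": cards,
        "masked_cards": [mask_pan(c) for c in cards],
        "emails": EMAIL_RE.findall(text),
        "block": bool(cards),   # policy choice: any card number blocks the send
    }


if __name__ == "__main__":
    report = scan_outbound(SAMPLE_OUTBOUND)
    print("cards:", report["masked_cards"])
    print("emails:", report["emails"])
    print("block:", report["block"])
```

The Luhn step is what keeps the rule usable: without it, every 16-digit tracking number would trigger a block and staff would quickly learn to ignore the control. Log only the masked form, otherwise the DLP log itself becomes a store of card data.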
Action: Consider implementing your own remote access service using a virtual private network (VPN) and requiring everyone to use two-factor authentication. Review your purchase requirements and vendors with your procurement team if you have a more sizeable infrastructure.
Action: Consider web filtering and a next-gen firewall with command-and-control traffic detection. This isn't as good as blocking the malware before it runs, but it can neutralise (and will draw attention to) malware that would otherwise make off with your crown jewels. Numerous breaches this year would have been detected and thwarted far sooner with this in place.
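One of the signals a command-and-control detector looks for is beaconing: a host contacting the same destination at near-constant intervals. As an added example (not Sophos code, and not describing any product's actual detection logic), the following Python groups constructed web-proxy log lines by client and destination and flags pairs whose request intervals are both frequent and unusually regular. The log format, host names and addresses are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client IP> <destination host> <status>".
# 10.0.5.21 contacts host-a every five minutes, almost to the second; its
# other traffic, and the other client, are irregular.
SAMPLE_PROXY_LOG = """\
2014-12-11T09:00:00 10.0.5.21 host-a.example.test 200
2014-12-11T09:00:04 10.0.5.21 news.example.test 200
2014-12-11T09:00:31 10.0.5.21 news.example.test 200
2014-12-11T09:05:00 10.0.5.21 host-a.example.test 200
2014-12-11T09:07:12 10.0.5.33 news.example.test 200
2014-12-11T09:10:00 10.0.5.21 host-a.example.test 200
2014-12-11T09:15:01 10.0.5.21 host-a.example.test 200
2014-12-11T09:19:59 10.0.5.21 host-a.example.test 200
2014-12-11T09:25:00 10.0.5.21 host-a.example.test 200
2014-12-11T09:26:40 10.0.5.21 news.example.test 200
"""


def parse_log(text: str) -> dict:
    """Group request timestamps by (client, destination)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _status = line.split()
        sessions[(client, dest)].append(datetime.fromisoformat(ts))
    return sessions


def find_beacons(text: str, min_requests: int = 5, max_cv: float = 0.1) -> list:
    """Return (client, dest, mean_interval_s, cv) for regular, frequent contacts.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    requests; values near zero mean machine-like timing.
    """
    findings = []
    for (client, dest), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((client, dest, avg, cv))
    return findings


if __name__ == "__main__":
    for client, dest, avg, cv in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} -> {dest}: every {avg:.0f}s (cv={cv:.3f})")
```

Legitimate software updaters and monitoring agents beacon too, so a finding like this is a lead for an analyst, not a verdict; in practice it is paired with a list of known-good destinations and with the reputation and category data the web filter already holds for the destination.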
Action: Use Application Control to keep track of, and restrict, unnecessary software that reduces security without adding any needed benefit. Periodic reviews of builds and expected configuration will also help prevent drift or organic changes from leaving you open at some point in the future.