Retailers are losing the battle against IT security threats because most have no strategy for their long-term defence and merely respond to incidents, says a report from management consultancy Deloitte.
"Consumer businesses have a tactical rather than a strategic
approach to security," the company said. "This means they do not
develop the foresight that allows them to deal with issues before
they become problems."
The survey of managers responsible for IT security in consumer
businesses such as retailers and consumer goods companies found 80%
had no clear IT security strategy, but 93% had appointed someone to
take responsibility for it.
All had installed anti-virus, firewall and similar products.
Although they regarded spyware and phishing attacks as their greatest threats, only 73% were deploying anti-spyware tools and only 27% had anti-phishing tools.
Business continuity was high on the priority list, but 82% had
not tested their back-up plans.
Two out of three firms were using compliance with the Data Protection Act and the Payment Card Industry's Data Security Standard (PCI DSS) to drive their IT security plans.
However, only one-third of respondents were planning to comply fully, although 80% of those who also trade online aimed to comply. They
expected compliance to cost between £250,000 and £500,000, and 60%
expected it to be "highly disruptive" to the business.
Despite being aware of the importance of protecting personal
data, only 13% had established what data they held, where they held
it, and how it was transmitted and used. Only 40% had written
policies on privacy, fair information practices, and data
collection, and only 13% had a process for managing privacy
compliance.
Top threats:
Virus/worm outbreaks
Spyware
Phishing/pharming
Email attacks
Staff misconduct
Top counter-measures:
Beef up security infrastructure
Improve security governance
Comply with security regulations
Secure applications
Develop and execute a security strategy