Retailers need to step up IT security, says Deloitte

Retailers are losing the battle against IT security threats because most have no strategy for their long term defence and merely respond to incidents, says a report from management consultancy Deloittes.

"Consumer businesses have a tactical rather than a strategic approach to security," the company said. "This means they do not develop the foresight that allows them to deal with issues before they become problems."

The survey of managers responsible for IT security in consumer businesses such as retailers and consumer goods companies found 80% had no clear IT security strategy, but 93% had appointed someone to take responsibility for it.

All had installed anti-virus, firewall and similar products. Despite them regarding spyware and phishing attacks as their greatest threats, 73% were deploying anti-spyware tools, and only 27% had anti-phishing tools.

Business continuity was high on the priority list, but 82% had not tested their back-up plans.

Two out of three firms were using compliance with the Data Protection Act and the Payment Card Industry's Data Security Standard (PCI:DSS) to drive their IT security plans.

However, only one-third of respondents were planning to comply fully, but 80% of those who also trade online aimed to comply. They expected compliance to cost between £250,000 and £500,000, and 60% expected it to be "highly disruptive" to the business.

Despite being aware of the importance of protecting personal data, only 13% had established what data they held, where they held it, and how it was transmitted and used. Only 40% had written policies on privacy, fair information practices, and data collection, and only 13% had a process for managing privacy compliance.

Box

Top threats

Virus/worm outbreaks

Spyware

Phishing/pharming

Email attacks

Staff misconduct

Top counter-measures

Beef up security infrastructure

Improve security governance

Comply with security regulations

Secure applications

Develop and execute a security strategy