Retailers are losing the battle against IT security threats because most have no strategy for their long-term defence and merely respond to incidents, says a report from management consultancy Deloitte.
"Consumer businesses have a tactical rather than a strategic approach to security," the company said. "This means they do not develop the foresight that allows them to deal with issues before they become problems."
The survey of managers responsible for IT security in consumer businesses such as retailers and consumer goods companies found 80% had no clear IT security strategy, but 93% had appointed someone to take responsibility for it.
All had installed anti-virus, firewall and similar products. Although they regarded spyware and phishing attacks as their greatest threats, only 73% were deploying anti-spyware tools, and only 27% had anti-phishing tools.
Business continuity was high on the priority list, but 82% had not tested their back-up plans.
However, only one-third of respondents were planning to comply fully, but 80% of those who also trade online aimed to comply. They expected compliance to cost between £250,000 and £500,000, and 60% expected it to be "highly disruptive" to the business.
Despite being aware of the importance of protecting personal data, only 13% had established what data they held, where they held it, and how it was transmitted and used. Only 40% had written policies on privacy, fair information practices, and data collection, and only 13% had a process for managing privacy compliance.
Beef up security infrastructure
Improve security governance
Comply with security regulations
Develop and execute a security strategy