Retail data breaches still high as GDPR deadline looms

As the EU’s General Data Protection Regulation compliance deadline approaches, retail data breaches remain unacceptably high, a data threat report reveals

More than eight out of 10 retailers consider themselves vulnerable to data threats, and 37% say they are “very” or “extremely” vulnerable, according to the 2017 Thales data threat report, retail edition.

The report, issued by security firm Thales in conjunction with 451 Research, reveals that 43% of retailers have experienced a data breach in the past year, and a third of those reported more than one breach.

As a result, nearly three-quarters of retailers expect their spending on IT security to increase, partly driven by increased regulation, such as the EU’s General Data Protection Regulation (GDPR).

According to the report, the increase in data protection regulation has led to greater awareness and concern around issues of data privacy and sovereignty, with 72% of retailers claiming to be affected.

For retailers, data means greater insights into customer behaviour, the ability to offer more personalised experiences, and the chance to upsell products successfully, but it can also mean a greater risk of security breaches, losing valuable customer information and tarnishing relationships and reputation.

“With tremendous sets of detailed customer behaviour and personal information in their custody, retailers are a prime target for hackers, so should look to invest more in data-centric protection,” said Peter Galvin, vice-president of strategy at Thales.

“As retailers dive head-first into new technologies, data security must be a top priority as they continue to pursue their digital transformation.”

The report reveals that, in an effort to comply with new data protection requirements, almost two-thirds of retailers (64%) are encrypting their data, 40% are tokenising it, and 36% are implementing a migration project.

According to the report, half of retail organisations (52%) will use sensitive data in a big data environment in 2017, with a third using encryption to protect that data. However, 39% said they were “very concerned” about using these environments without proper security in place.

The report also found that as adoption of cloud and software-as-a-service (SaaS) environments continues to rise, so too do concerns about their safe use. For example, two-thirds of retailers claimed to be “very” or “extremely” concerned about cloud service providers (CSPs) falling victim to security breaches or attacks.

A similar proportion (66%) expressed concern about vulnerabilities in shared infrastructure, and 65% were worried about the custodianship of the encryption keys used to protect their data. But 63% of respondents suggested such fears could be allayed by using data encryption in the cloud, with keys being controlled at the retailer’s premises, while half (52%) preferred CSPs to control the keys.

Garrett Bekker, principal analyst for information security at 451 Research, said the 43% of retail respondents that had reported a breach in the past year alone was nearly twice the global average. “These distressing breach rates serve as stark proof that data on any system can be attacked and compromised,” he said.

Unfortunately, said Bekker, organisations keep spending on the same security technology that worked for them in the past, but that is not necessarily the most effective at stopping modern breaches.

The report said it is “troubling” that attitudes, as well as security strategies, do not appear to be keeping up with many emerging threats.

In the global edition of the Thales 2017 data threat report, nearly two-thirds (63%) of respondents said their organisations deploy new technologies such as cloud, big data, internet of things (IoT) and containers before having the security in place to protect them.

In the retail sector, that figure is even more sobering, soaring to 80% in global retail organisations, the report said.

The report said retail organisations that are interested in improving their overall security postures should strongly consider:

  • Deploying security toolsets that offer services-based deployments, platforms and automation.
  • Discovering and classifying the location of sensitive data within cloud, SaaS, big data, IoT and container environments.
  • Using encryption and bring your own [encryption] key (BYOK) technologies.
