Last year, the big breach hitting the scene during the holiday season was aimed at Sony. In 2013, it was Target. The question now is, as holiday shoppers hit their favorite spots this year, are retailers more prepared in the event of a cyberattack? Security experts say: Sort of.
One thing that is definitely clear is that with all of the breaches in recent years, awareness is now at an all-time high.
“The Target breach, in particular, was a wake-up call for the sector ... and we’ve seen a lot of response since then,” said Stephen Boyer, founder and chief technology officer at BitSight. “I don’t think you can claim ignorance anymore.”
BitSight offers a security ratings platform, and in its research comparing the security performance of multiple industries, retail ranked second only to finance, with a score of 700 out of a possible 900 on the BitSight ranking (the finance industry scored 710). The next closest sector was technology, with a score of 680. Boyer said that ranking is “encouraging.”
“We’re seeing general performance improvements [in retail] across the board,” Boyer said. “Awareness is high and it’s definitely become a board-level issue. We’re starting to see and hear that they’re taking it much more seriously,” he said.
Jeff Schmidt, CEO and founder of JAS Global Advisors, a security consultancy based in Chicago, said he is “cautiously optimistic” when it comes to retail security this holiday season. Schmidt said he has seen the sector make a lot of improvements, including security investments overall and those specifically around chip-and-PIN cards.
“[Retail companies have] gotten better. These are really big, complicated companies and nobody is going to be perfect yet, but they’ve gotten better,” Schmidt said.
The impact of a breach on a retailer is very real, with a recent Accenture survey finding that 12 percent of loyal customers won’t return to a retailer after a data breach. A larger number, 36 percent, will slow their shopping with the retailer, the report said. So far in 2015, there have been nine reported data breaches in the retail and merchant sector, according to the Privacy Rights Clearinghouse. That includes breaches at CVS Pharmacy, Starbucks, Sally Beauty Supply, Toys “R” Us and more. That compares with 43 reported breaches in 2014, most notably Staples and Home Depot.
The holiday season, in particular, is a critical time for testing the strength of security systems, as it is by far the busiest time of the year for most retailers, said Ajay Arora, CEO and co-founder of Vera. That means not only that retailers are distracted with keeping their systems up and running during an influx of business, but also that hackers are more likely to save their best attacks for when lucrative credit card and personal information records flood into the systems, Arora said. Schmidt added that an influx of temporary talent during the holiday season could also complicate things, as those workers tend to have less training and less commitment to the company.