Thales announces the results of its 2019 Thales Data Threat Report – Retail Edition. According to the study, with research and analysis from IDC, U.S. retailers continue to be under siege as nearly two thirds (62%) reported ever experiencing a data breach and over a third (37%) indicated they were breached in the past year. This high rate of data breaches comes amidst a decline in the rate of growth in security spending. Less than two thirds (62%) said that they were increasing spending this year compared to 84% last year, even as nearly all (96%) of the retailers surveyed claimed they use sensitive data within digitally transformative environments. As both brick-and-mortar and online retailers continue to evolve, the industry remains a vulnerable target as a result of digital transformation and the disadvantage of being at the crossroads where mobile payments and personal information meet.
“Retailers have a deep well of customer data that includes what people buy, what they’re interested in, shopping habits, how they’re using mobile apps and more,” said Leslie Hand, GVP of retail insights, IDC. “When this data is coupled with the payment information retailers also collect, you’ve got a perfect storm that creates very lucrative opportunities for cybercriminals. Securing data in this environment is increasingly complicated and retail organizations must be vigilant in protecting against new security loopholes.”
Breach rate worsens as retailers aggressively adopt digitally transformative technologies
Today, more U.S. retailers are on the leading edge of digital transformation with 42% saying they are either aggressively disrupting the markets in which they participate or are embedding digital capabilities that enable greater organizational agility. While digital transformation offers benefits to consumers and retailers alike, it also exposes a gap between leaders in retail and those that are encumbered by legacy technology environments. Even retailers with deeper pockets or that are born in the cloud must apply security architectures across older infrastructures while simultaneously rolling out new cloud-based, digitally transformative technologies. The end result is that retailers need smarter, better ways to approach data security, and to implement modern, hybrid, and multi-cloud oriented technologies.
The implementation of new technologies continues to raise the potential of putting sensitive customer data at risk. In addition, retailers face an ever-expanding threat environment with top concerns including cyberterrorism (55%), hacktivists (50%), and internal, privileged users (47%). Interestingly, cybercriminals were not a top concern despite the high number of data breaches in the past year.
“Retailers know they’re vulnerable to data breaches, yet the report shows that IT security spending isn’t properly aligned with the risks they face,” said Tina Stewart, vice president market strategy for cloud protection and licensing activity at Thales. “With brand reputation and trust on the line, remediation after a breach occurs is far too late. Retail organizations should place the same level of value on data security as they do on the products and services they sell. Additionally, whether ‘born in the cloud’ or just starting to move to the cloud, their overall security stance has to remain strong as digital transformation continues.”
The impact of the cloud in retail
The report found that multi-cloud environments make protecting sensitive data even more complex for retailers. In fact, cloud use with sensitive data is extremely high. An astounding 69% of respondents have 26 or more Software-as-a-Service (SaaS) applications, while more than half have three or more Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) applications. Driven by the need to protect digital transformation’s complex data environments, 40% rated complexity as the top barrier to deploying data security.
Data regulations affect nearly all retailers
Retailers face a vast array of national, global and industry-wide privacy and compliance regulations such as the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI DSS). In fact, the report found that nearly all (92%) of those surveyed will be affected by data privacy and sovereignty regulations. Yet, just over half (56%) of respondents will use encryption or tokenization to meet these requirements.