Retailers optimising transactions but forsaking security this holiday season
According to figures released today by IMRG* (the UK’s industry association for e-retail) almost half of e-retailers expect sales growth to reach over 20% year-on-year in the run-up to Christmas. All this good news belies the fact that many retailers are relying on security practices that ‘Old Saint Nick’ would describe as naughty.
Next Friday (dubbed Black Friday) is the traditional kick-start to festive trading, but it is also when many retailers will ‘freeze’ critical transaction and other supporting systems so as not to risk outages from patches and updates.
David Schreiber of Tenable Network Security said: “At this time of year many merchants are operating in production freeze. The focus for IT teams is on uptime, performance, throughput and availability – optimising retail transactions. Patching and other security-related updates get pushed to the back burner.
“Major vendors like Oracle, IBM, Cisco, Microsoft, Red Hat, Google, Apple and Adobe together will announce hundreds of vulnerabilities in Q4 2014. And, if the last two years are any indication, there will be hundreds more in January. This implies that there are lots of merchants running their businesses on vulnerable systems.
“Security is a daily habit, not just an annual compliance validation. Changing security habits from naughty to nice requires time, effort, vigilance, investment in comprehensive security solutions, continuous monitoring, employee training, and attitude adjustments. It’s a major investment, but well worth the expense when compared to the cost of recovering from a major breach.”
To help shed some light on security issues that may arise this holiday season, Tenable created an infographic titled ‘Are the security practices of retailers naughty or nice this holiday season?’ (available on request). Drawing on data from a variety of sources such as IBM, PwC, comScore, and the Verizon 2014 PCI Compliance Report, this infographic highlights some issues associated with compliance with PCI DSS (the Payment Card Industry Data Security Standard).
For example:
– The overall rate of PCI compliance is only 11.1%
– Compliance with PCI Requirement 11 (which covers the regular vulnerability scanning and penetration testing of processes, applications, and networks) is only 40%
– Nearly 87% of merchants experiencing breaches were not compliant