
Study: Majority of retailers lack data breach response plan

Cyber-criminals will be on the hunt this holiday season, yet a majority of retailers are not fully prepared for potential data breaches.

According to a new study from Tripwire, only 28% of retailers said they have a fully tested plan in place in the event of a security breach. Meanwhile, 21% said their organization doesn't have a plan at all, and the same share (21%) said it lacks the means to notify customers of a data breach within 72 hours, a requirement specified by the General Data Protection Regulation (GDPR).

Only a small minority of the retail industry feels fully secure in their incident response capabilities. Twenty-three percent of respondents said they were "fully prepared" to absorb potential financial penalties. Even fewer professionals (15%) said they were fully prepared to manage customer and press communications following an incident.

“Considering the amount of high-profile data breaches that have occurred recently, plus the continued discussion around GDPR, it is surprising and concerning that many retailers do not have a tested plan in the event of a security breach,” said Tim Erlin, VP of product management and strategy at Tripwire. “It’s encouraging that most respondents think they can meet the 72-hour notification window as set out in the upcoming GDPR, but if they haven’t tested their plans, I don’t know how confident they should be in that assumption.”

The study results did provide some hope that the industry is moving in the right direction. More than half of respondents (57%) said that their organization’s ability to detect and respond to a security breach has improved in the past year and a half.

With the holiday season in full swing, organizations should make sure they have proper security safeguards in place. For example, there are a number of effective and established security control frameworks available to guide organizations. Implementing even the most basic security controls can go a long way in improving an organization’s security posture, the study revealed.