Majority of Retailers Lack Fully-Tested Breach Response Plan

Majority of Retailers Lack Fully-Tested Breach Response Plan

Nearly three-quarters of retailers lack a fully-tested breach response plan, according to new findings from Tripwire.

With the busy festive shopping period in full swing the firm surveyed IT security pros working in retail organizations, discovering that a large majority are not prepared for data breaches this holiday season.

Of the 103 pros polled, just 28% said they had a comprehensively tested plan in place for dealing with a breach, whilst 21% said their company didn’t have one at all. Almost a quarter felt they were “fully prepared” to deal with potential financial penalties with just 15% primed to manage customer and press communications post-incident.

What’s more, 21% also admitted they lack the means to notify customers of a breach within 72 hours, something that will be of concern considering the specified requirement to do so as part of the General Data Protection Regulation (GDPR) come May 2018.

“Considering the amount of high-profile data breaches that have occurred recently, plus the continued discussion around GDPR, it is surprising and concerning that many retailers do not have a tested plan in the event of a security breach,” said Tim Erlin, vice-president of product management and strategy at Tripwire.

On a more positive note, 57% of respondents believed their organization’s capability to detect and respond to data breaches had improved in the past 18 months, suggesting there is hope that the retail industry is moving in the right direction in terms of data security.

“It’s really critical that organizations have a good view of what’s on their network at all times, that they harden their systems with secure configuration and vulnerability management, and that they are able to continuously monitor for change and are alerted to any drift outside the established security and compliance policies”, added Erlin.

Source: Information Security Magazine