Small- and mid-sized retailers aren't keeping up with the technologies they need to ensure customer data security and compliance, according to a new survey.
The study, commissioned by network security developer Fortinet, looked at how these SMBs stand in regards to compliance regulations, security policies and new technologies that help manage big data and security infrastructure.
Based on findings from an independent U.S.-based survey of 100 SMB retail organizations with fewer than 1,000 employees, the survey revealed that a majority of retailers are aware of an increasingly complex threat and regulatory environment and are applying best security practices and compliance policies to keep safe. However, more than one in five retailers (22 percent) are not PCI DSS compliant, and an additional 14 percent don't know whether they are PCI compliant or not.
Additionally, more than half (55 percent) of surveyed retailers are unaware of their state's security breach requirements, while 40 percent lack any established policy adhering to those requirements. This gap creates the potential for regulatory compliance violations if data is compromised, resulting in loss of customer data, financial penalties, litigation and damage to brand and reputation.
Further survey results show that many SMBs fail to employ strong security practices, such as policies to enforce password security, which puts them at risk for brute-force attacks, data breaches and regulatory violations.
With regard to new and innovative technologies, more than half of SMB retailers are looking to onboard retail analytics to help them understand purchasing trends and customer behavior in the store. And with an eye towards IT consolidation and cost reduction, a vast majority of SMB retailers would be interested in products that combine both physical and network security functions in a single appliance.
Security Improving, but Holes Exist
Fundamental security best practices continue to represent another major challenge for SMB retailers. Consumers may want to think twice about jumping on a free public wireless network. According to the survey, 15 percent of retailers offering free guest Wi-Fi fail to enforce any kind of security policy, such as blocking unacceptable content, malicious Websites or malware. This is a deficiency that exposes guests to potential malware, while increasing the risk of infection for a retail network that is not properly segmented.
Optimistically, 60 percent of SMB retailers have password protections and enforce them regularly. However, 40 percent of retailers don't require their employees to change their password at least once a year, which dramatically increases their risk of data loss.
Meanwhile, many SMB retailers are lax when it comes to disposing of sensitive data -- a shortcoming that potentially exposes consumer information to identity thieves. While almost three-fifths (59 percent) of SMB retailers said they have a data disposal policy in place, 29 percent lack any established data disposal plan, while 12 percent are completely unaware of their organization's data disposal policy.
Retailers Consider New Ways to Manage Security, Customer Data
The survey indicated that SMB retailers are looking at new ways to streamline multiple security solutions to reduce costs and simplify management.
Congruent with consolidation trends, 80 percent of retailers want to see physical security infrastructure, such as video cameras, DVRs, and alarm systems, housed in a single device that also manages network security mechanisms such as firewall, VPN, anti-virus and Web application firewall.
Managing security is also changing. Fifty-three percent of retailers said they are managing and maintaining their own security infrastructure on-site. However, 18 percent of retailers are now also relying on a managed security services provider (MSSP) to augment their security defenses, while another 29 percent are looking to move more security functions to a third-party managed service provider.
Like many other industries, retailers are exploring the opportunities around retail analytics in order to better understand, assess and influence visitor behavior and directly target customers with promotions and deals. A significant majority (59 percent) of respondents state that they are familiar with retail analytics that can utilize Wi-Fi enabled smartphones to capture shoppers' data. Of that 59 percent, 75 percent of respondents are either actively utilizing these analytics solutions or have a strong interest in them. Only a remaining 25 percent say that they are reluctant to use this type of technology out of respect for their customers' privacy.
The survey also indicated that SMB retailers would be more likely to consider retail analytics if they were more knowledgeable about the technology. Of the 41 percent that said they are unfamiliar with retail analytics, almost half (49 percent) express that they would like to someday use the technology.
"This survey was eye-opening for us. Despite looming threats and stiff compliance penalties, more than a fifth of SMB retailers are still not PCI compliant, while many are falling short of security best practices like password safety," said Patrick Bedwell, vice president of product marketing for Fortinet. "The survey also confirmed that -- as with larger retailers -- SMBs have a strong interest in big-data analytics, as well as standalone products that incorporate both network and physical security capabilities within a single appliance. Our new connected UTM appliances with Power over Ethernet are certainly a step in that direction in that they allow a business to manage multiple PoE devices through our FortiGate interface. These solutions can include, but are not limited to, PoS devices, IP phones, IP cameras, wireless access points and digital signage."
Research for the SMB Retail and Security Survey was conducted by GMI, a division of Lightspeed Research, a leading provider of technology-enabled solutions and online responses for global market research. Each survey respondent claimed to have knowledge of their company's business network, payment systems, and information security policies. Additionally, respondents were limited to those who use credit or debit card transactions as their primary means of accepting payments.