Retailers have a hearty sense of confidence when it comes to how quickly their organizations would detect a data breach, especially one that targets sensitive payment information, finds a survey from Tripwire Inc., a data-security company.
In the survey of 154 retail organizations, 60% said their systems could detect a data breach within 72 hours. Only 11% said the detection would happen within a week, while 7% said within a month. Just 1% said it would take three months, and 20% had no confidence detection would happen quickly.
The survey also found that 35% were very confident in their ability to detect rogue applications; 47% were somewhat confident; and 18% not confident at all.
That confidence may not be warranted in some cases, says Dwayne Melancon, Tripwire chief technology officer. Portland, Ore.-based Tripwire cites the 2014 Verizon Data Breach Investigations Report, which found it took weeks to detect 85% of the point-of-sale breaches in the report. And in the Mandiant 2014 Threat Report, the median time a threat existed on a network before detection was 229 days in 2013.
“Retailers are over-confident for a few reasons,” Melancon says. “First, they are ‘doing PCI,’ which makes them feel secure. After all, it is touted as a security standard, right?” Organizations that handle payments must meet the Payment Card Industry data-security standard (PCI) set forth by the PCI Security Standards Council.
“Second, many of them have made significant investments in security technologies and services,” he says. “The challenge is that security needs to be more than a collection of technologies and services. It is an interlocking system. Organizations often gain disproportionate levels of confidence in their security capabilities, based on silo-oriented actions they take rather than the verified strength of their overall security capabilities. Retailers are no different in this regard.”
His take on retailer attitudes likely is not out of place, suggests Beth Robertson, an independent payments consultant in Baltimore. “What I see from the data is that while retailers’ senior management may be giving security more attention since the Target breach, there is still concern that practices that are in place may be insufficient to prevent breaches,” Robertson says. Few retailers could ignore the Target breach, she says. Awareness of other breaches, such as one disclosed earlier this month at P.F. Chang’s China Bistro Inc., may train management’s attention on data security, she says.
Indeed, Tripwire found 70% of respondents said the Target breach affected the level of attention executives give to security. Online retailers, at 57%, were less affected by the breach, because they do not handle card-present transactions, Melancon says.
But complacency is part of human nature, Robertson says. “There may be a need to update PCI compliance-audit practices to alter them from a point-in-time annual event and enable them to more readily address the ongoing evolution of fraud.”