One in five SME retailers not PCI compliant, lack security fundamentals
Fortinet, a global leader in high-performance network security, published new research that shows where SME retailers stand in regards to compliance regulations, security policies and new technologies that help manage big data and security infrastructure.
Based on findings from an independent US-based survey, of 100 SME retail organisations with less than 1 000 employees, the survey revealed a majority of retailers are aware of an increasingly complex threat and regulatory environment and are applying best security practices and compliance policies to keep safe. However, more than one in five retailers (22%) are not PCI DSS compliant, and an additional 14% don't know if they are PCI compliant or not.
Additionally, more than half (55%) of surveyed retailers are unaware of their state's security breach requirements, while 40% lack any established policy adhering to those requirements. This gap creates the potential for regulatory compliance violations if data is compromised, resulting in loss of customer data, financial penalties, litigation and damage to brand and reputation.
Further survey results show that many SMEs fail to employ strong security practices, such as policies to enforce password security, which puts them at risk for brute-force attacks, data breaches and regulatory violations.
With regards to looking ahead at new and innovative technologies, more than half of SME retailers are looking to onboard retail analytics to help them understand purchasing trends and customer behaviour in the store. And with an eye towards IT consolidation and cost reduction, a vast majority of SME retailers would be interested in products that are able to combine both physical and network security functions in a single appliance.
Security improving, but holes exist
Fundamental security best practices continue to represent another major challenge for SME retailers. Consumers may want to think twice about jumping on a free public wireless network. According to the survey, 15% of retailers offering free guest WiFi fail to enforce any kind of security policy, such as blocking unacceptable content, malicious Web sites or malware. This is a deficiency that exposes guests to potential malware, while increasing the risk of infection for a retail network that is not properly segmented.
Optimistically, 60% of SME retailers have password protections and enforce them regularly. However, 40% of retailers don't require their employees to change their password at least once a year, which dramatically increases their risk of data loss.
Meanwhile, many SME retailers are lax when it comes to disposing sensitive data – a shortcoming that potentially exposes consumer information to identity thieves. While almost three-fifths (59%) of SME retailers said they have a data disposal policy in place, 29% lack any established data disposal plan, while 12% are completely unaware of their organisation's data disposal policy.
Retailers consider new ways to manage security, customer data
The survey indicated that SME retailers are looking at new ways to streamline multiple security solutions to reduce costs and simplify management.
Congruent with consolidation trends, 80% of retailers want to see physical security infrastructure, such as video cameras, DVRs, and alarm systems, housed in a single device that also manages network security mechanisms such as firewall, VPN, anti-virus and Web application firewall.
Managing security is also changing. Fifty-three percent of retailers said they are managing and maintaining their own security infrastructure on-site. However, 18% of retailers are now also relying on a managed security services provider (MSSP) to augment their security defences, while another 29% are looking to move more security functions to a third-party managed service provider.
Like many other industries, retailers are exploring the opportunities around retail analytics in order to better understand, assess and influence visitor behaviour and directly target customers with promotions and deals. A significant majority (59%) of respondents state they are familiar with retail analytics that can utilise WiFi-enabled smartphones to capture shoppers' data. Of that 59%, 75% of respondents are either actively utilising these analytics solutions or have a strong interest in them. Only a remaining 25% say they are reluctant to use this type of technology out of respect for their customers' privacy.
The survey also indicated that SME retailers would be more likely to consider retail analytics if they were more knowledgeable about the technology. Of the 41% that said they are unfamiliar with retail analytics, almost half (49%) express that they would like to someday use the technology.
"This survey was eye-opening for us. Despite looming threats and stiff compliance penalties, more than a fifth of SME retailers are still not PCI compliant, while many are falling short of security best practices like password safety," said Patrick Bedwell, vice-president of product marketing for Fortinet. "The survey also confirmed that – as with larger retailers – SMEs have a strong interest in big-data analytics, as well as standalone products that incorporate both network and physical security capabilities within a single appliance. Our new connected UTM appliances with Power over Ethernet are certainly a step in that direction in that they allow a business to manage multiple POE devices through our FortiGate interface. These solutions can include, but are not limited to, POS devices, IP phones, IP cameras, wireless access points and digital signage."
Research for the SMB Retail and Security Survey was conducted by GMI, a division of Lightspeed Research, a leading provider of technology-enabled solutions and online responses for global market research. Each survey respondent claimed to have knowledge of their company's business network, payment systems, and information security policies. Additionally, respondents were limited to those who use credit or debit card transaction as their primary means of accepting payments.