Nearly three-quarters of retail businesses lack a fully tested breach response plan

Published: Thursday, 07 December 2017 10:00

Dimensional Research recently surveyed IT security professionals working in retail organizations about their experiences and attitudes towards factors affecting IT security. The results found that a large majority are not fully prepared for data breaches.

Of the respondents, only 28 percent of respondents said they have a fully tested plan in place in the event of a security breach. 21 percent said their organization doesn't have a plan at all, and the same proportion of respondents said they didn't have the means to notify customers of a data breach within 72 hours, a requirement specified by the General Data Protection Regulation (GDPR).

“Considering the amount of high-profile data breaches that have occurred recently, plus the continued discussion around GDPR, it is surprising and concerning that many retailers do not have a tested plan in the event of a security breach,” said Tim Erlin, vice president of product management and strategy at Tripwire, the company that commissioned the survey. “It’s encouraging that most respondents think they can meet the 72-hour notification window as set out in the upcoming GDPR, but if they haven’t tested their plans, I don’t know how confident they should be in that assumption.”

Not all the survey's findings were discouraging, however. The results did provide some hope that the industry is moving in the right direction. More than half of respondents (57 percent) said that their organization’s ability to detect and respond to a security breach has improved in the past year and a half.

A total of 103 qualified participants from the retail industry completed the survey. All participants had responsibility for IT security as a significant part of their job and worked at companies with more than 100 employees.

www.tripwire.com