Retailers aren't doing enough to protect their data in the holiday season

Retailers believe they're doing a good job of protecting their sensitive data, but may in fact be ignoring major security holes.

This is among the findings of a retail risk report from threat protection company Bay Dynamics, based on a survey of IT decision makers in 125 large US retail organizations.

Problems include employees, particularly temporary seasonal staff, using shared accounts. While a majority of respondents say they know everything their permanent and temporary employees are doing on their corporate systems, 21 percent say their permanent retail floor workers and 61 percent say their temporary floor workers do not have unique login credentials for corporate systems. This means those workers are using shared accounts -- which include the same login credentials. As a result, IT and security teams don't know everything their employees are doing on their corporate systems.

More than a quarter of respondents said they don’t know if their temporary employees have ever accessed or sent data they shouldn't have. Also 37 percent of respondents say they can't identify which systems their temporary employees have accessed.

Almost half (47 percent) of respondents acknowledge that temporary workers are somewhat risky to their organization and more than a third view them as a high risk. 66 percent also view their permanent workers as somewhat risky.

In spite of these worries, the majority of retailers gave themselves a 6 or higher -- on a scale of 1 to 7, with 7 being the most proactive -- for identifying critical assets that must be protected, detecting theft or data leakage, and controlling employee access to critical assets.

The report concludes, "Decision makers may think they are securing the enterprise, but as our survey reflects that is not the case. In today's cybercrime era, where criminals are highly organized and will take extraordinary measure to commit crime -- whether that's landing a job as a temporary holiday worker simply to get access to a retailer's network or attacking the retailer through a third party vendor by posing as a legitimate vendor employee -- retailers need 100 percent visibility into what each employee and insider is doing when accessing key corporate systems and data assets".

The full report is available on the Bay Dynamics website.

Photo Credit: mtkang/Shutterstock