According to the latest cybersecurity report from Osterman Research, retail industry cybersecurity risk is being seriously underestimated. There is false confidence in cybersecurity protections, and the risk of consumer and business data being exposed is considerable.

Assessing retail industry cybersecurity risk

The retail industry cybersecurity risk assessment was conducted on 125 large retailers during the month of November. The report indicates that even though security vulnerabilities have been identified, the retail industry is not taking the necessary steps to deal with those risks.

Many security holes remain unplugged. In particular, risks associated with temporary workers are not being dealt with. Retailers bring in temporary workers at busy times such as in the run up to Christmas. However, they are introducing a considerable amount of risk when the do so because they are not monitoring the activity of those workers effectively. Many actually believe they are – which is even more worrying.

Temporary workers are often provided with login credentials which are shared instead of giving each temporary worker a separate login. This eases the administrative burden on the IT department. Why create hundreds of new logins that will only be required for a short period of time? Simply give those workers low level privileges and any risk that is introduced will be minimal. Unfortunately, that may not necessarily be the case.

The study showed that 61% of temporary retail floor workers were using shared logins. It is not known whether this is a short cut taken and the risk is known, or whether retailers are unaware of the dangers that the activity involves. Even temporary workers must be given access to some data assets, yet it is impossible for some retailers to identify assets that each of those workers are accessing.

Furthermore, it is not only temporary workers that are being allowed to share login credentials. 21% of permanent workers are also sharing their login credentials.

Retail industry cybersecurity risk is being seriously underestimated

The research indicates that 62% of retailers believe they know everything their permanent workers are doing, and 50% claimed to know what data their temporary workers are accessing. Worryingly, when asked if their IT departments can identify specific systems that individual permanent employees have accessed, 92% said they could. This is clearly not the case in reality.

The study indicated that 70% of retailers gave access to corporate systems to permanent members of retail floor staff. 7% said that permanent workers had accessed systems they were not supposed to and 3% said temporary workers had done the same.

Those figures may actually be much higher as 14% of respondents didn’t know if their permanent workers had inappropriately accessed data. 26% couldn’t tell if their temporary workers were accessing data they shouldn’t. Given the potential gains to be made from gaining access to retail networks, criminals may even be tempted to take a holiday job simply to access to retail systems.

Security awareness training is also not being provided frequently enough. 60% of respondents only conducted training once or twice a year. If workers are not being kept abreast of the retail industry cybersecurity risk, they will not be able to take action to reduce that risk.

Even with the major data breaches and cyberattacks that have recently been suffered by major U.S. retailers, security vulnerabilities persist. Unfortunately, it would appear that retail IT professionals actually appear to believe they are doing a good job. If the measure of how well retail industry cybersecurity risk is being managed is whether or not a retailer has suffered a major data breach, then the industry is in pretty good shape. Unfortunately for the retail industry, if risk is not effectively managed, data breaches are likely to be suffered sooner rather than later.