Retailers are unaware of sensitive data leaks

A significant amount of retailers assign the same login credentials to employees and do not know if employees have leaked sensitive data – in spite of the majority claiming full confidence that their sensitive information is sufficiently protected.

“As our report shows, retailers have a false sense of confidence when it comes to securing their sensitive information. They think they are doing a great job when in reality, there are gaping holes,” said Ryan Stolte, CTO at Bay Dynamics. “For example, many retailers claim they know everything their employees are doing on their networks yet a significant amount assign shared accounts meaning they have zero visibility into what their individual employees are actually doing on the inside.”

The Bay Dynamics report is based on a survey conducted in November 2015 by Osterman Research, asking US-based IT decision makers working at 125 retail organizations with at least 2,000 employees about the cybersecurity risks employees, both temporary and permanent, pose to their organizations.

Highlights include:

Employees are using shared accounts: While a majority or half (62% and 50% respectively) of respondents said they know everything their permanent and temporary employees are doing on their corporate systems, 21% said permanent retail floor workers and 61% said temporary floor workers do not have unique login credentials for corporate systems.

Access unknown: 37% of respondents said they cannot identify which systems their temporary employees have accessed.

Do not know if sensitive data is being leaked: More than a quarter of respondents said they don’t know if their temporary employees have ever accessed and/or sent data they should not have accessed or sent.

Acknowledge all employees pose a security risk: Almost half (47%) of respondents said temporary workers are somewhat risky to their organization and more than a third view them as a high risk. The majority (66%) also view permanent workers as somewhat risky.

False sense of confidence: In spite of the data listed above, on a scale of 1 to 7, with 7 being the most proactive, the majority of retailers (80% or higher) gave themselves a 6 or higher when it comes to identifying critical assets that must be protected, detecting theft or data leakage, and controlling employee access to critical assets.

“Retail organizations, especially during the holiday season, continue to promote a culture that focuses on keeping the lights on,” said Michael Osterman, Principal Analyst at Osterman Research Inc. “Security is overlooked and that needs to change. Criminals will do whatever it takes to get inside whether that’s landing a job as a temporary employee during the holiday season or exploiting an employee from afar. To thwart their efforts, retailers need full visibility into what employees are doing on their network or otherwise risk getting breached.”