PCI compliance has been an increased focus for retailers in recent years, in an era where cyberattacks are at an all-time high. But a new report from Bothell, Wash.-based security awareness trainer MediaPro has found that despite this, retail remains the most-attacked industry sector, with companies in this arena suffering 43 percent of all phishing attacks during the last six months of 2016.
Just under one-third (29 percent) of retail employees actually are well prepared to deal with cyber threats, while the rest exhibit behaviors that put their organizations at risk of a privacy or security incident, according to “Beyond PCI Compliance: 2017 Privacy and Security Awareness in Retail.” This should be cause for concern for grocers, as 84 percent of shoppers would change their shopping habits if their favorite store were hit by a data breach, and nearly half (49 percent) said they would be unlikely to continue doing business with a retailer if a breach compromised their personal information.
Neglect of cybersecurity is displayed in numerous areas: 17 percent of retail employees took risks when it came to storing sensitive company information, such as inappropriately sending company data using their personal e-mail or saving it to personal cloud-based storage. Further, 34 percent exhibited risky behavior when asked about best practices for remote and mobile computing.
Malware also is a concern, as one-quarter (25 percent) of employees failed to report a sluggish computer as a potential clue that their system might be infected. Meanwhile, 12 percent couldn’t identify the warning signs that malware had infected their computer.
But even outside the cyber realm, a surprising number of employees proved that they can't recognize a threat. For instance, 14 percent of employees failed to report an unsecured file cabinet containing sensitive personnel files. And almost half (47 percent) said they would hold the door open for someone who appeared to work for their company, even if that person lacked identification.
More key findings included:
- 60 percent of employees chose to discard a potential password hint in an insecure manner.
- 26 percent of employees thought it is acceptable to use a personal USB drive to transfer work documents when working remotely.
- 16 percent of employees said they’d take potentially risky actions related to their company on social media, such as posting about a yet-to-be-released new offering.
- 8 percent of employees – low, but still alarming – proved to be a risk when it came to correctly identifying phishing e-mail attempts.
“The results of this survey strongly suggest retailers need to rethink cybersecurity and data privacy as matters of overall risk management, not just check-the-box compliance based on PCI standards alone,” the report explained. “Retailers limit their employee education to PCI training at their own risk, as threats to an organization’s financial and reputational wellbeing exist beyond the typical coverage of this training. This means a well-thought-out and expertly sourced approach to comprehensive employee education is critical to success.”