PCI Compliance Lags in Retail Sector

A study has revealed that many in the retail industry have not yet implemented basic security requirements of the Payment Card Industry Data Security Standard

The survey, conducted by the Ponemon Institute and sponsored by Tripwire, notes that the most recent version of the PCI DSS, 3.0, will soon require businesses to implement and perform penetration testing. PCI DSS 3.0 will also clarify different methods of secure authentication and session management so that businesses can better protect themselves against man-in-the-middle, man-in-the-browser and similar attack methods.

However, companies in the retail sector have a long way to go to achieve compliance. Only 41% of retailers surveyed use penetration testing to identify security risks, and just 34% of those companies measure the reduction in access and authentication violations to assess their risk management efforts. In addition, only 44% of the retail sector has fully or partially deployed file integrity monitoring.

The results come against a sobering backdrop: the retail industry is now the top target for cybercriminals, accounting for 45% of security firm Trustwave’s data breach investigations last year (a 15% increase from 2011). 

There is hope, however, given a rising level of commitment to turn these numbers around. “Although these survey results don’t reflect it, the retail industry is very focused on PCI 3.0 compliance,” said Michael Thelander, director of product management for Tripwire. That’s because the majority of respondents in the broader survey of all enterprises – a whopping 81% in the US and 77% in the UK – stated that their organization has a significant or very significant commitment to risk-based security management.

In comparison, last year only 73% of respondents in the US and 67% in the UK had the same level of commitment. “We view this increase as a positive sign of broader acceptance of the benefits of risk-based security management”, the survey reads.

The biggest business drivers for risk-based security management programs across all enterprises in the US are the protection of intellectual property (88%) and the minimization of non-compliance (78%). Decreasing costs and operational efficiencies (77%) and maximizing employee productivity (71%) are also important program objectives.

In the UK, minimizing non-compliance (86%) is the top driver – perhaps due to the highly regulated environment in the country – but the protection of intellectual property is nearly as important (85%). Decreasing costs and operational efficiencies (69%) and maximizing employee productivity (63%) are also strong drivers for UK risk-based security management programs.

Deployment of these programs is, however, “snail-paced,” Ponemon noted, as improvements in commitment to risk-based security management have not translated into wider acceptance of a strategic approach to risk management among organizations.

About half of the respondents (47% in the US and 51% in the UK) have no risk-based security management program, or if they have a program, have not deployed most of the program’s activities.

Nearly half of the respondents describe their risk-based security management approach or strategy as ‘non-existent’ or ‘ad hoc’ (46% US and 48% UK). In contrast, only 29% (US) and 27% (UK) have a risk-based security management strategy applied consistently across the enterprise.

In the retail sector in particular, the issue is tied to management oversight and awareness. A majority (62%) of IT professionals in the retail sector say that negative facts about security risks are filtered before being communicated to senior executives.

Given all of this, the good news is that risk management deployment should begin to grow in the next year or two.

“On the whole, organizations are making slow progress with deployment of risk-based security management strategies and programs,” the report concluded. “Given the increase in organizational commitment and the understanding that risk-based security management can align security with key business, organizations appear poised to make more significant strides over the next 12 to 18 months.”
