SMB Retailers with Security Problems and Big Data Interest, Fortinet Survey Finds


It is almost impossible not to be painfully aware of the security challenges facing major retailers. In just the past few days the Target data breach grew in scope and level of malevolence, and upscale retailer Neiman Marcus revealed it also has been under attack. There is also the rampant speculation in the security industry that these revelations are actually just the tip of the iceberg, and more large retailers are in the bad guy cross-hairs. 

With the problems of the large retailers hogging the headlines, it is worth remembering that no retail enterprise of any size is immune from having proprietary customer and transactional data compromised. In fact, as the headline of this article indicates, a new survey from Sunnyvale, CA-based security solutions provider Fortinet finds that one in five U.S. small and medium businesses (SMBs) in the retailing sector are not even PCI compliant and lack security fundamentals.

If ever there was a wake-up call for retailing SMBs to take a serious look at becoming more educated and enhancing security, this is it. The survey also pointed to growing interest in onboarding retail analytics to better understand and assess customer data and buying decisions.

Time for SMBs to decrease vulnerabilities

The Fortinet survey—based on interviews with 100 U.S.-based SMB retail organizations with fewer than 1,000 employees—highlights where SMBs stand with regard to compliance regulations, security policies and new technologies that help manage big data and security infrastructure. Along with the sobering news, there are also some encouraging findings.

Highlights from the survey include some not so great news:

  • While a majority of retailers are aware of an increasingly complex threat and regulatory environment and are applying best security practices and compliance policies, 22 percent of respondents are not PCI DSS compliant, and an additional 14 percent don’t know if they are PCI compliant or not.
  • 55 percent are unaware of their state’s security breach requirements, and 40 percent lack any established policy adhering to those requirements. This creates the potential for regulatory compliance violations.
  • The survey also found that many SMBs fail to employ strong security practices, such as policies to enforce password security. Fortinet says this puts them at risk for brute-force attacks, data breaches and regulatory violations.

It almost goes without saying that if bad actors were to exploit the vulnerabilities of those without strong, never mind basic, security solutions and policies, the damage could be catastrophic. SMBs are hardly in a position to withstand the resulting regulatory fines, litigation and the damage to their reputation. In fact, on the last point, the prospect of bad reviews going viral should be reason enough to appreciate the old adage that “an ounce of prevention is worth a pound of cure.”

On the encouraging side of things, the survey did register inquisitiveness about new technologies that provide better customer insights. It found that more than half of SMB retailers are looking to onboard retail analytics to help them understand purchasing trends and customer behavior in the store. Based on its solutions portfolio, Fortinet also asked about customer interest in next-generation security solutions that combine physical and network capabilities in a single appliance, which could increase visibility, ease management problems, help retailers be proactive as well as reactive in mitigating risks, and reduce IT costs.

On this front, they found a receptive audience with almost half of respondents saying they were familiar with the technology and either currently use it or plan to do so.

A little more granularity on security—improving, but a ways to go

Fortinet delved a little deeper into SMB security issues regarding the increasingly valuable/invaluable area of Wi-Fi. Again, there is good news along with indications of a need to improve practices. Findings included:

  • 15 percent of retailers offering free guest Wi-Fi fail to enforce any kind of security policy thereby exposing customers to potential malware, while increasing the risk of infection for a retail network that is not properly segmented.  
  • Encouragingly, 60 percent of SMB retailers have password protections and enforce them regularly. 
  • Discouragingly, 40 percent don’t require their employees to change their password at least once a year.
  • Also not up to best-practice snuff: SMB retailers are lax when it comes to disposing of sensitive data – leaving bad actors a way to get at customer proprietary data. 59 percent of those surveyed said they have a data disposal policy in place, 29 percent lack any established data disposal plan, while 12 percent are completely unaware of their organization’s data disposal policy.

A look ahead, what SMB retailers are looking for

There are a few other insights of note from the survey.

  • 80 percent of respondents want to see physical security infrastructure, such as video cameras, DVRs, and alarm systems, housed in a single device that also manages network security mechanisms such as firewall, VPN, anti-virus and Web application firewall.  
  • 53 percent said they are managing and maintaining their own security infrastructure on-site.
  • 18 percent now also rely on a managed security services provider (MSSP) to augment their security defenses.
  • 29 percent want to move more security functions to a third party managed service provider.

There was also significant interest (59 percent) in retail analytics that can utilize Wi-Fi enabled smartphones to capture shoppers’ data. Of that 59 percent, 75 percent are either actively utilizing these analytics or have a strong interest in them. Interestingly, only 25 percent say they would not use such capabilities because they believe it is an intrusion on their customers’ privacy.

 “This survey was eye-opening for us. Despite looming threats and stiff compliance penalties, more than a fifth of SMB retailers are still not PCI compliant, while many are falling short of security best practices like password safety,” said Patrick Bedwell, vice president of product marketing for Fortinet. “The survey also confirmed that – as with larger retailers – SMBs have a strong interest in big-data analytics, as well as standalone products that incorporate both network and physical security capabilities within a single appliance. Our new connected UTM appliances with Power over Ethernet are certainly a step in that direction in that they allow a business to manage multiple PoE devices through our FortiGate interface. These solutions can include, but are not limited to, PoS devices, IP phones, IP cameras, wireless access points and digital signage.” 

While admittedly anecdotal to some degree because of the sample size used in the survey, this is not to minimize the messages it highlights for SMB retailers and vendors in the space. The first is that when it comes to security, size does not matter. The protection of customer and company data is just as important, if not more so, for SMB retailers as it is for large enterprises. Second, the SMB retailer is an under-served market in terms of providing retailers more actionable insights about their in-store customers. Capturing more and more information is an activity that needs to proceed with caution. However, as part of efforts by SMB retailers to improve their customer experiences and use that as differentiated value in their competition with bigger entities, this is an area of interest for SMBs and an opportunity for vendors.

Edited by Cassandra Tucker