
Coronavirus 2019 (COVID-19) stopped many things in 2020. While in-store holiday shopping may be greatly reduced for some, there’s still a lot of shopping happening online. Near the end of November 2020, Statista revealed that holiday retail sales were expected to grow approximately 3.6% over the previous year. And Adobe Analytics reported that online sales would likely rise 33% to a record $189 billion. CNBC clarified that this number condenses two years’ worth of economic growth into one holiday season.

These projections raise an important question: are retail organizations prepared to meet the security challenges that could accompany the growth and the changes 2020 has imposed on shopping behavior?

To explore this, Tripwire commissioned Dimensional Research to survey 203 security professionals working in the retail industry. The study specifically asked respondents about the state of their employers’ digital security programs and how they have adapted to this year’s particular challenges.

Their answers help to illuminate how COVID-19 has shaped the retail industry’s IT security precautions for the holidays.

COVID-19 Spurs Greater Security Investments

A majority (78%) of security professionals working in the retail industry told Tripwire that their organization’s IT security team had taken additional precautions for the 2020 holiday season. This rate was evenly split at 39% between those who had implemented slightly more controls and those who had enacted significantly more measures ahead of the holidays.

Most of these additional security precautions traced back to the pandemic, Tripwire found. More than a third (35%) of survey participants indicated that COVID-19 was entirely responsible for their retailer’s additional security investments leading up to the 2020 holiday season. Just 13% said that the pandemic had not affected investments.

“It’s clear that COVID is driving changes in how retail organizations think about the holiday season. They’re starting earlier and expecting increased volume, along with increased risk. With fewer people in the stores, there will be more online shopping. More online shopping means more of the risks that go along with it, including attacks on both consumers and retailers themselves.”

Tim Erlin, VP of product management & strategy at Tripwire.

These additional security investments took on various forms. Three quarters of respondents said that their employers had invested in additional tools or technology. Slightly fewer than that (69%) revealed that their employers had updated processes, followed by the implementation of additional training at 65% of surveyed organizations.

About half (51%) of respondents said that their retailer organizations had increased their use of managed services, while 39% noted that their employers had hired additional employees or contractors.

This last security precaution is especially significant in light of the ongoing digital security skills gap. Back in February 2020, Tripwire announced the findings of another survey it conducted with Dimensional Research. That study illuminated the fact that 83% of security experts felt more overworked going into 2020 than they did the previous year.

Approximately the same percentages of respondents went on to note that their organizations’ security teams were understaffed (82%) and that it had become more difficult over the past few years to hire skilled infosec talent (85%).

Heightened Security Challenges Meet with Fatter Security Budgets

The changes described above highlight the extent to which IT security became more difficult in 2020. Over half (56%) of respondents told Dimensional Research that they faced extra obstacles in fulfilling their organizations’ security efforts as a result of COVID-19. About the same percentage (57%) said the same thing about growth in online shopping.

Fortunately, the majority of organizations recognized these challenges and gave their security teams the budget they needed to address them. In fact, 82% of respondents said that their employers’ overall security budget increased at least slightly over the course of 2020. These investments enabled organizations to cultivate best practices and security controls mandated by industry frameworks and regulations:

  • More than three-fifths (61%) of respondents reported that their ability to detect and respond to a security breach had improved since the previous year.
  • About a third (32%) of survey participants characterized their company’s data protection capabilities as “excellent.” That’s a 19% increase over 2017. Even more than that (38%) said their employers’ competencies were “good.”
  • Compared to 2017, the percentage of organizations discovering IT assets automatically increased from 85% to 97% in 2020.
  • The percentage of organizations detecting configuration changes within minutes or hours similarly increased from 55% in 2017 to 64% three years later.
  • Lastly, Dimensional Research found that four out of five organizations had strengthened their vulnerability management capabilities to address their security weaknesses within the span of at most a month.

The heavier security budgets enabled organizations to make some other changes, as well. Indeed, 63% of survey respondents told Dimensional Research that their organization’s IT security team had begun preparing for the holiday shopping season earlier in 2020 than in years past. Those efforts included compliance commitments around PCI, GDPR and others, with about half (51%) of survey participants admitting that their organizations routinely increase their compliance work leading up to the holidays.

Looking Ahead to the Future

As the threat landscape continues to evolve, retail organizations need to make sure that they have the ability to protect payment and customer information as well as secure their Point-Of-Sale (POS) environments. They also need to make sure they’re maintaining their compliance with the PCI Data Security Standard along the way. Learn how Tripwire can help with all of these efforts and more.

Download the full survey report to learn what cybersecurity professionals in the retail space are doing in terms of:

  • Process updates
  • Tools and technology
  • Configuration management
  • Vulnerability management
  • Additional training
  • Managed services
