Taking Stock: Consumer Business Security Survey
Deloitte report shows 80% of consumer businesses do not have a defined information security strategy
Deloitte, the business advisory firm, has today announced details of a survey looking at security in the consumer business industry. Key findings from the survey reveal 80% of companies do not have an information security strategy formally defined and 86% have never performed an inventory to understand where their data is stored and how it is transmitted.
Andy Morris, consumer business partner, comments:
“Retail companies are holding greater and greater amounts of customer data – from purchasing patterns recorded on customer loyalty cards, to financial information from credit cards. Whilst this helps sales and marketing and can deliver valuable market and customer intelligence, it may also increase vulnerability to data theft. This vulnerability is reflected in the top concern highlighted by the sector, with 73% of businesses listing unauthorised access to personal information as the top concern from a privacy and reputational perspective.
“Worryingly, however, despite legislation and standards such as the Data Protection Act and the Payment Card Industry Data Security Standard (PCI DSS), only 13% of businesses had performed an inventory of personal and cardholder data - the first step in protecting data. Just 40% of respondents had written privacy, fair information practices or data collection policies in place and only 13% have a programme for managing privacy compliance. Consumer businesses must first make certain that these basic building blocks are in place in order to ensure the safety of customer data.”
Mike Maddison, UK Head of Security and Privacy at Deloitte, said: “Most companies surveyed have taken the basic steps by identifying a security manager and putting in place the basic security protective measures, but they have not reached the level of maturity we see in other industries. Only 20% of consumer business respondents have a formally defined information security strategy. This is well below the 54% reported in Deloitte's 2007 Technology Media & Telecommunications Security Survey and 63% reported in Deloitte's 2007 Global Financial Services Security Survey.
“Media coverage of lost or stolen customer data and other security breaches has raised consumer awareness of these issues to an all-time high. Reassuringly, this report shows that consumer businesses are beginning to make security a priority, with 93% of security managers now reporting to the executive. This is important: in order to safeguard their reputations companies need to be confident that they are doing everything they can to protect their customers' data, implementing a security programme that reduces the risk of systems being compromised.”
Morris added: “The shift in motive for computer crimes - from demonstrating skills to profit - has increased both the sophistication of and the damage done by attacks. The consumer business industry must recognise the fact that it is vital to have a solid security programme in place in order to combat the increasing risks associated with breaches, be they from internal or external sources. Managing such risks requires flexibility and is as much about people and culture as process and technology.”
Notes for editors
For more information, read our executive summary and download our 2007 Consumer Business Security Survey.
In this press release references to Deloitte are references to Deloitte & Touche LLP which is among the country’s leading professional services firms, providing audit, tax, consulting and corporate finance services. Deloitte & Touche LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu (‘DTT’), a Swiss Verein whose member firms are separate and independent legal entities. Neither DTT nor any of its member firms has any liability for each other’s omissions. Services are provided by member firms or their subsidiaries and not by DTT. Deloitte & Touche LLP is authorised and regulated by the Financial Services Authority. The information contained in this press release is correct at the time of going to press.