Large chunks of the retail sector, which is holding increasingly large databases of consumer details, do not have formal IT security systems in place, a study by Deloitte has found.
The research found that 80% of companies do not have an information security strategy formally defined and 86% have never performed an inventory to understand where their data is stored and how it is managed.
Following the HM Revenue & Customs crisis over lost child benefit discs and the IT security issues at SocGen, the lack of controls at consumer businesses will come as a shock to consumers.
'Retail companies are holding greater and greater amounts of customer data – from purchasing patterns recorded on customer loyalty cards, to financial information from credit cards. Whilst this helps sales and marketing and can deliver valuable market and customer intelligence, it may also increase vulnerability to data theft,' Andy Morris, consumer business partner at Deloitte, said.
Morris added: 'Worryingly, despite legislation and standards such as the Data Protection Act and the Payment Card Industry Data Security Standard (PCI DSS), only 13% of businesses had performed an inventory of personal and cardholder data - the first step in protecting data.'
Another striking finding in the report was that only 20% of consumer business respondents had a formally defined information security strategy.
This was well below the 54% reported in Deloitte's 2007 IT survey of the telecoms and media industry and the 63% reported in the firm's poll of the financial services sector.