Deloitte Consumer Business Security Survey

January 31, 2008

Deloitte & Touche LLP, the business advisory firm, announced on 31 January details of a survey looking at security in the consumer business industry. Key findings from the survey reveal 80% of companies do not have an information security strategy formally defined and 86% have never performed an inventory to understand where their data is stored and how it is managed.

Andy Morris, consumer business partner at Deloitte & Touche, comments:
‘Retail companies are holding greater and greater amounts of customer data – from purchasing patterns recorded on customer loyalty cards, to financial information from credit cards. Whilst this helps sales and marketing and can deliver valuable market and customer intelligence, it may also increase vulnerability to data theft. This vulnerability is reflected in the top concern highlighted by the sector, with 73% of businesses listing unauthorised access to personal information as the top concern from a privacy and reputational perspective. Worryingly however, despite legislation and standards such as the Data Protection Act and the Payment Card Industry Data Security Standard (PCI DSS), only 13% of businesses had performed an inventory of personal and cardholder data – the first step in protecting data. Just 40% of respondents had written privacy, fair information practices or data collection policies in place and only 13% have a programme for managing privacy compliance. Consumer businesses must first make certain that these basic building blocks are in place in order to ensure the safety of customer data.’

Mike Maddison, UK Head of Security and Privacy at Deloitte, said: ‘Most companies surveyed have taken the basic steps by identifying a security manager and putting in place the basic security protective measures, but they have not reached the level of maturity we see in other industries. Only 20% of consumer business respondents have a formally defined information security strategy. This is well below the 54% reported in Deloitte’s 2007 Technology Media & Telecommunications Security Survey and 63% reported in Deloitte’s 2007 Global Financial Services Security Survey. Media coverage of lost or stolen customer data and other security breaches has raised consumer awareness of these issues to an all-time high. Reassuringly, this report shows that consumer businesses are beginning to make security a priority, with 93% of security managers now reporting to the executive. This is important: in order to safeguard their reputations companies need to be confident that they are doing everything they can to protect their customers’ data, implementing a security programme that reduces the risk of systems being compromised.’

Morris added: ‘The shift in motive for computer crimes – from demonstrating skills to profit – has increased both the sophistication of and the damage done by attacks. The consumer business industry must recognise the fact that it is vital to have a solid security programme in place in order to combat the increasing risks associated with breaches, be they from internal or external sources. Managing such risks requires flexibility and is as much about people and culture as process and technology.’

You can read the full report via this link.