A new survey found that employees at online retailers were being watched more closely.
A new survey found that employees at online retailers were being watched more closely.

Just in time for the biggest online shopping day of the year, Cyber Monday, a new study was released that examines cyber risks online retailers face from their employees, whether permanent or contracted.

The "2016 Pre-Holiday Retail Cyber Risk Report," the second annual retail risk report from Bay Dynamics, a New York-based specialist in cyber risk predictive analytics, found that cybersecurity is no longer viewed as a "seasonal" priority. More than half (56 percent) of those queried for the study said they do not feel more pressure during this hectic time to secure their organizations. The implication is that the pressure is year-round, the study found.

For the study, conducted in October 2016 by Osterman Research, nearly 150 IT and security professionals managing the cyber risk and security programs at retail organizations were asked what information their permanent, temporary and contract employees have access to and how these workers handle the information. Participants were also asked about their capabilities of observing employee behaviors and how quickly they patch vulnerabilities.

Employees are being watched more closely, the study found, particularly when compared to last year's survey results. There was a four-fold jump (from seven percent to 30 percent) over last year's findings in the number of IT and security pros who responded that their permanent employees accessed and/or sent sensitive data they should not have accessed and/or sent. At the same time, the study determined that there was a significant decrease (from 14 percent to five percent) in the number of IT and security professionals who said they were not sure if their permanent employees accessed and/or sent sensitive data they should not have accessed and/or sent.

There were positive findings regarding temporary workers. Nearly two-thirds of respondents (64 percent) said temporary workers at their companies are not given accounts, indicating they also don't have access to sensitive information. Of the 36 percent of IT pros who do provide accounts for their temp workers, the study found they are doing a better job at monitoring those workers, with only 12 percent of respondents saying they have little to no visibility into what their temp employees are accessing on the enterprise network.

Another positive result from the study was that access to sensitive personal information is limited. A mere six percent of survey respondents said their temp workers have visibility into personally identifiable information (PII), while 13 percent said their contractors can access PII. The implication, the study reported, was that retailers are limiting access to their most sensitive information.

When comparing last year's retail cyber risk report to the study released on Monday, Ryan Stolte, co-founder and CTO at Bay Dynamics, said the data shows a significant improvement in how retail organizations are prioritizing cyber risk and security. The IT security pros responding to the survey, he said, view cybersecurity as a year-round commitment and therefore are limiting access to sensitive information for those workers who do not have their own accounts. 

"This report shows that retailers are significantly getting better at securing their organizations," Stolte told SC Media on Monday. "They are treating cybersecurity as a year-round priority versus solely a seasonal commitment. They have more visibility into what their employees are doing on their networks, especially those who have access to sensitive information." 

Employees who use shared accounts have limited access to sensitive information which is a positive step since shared accounts are more easily exploitable, he added, pointing out that when the results are compared against last year's study, there's been "a vast improvement in how retailers are treating cybersecurity."

It seems that IT and security professionals are more aware of what they need to do to protect their customers' information, Stolte told SC. However, he added, there's still room for improvement. 

"All IT and security professionals should be committed to securing their organizations year-round," he said. "They all should limit employees' access to sensitive information to only those who need access to do their jobs. And, all of those employees should be monitored around the clock."

Additionally, he said, all employees who access sensitive information should be given unique login credentials. "Security awareness training should not be a once a year, multi-hour, across the board event. It should be targeted to employees who violate security policies and focused on the policies violated. While the statistics in our report show a major improvement, the overall percentages of those who are doing the right things are still low."

The overall takeaway from the report, he said, is one of hope. "It seems that retailers are stepping up to the cybersecurity plate and are not only concerned about selling their products. They seem to understand that it's more important to do the right thing, and protect their customers' valuable information, versus operating insecurely to make a profit."