Everyone’s under pressure during the holiday season. But for security pros, it’s pressure of a different kind: keeping systems safe as they’re increasingly targeted.
Retailers have always faced unique threats during the holiday season. For one thing, customers flock to their sites and services, which makes them a lucrative target for scammers and hackers, too.
And an influx of personnel to staff the companies also means potential insider threats – especially since so many of the employees know they’ll only be there seasonally.
How they deal with it
The 2016 Pre-Holiday Retail Cyber Risk Report, sponsored by Bay Dynamics, delves into the thinking among IT pros at retail organizations. It found that a significant percentage (44%) said the holidays bring more pressure on the IT and security teams in the retail industry.
One strategy many seem to be using: keeping access limited and supervision tighter on seasonal employees. According to the survey:
- 70% of companies put temporary employees through security awareness training
- only 36% of temporary employees are given their own log-in credentials for corporate systems, and
- 45% of IT pros said they know everything temporary employees do on their corporate systems (vs. only 34% for full-time employees).
Temporary employees were also given less access to customer databases that contain transaction info than full-time employees (24% vs. 84%), and less access to personally identifiable information (6% vs. 37%).
Every employee is a risk
There’s nothing wrong with being extra careful of the access you give to temporary employees and contractors, and in many ways it makes sense. But they are far from the only threats to your systems.
Most of those surveyed agreed that permanent employees present a higher risk to security. But whether that’s because of the restrictions placed on temporary employees wasn’t explored.
In general, though, limiting access to sensitive material is a good stance to take. Whether it’s through accidental disclosure or malicious insiders, the risk is much higher when access to sensitive information isn’t tightly controlled.