A new report suggests retailers and other businesses need better controls to guard against intrusions.

Nine out of 10 data breaches that occurred in the first half of last year could have been avoided, according to a new report by the nonprofit Online Trust Alliance.

The report, which analyzed more than 1,000 breaches that involved personally identifiable information, found:

  • 40% of breaches stemmed from external intrusions;
  • 29% were caused by employees—either accidentally (such as an employee falling prey to a phishing attack) or maliciously—due to a lack of internal controls;
  • 18% stemmed from lost or stolen devices or documents;
  • 11% were the result of social engineering. (The percentages don’t add up to 100% due to rounding.)

“Businesses are overwhelmed with the increasing risks and threats, yet they all too often fail to adopt security basics,” says Craig Spiezle, the OTA’s executive director and president. Had retailers and other businesses taken simple steps, most could have thwarted criminals’ attacks.

Here are some steps retailers and other businesses should take:

  • Maintain strict password policies for employees, such as requiring them to have unique passwords for external vendor systems and internal systems, as well as requiring users to enter one-time PINs to access sensitive accounts.
  • Put up a strong defense by using firewalls and keeping antivirus software up to date.
  • Test the system to find potential vulnerabilities that criminals might be able to exploit.
  • Continuously monitor the organization’s infrastructure and track who is accessing sensitive systems.
  • Put a data breach response plan in place so that everyone knows what to do if the system is breached.

Data breaches can do significant damage to retailers’ bottom lines. For instance, Target Corp. spent $236 million in breach-related expenses in the first half of last year after hackers penetrated its computer networks, an attack the retailer disclosed in the fourth quarter of 2013.


Breaches can also sully a brand’s reputation. 86.6% of respondents in a recent poll by contact center software provider Semafone say they are not likely to do business with a company that has experienced a data breach that resulted in the loss of payment card data.

To read more about the online security threats retailers face, and how merchants like BrickHouse Security and Micro Center are fighting back, check out the cover story “The war with no end” in the September 2014 issue of Internet Retailer magazine.