News Releases3 min read

2015 Point-of-Sale Security Assessment Finds Awareness and Budgets Rising but Reliance on Antivirus Putting Data at Risk

Businesses are beginning to acknowledge increased risk of breach, but are they investing wisely?

LONG BEACH, Calif.—June 23, 2015—Bit9® + Carbon Black®, the leader in endpoint threat prevention, detection and response, today announced the results of its 2015 Mid-year Point-of-Sale (POS) Security Health Assessment from the National Retail Federation’s 2015 PROTECT Conference & Expo in Long Beach, Calif. The assessment found that the majority of organizations have increased their POS security budgets during the last two years, but many of them are still using and investing in outdated technologies, such as antivirus.

The health assessment, which polled 150 U.S. organizations with revenues of at least $250 million in various verticals (with a focus on retail) found:

  • 63 percent of organizations have increased their security budgets over the last two years, many of them as a direct result of publicized breaches.
  • 94 percent of organizations are running antivirus on all of their POS devices but one in four of those companies (26 percent) feels that antivirus does not adequately protect their POS systems.
  • One in four organizations (25 percent) that reported an increase in their security budget continued to invest in antivirus technology.
  • Only 38 percent of businesses have detected malware on their POS systems during the last two years.
  • Only 39 percent of businesses are using breach detection software.
  • More than half (52 percent) of organizations are still running the unsupported Windows XP on their POS devices.

POS systems include a range of hardware devices, such as card readers, scales, scanners, and registers, as well as the software needed to operate them. Increasingly, sophisticated POS systems are linked to inventory management, ordering, and customer relationship management applications. POS systems make it possible for retailers to conduct transactions—most often with credit cards—quickly and easily, providing a smooth and enjoyable customer experience.

The real value in POS systems to hackers is in their financial transactions—specifically the credit card numbers and other personally identifiable information (PII) they process and store. When POS systems are attacked, the price tag for affected businesses can be enormous.

“It’s shocking that even when they have more budget to spend in the fight against malware so many organizations continue to spend it on antivirus, which cannot see or stop today’s advanced threats and targeted attacks,” said Chris Strand PCIP, senior director of compliance and governance for Bit9 + Carbon Black. “It’s no secret that we’re seeing an increase in the number and type of attacks against organizations that use point-of-sale devices. The good news is that more organizations are aware of this and are increasing their budgets. But the fact that only 38 percent of organizations have detected malware on their POS systems during the past two years is a major red flag and points to the ineffectiveness of AV.”

When Target was attacked, numerous media reports noted that none of the market’s antivirus solutions could (or did) detect the type of POS malware used in the attack. In fact, even a few weeks after the initial disclosure it was noted that signature-based AV was unable to detect the POS Trojan.

“The surge in POS malware and an increase in POS security budgets would suggest that organizations should be able to detect more malware in their environments,” Strand said. “More detection is a good thing. The ability to see what is potentially attacking an organization is a critical first step in an effective security posture. Many organizations, according to the results of our health assessment, do not have that visibility.”

Free Webinar on POS Security
On Friday, June 26 at 1:00 p.m. EDT, join Chris Strand for a free webinar discussing the results of the 2015 Mid-year Point-of-Sale (POS) Security Health Assessment. Click here to register.

About Bit9 + Carbon Black
Bit9 + Carbon Black provides the most complete solution against advanced threats that target organizations’ endpoints and servers, making it easier to see—and immediately stop—those threats. The company enables organizations to arm their endpoints by combining continuous, real-time visibility into what’s happening on every computer; real-time signature-less threat detection; incident response that combines a recorded history with live remediation; and prevention that is proactive and customizable. More than 1,000 organizations worldwide—from Fortune 100 companies to small enterprises—use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services.

Bit9 and Carbon Black are registered trademarks of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.