The firms assessed the security of about 400 organizations, including 35 midsize to large retail enterprises. Using a rating system that measured the organizations' security against various industry standards, the survey found that the retail firms scored about 20 percent lower on average than other industries.
The categories of security where retail scored well below other industries were policy, planning, and monitoring, Hugh Voigt, president and CEO of Espiria, said in an interview. In planning, retail scored about 33 percent lower.
Executive management at retail have lower security goals than other industries tracked in the study, he said.
There are several reasons why retail lags when it comes to IT security, said Chris Noell, vice president of business development at Solutionary.
Unlike financial services, it has not been regulated. Also, retail companies tend to be distributed across many locations and have a lot of turnover in labor, making it difficult to implement and enforce security policies, he said.
"Retail hasn't seen itself as a target [for attackers]," Noell added. "That was probably valid five to ten years ago. Now they are very much in the bullseye. They have this credit card data and a lot of it, making them a big target."
Noell credits a joint effort by Visa and MasterCard - the Payment Card Industry (PCI) Data Security Standard - for helping raise awareness about security in the retail industry. PCI outlines requirements for protecting cardholder data.
Voigt recommended that retail firms ensure that they develop programs that improve their IT security for the long haul - not just work through a check-off list.