Nearly a fifth of shoppers would avoid shopping at a retailer that has been a victim of a cybersecurity hack, according to a survey.
The 2016 KPMG Consumer Loss Barometer report surveyed 448 consumers in the U.S. and found that 19% would abandon a retailer entirely over a hack. Another 33% said that fears their personal information would be exposed would keep them from shopping at the breached retailer for more than three months.
The study also looked at 100 cybersecurity executives and found that 55% said they haven't spent money on cybersecurity in the past year and 42% said their company didn't have a leader in charge of information security.
Those responses confirmed worries that retailers are falling behind other industries like financial services and technology on cybersecurity issues.
"There is a lot at stake here for retailers," Mark Larson, KPMG business leader for consumer markets, said in a statement. "Retailers that don't make cybersecurity a strategic imperative are taking a big gamble."
Tony Buffomante, cybersecurity leader for KPMG, said many retailers are not doing enough to protect their businesses from cyberattacks or react to them when they do occur. Paying more attention to cybersecurity could help their businesses, he added.
The survey results, posted Tuesday online, found that retail and automotive industries were laggards in appointing leaders to assess cyberthreats and opportunities. The financial services and tech industries were leaders.
The survey also called cyberattacks "rampant," with retail executives reporting the most malware, internal and botnet attacks of the four industries (financial services, tech, retail and automotive).
KPMG advised companies to think about cybersecurity less as an IT-managed risk and more as a strategy issue. "Branding, loyalty, sales, overall customer relationships and business agility all hang in the balance," KPMG said.
The survey findings and KPMG's conclusions echo other surveys and comments by analysts who have called on businesses generally to focus more squarely on cybersecurity protections.