Online shopping is definitely growing, but new-found concerns about cyber security may be making consumers more cautious as they hunt for internet bargains this holiday season.

A recent survey by Deloitte Canada found that four out of five online shoppers were worried about the security of their personal data when shopping.

Almost half — 48.5 per cent — said they've become more cautious when they shop online, something that will be at the forefront today when consumers look for deals during the retail marketing blitz of Cyber Monday.

The survey findings, based on online interviews with 2,019 Canadians in late September, and included in Deloitte's 2014 holiday retail outlook, were unexpected.

The extent of the consumer wariness and how it could affect shopping habits this season "did come across as one of the highlights and perhaps as a surprise," says Ryan Brain, a partner and national consumer business leader at Deloitte Canada.

High profile data breaches at retailers such as Target and Home Depot — even though they may not have affected many Canadian shoppers directly — appear to have cast a shadow over online shopping.

"Shoppers are losing their patience … with some of these challenges that have emerged, so it's a more sensitive topic and one that retailers need to pay attention to," says Brain.

Deloitte's survey didn't touch on exactly how online consumers might exercise caution. But Brain thinks it could mean they will go to sites that are more trusted, and to larger companies, rather than unknown online retailers.

'Evolving threat'

Target Canada says its customers have "moved on" from the breach that saw credit card or personal information of more than 100 million customers compromised in U.S. stores a year ago.

Target shopping baskets

Target Canada says its customers have 'moved on' from the breach that saw credit card or personal information of millions of customers compromised in U.S. stores a year ago. (Charles Rex Arbogast/Associated Press)

No Canadian stores were affected, but Canadian customers who shopped in American stores between Nov. 27 and Dec. 15, 2013, may have been. The company offered them free credit monitoring.

"We all recognize that cybercrime is an evolving threat and is something we all need to work together on across the public and private sectors," says Target Canada spokeswoman Molly Snyder.

Nearly five months after the incident, Target announced "updates on security enhancements."

But the breach took its toll: the company reported costs associated with it of $148 million in the second quarter of 2014.

Chester Wisniewski, a senior security adviser at Sophos Canada, a computer security firm, wasn't surprised consumers are being influenced by the lax security at retail outlets and says they are "certainly justified in being concerned about how big business is treating our information."

And he doesn't mince words when he considers just how big business is getting along doing that. "It's been terrible."

The essence of the problem lies in "just not taking computer security seriously enough at most levels of their organizations," he says. "They lag behind in investing in security to protect consumer information."

Who is more secure?

Businesses would, however, argue they have taken action.

'It's about taking the appropriate actions and sometimes those things have an impact on convenience.' - Chester Wisniewski

"They would tell you about some budget they have and how much money they spent, and it's not about spending money," says Wisniewski. "It's about taking the appropriate actions and sometimes those things have an impact on convenience."

There's also a shortage of people in the computer security industry, he says, and a hangover from the 2008 economic downturn has meant companies haven't spent money replacing technology, such as cash registers, as was scheduled.

Even though Target and Home Depot have talked up security enhancements since their breaches, it's still hard for consumers to know how safe their data is with any retailer.

"As a consumer, if I want to shop at Target or Wal-Mart and I want to be more secure, which one is more secure?" says David Skillicorn, a professor in the school of computing at Queen's University in Kingston, Ont.

"I have no way of telling. That's absolutely no information that anyone could get."

Skillicorn says there's no "silver bullet" that will make cyber systems completely secure, but there are measures companies can take.

"First of all, they need to make sure that their IT people actually have the ear of senior management and that they don't shunt IT off into a little side thing."

Don't click on strange emails

Employees also need to be trained not to click on unfamiliar or suspicious emails that could inadvertently open the gate for a hacker. 

But he also says consumers have to take some personal responsibility themselves.

"Most consumers are quite happy to have a Gmail account and let Google know absolutely everything about every aspect of their lives," he says.

"It's hard for people to complain that their personal information got stolen when they're quite happy to give it up freely to just about anybody any time."

Skillicorn points to the Get Cyber Safe website set up by the federal government as one way for consumers to make sure they are as protected as possible.

Long passwords are another key, he suggests.

"The longer you make them the more resistant they are to attack. Adding the funny symbols and so on doesn't help much, but having a password that's 15 characters long will typically send most people elsewhere rather than trying to break it."

While consumers can take smaller actions to protect themselves, there's no sense that anyone could ever be 100 per cent protected.