It’s the holiday season, and retailers are watching their online sales climb. Business may be booming for these companies, but shoppers beware: 100% of these retailers have issues with domain security, according to SecurityScorecard’s “2016 Biggest Holiday Retailers Cybersecurity Report.”
When it comes to cybersecurity, retailers have a lot to worry about, especially since these companies handle billions of transactions each year. All of that consumer data needs to be protected, and oftentimes, according to the report, it is the largest retailers that “succumb to data breaches.”
Examples include Home Depot and Target, both of which suffered losses in profits and compliance fines after their respective data breaches. In February of this year, Neiman Marcus also suffered its own data breach, when 5,200 customer accounts were accessed through automated attacks.
SecurityScorecard wanted to see if other retailers were at risk for data breaches and other security vulnerabilities, so between April 1 and Oct. 31 of this year, its security researchers looked at the 48 biggest retailers that collectively represent more than US$1 trillion in annual sales, according to the report. Some of these retailers included Amazon, Costco, Lowes, Macy’s, Sears, Staples, Target and Walmart.
According to Alex Heid, chief research officer at SecurityScorecard, the “correlation between disclosed breaches, leaking credentials, and hacker chatter” was one of the more interesting findings of the research.
“In the retail industry, it seems that the circulation of compromised credentials and shared fraud methodologies are more open and public as compared to the financial industry or insurance industry,” he said. “In financial and insurance, admissions of breaches are oftentimes attempted to be obfuscated or hidden in an effort to ensure longevity of the looted information.”
A big finding from SecurityScorecard’s report was that all of the 48 retailers analyzed were found to have multiple issues with domain security, which indicates that retailers’ domains aren’t configured properly to defend against hackers or impersonation attacks.
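The report does not spell out which domain settings it scored, so as an added example (not SecurityScorecard's tooling and not part of the original article) the script below shows the kind of check a defender would run to see whether a domain's published e-mail records are configured against impersonation: it parses SPF and DMARC TXT records and lists configurations that leave spoofed mail deliverable. The records are constructed strings passed in directly so the check runs offline; in practice they would come from DNS TXT lookups of the domain and of `_dmarc.<domain>`. Domain names used here are placeholders.

```python
"""Added example: evaluate SPF and DMARC records for impersonation resistance.

The records are supplied as strings (constructed samples, not live DNS data).
"""
import re

# Matches an SPF 'all' mechanism with its optional qualifier (+, -, ~ or ?).
_ALL_RE = re.compile(r"([+\-~?])?all", re.IGNORECASE)


def parse_spf(txt):
    """Return (mechanisms, all_qualifier) for an SPF record, or None if not SPF.

    all_qualifier is '+', '-', '~', '?' or None when no 'all' term is present.
    """
    if not txt.lower().startswith("v=spf1"):
        return None
    mechs, all_q = [], None
    for term in txt.split()[1:]:
        m = _ALL_RE.fullmatch(term)
        if m:
            all_q = m.group(1) or "+"   # bare 'all' defaults to '+' (pass)
        else:
            mechs.append(term)
    return mechs, all_q


def parse_dmarc(txt):
    """Return a dict of DMARC tags (e.g. {'v': 'DMARC1', 'p': 'reject'}), or None."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means no weakness was detected."""
    findings = []

    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    else:
        mechs, all_q = spf
        if all_q in (None, "+", "?"):
            findings.append(
                f"SPF does not fail unlisted senders (terminal 'all' qualifier: {all_q!r})")
        elif all_q == "~":
            findings.append("SPF ends in ~all (softfail): enforcement relies on DMARC")
        # Conservative under-count of RFC 7208's 10-DNS-lookup limit: only
        # include: terms are counted here (a, mx, ptr, exists, redirect also count).
        if sum(1 for m in mechs if m.lower().startswith("include:")) > 10:
            findings.append("SPF has more than 10 include: terms; evaluation yields permerror")

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy for spoofed mail")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of failing mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: aggregate reports on spoofing are discarded")
    return findings


# Constructed sample records for two hypothetical domains.
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"
WEAK_SPF = "v=spf1 +all"
WEAK_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    for name, spf, dmarc in (("strong.invalid", STRONG_SPF, STRONG_DMARC),
                             ("weak.invalid", WEAK_SPF, WEAK_DMARC)):
        print(name, assess_domain(spf, dmarc) or ["no findings"])
```

Run as a script it prints the findings for both constructed domains; to check real records, feed `assess_domain` the TXT strings returned by your resolver for the domain and for `_dmarc.<domain>`.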
Additionally, nearly 80% of retailers may not be using intrusion detection or prevention systems to monitor their traffic within the cardholder data environment. Heid said that many attacks hit retailers in the form of web application attacks, and that the use of web application firewall technologies aids in the detection and mitigation of common web application attacks.
SecurityScorecard also looked at the overall performance of companies over a seven-month period. According to the report, these retailers have been struggling to maintain a high grade in the problematic security categories, such as network security, where 69% of retailers had multiple entry points for hackers. Also, 73% of retailers had misconfigured website domains, which impact DNS health.
“With grades like these, if a hacker decides to take action while organizations scramble to keep up with an uptick in activity, they may find an easy way into the organization’s network, opening the floodgates to a potential data breach,” read the report.
Another analysis in the report examined the Payment Card Industry (PCI) Data Security Standard, which is a set of security standards for any retailer that processes, stores, or transmits credit card information. The fines for companies that do not comply with these standards could cost companies tens of thousands of dollars, said the report.
SecurityScorecard looked at how well the 48 retailers met the PCI compliance standards to get more insight on possible shortcomings, and the company found that 50% had issue types that “may be grounds for a company failing to meet the standard,” said the report.
Part of the reason these retailers are failing to meet security standards is their large size, according to SecurityScorecard’s report.
“Zero-day vulnerabilities that aren’t patched, low security awareness among employees, weak network security, and improper domain and e-mail configurations are all signs of slow-moving and inflexible companies that aren’t quick to react to potential new risks,” the report read. “Given the influx of new activity that these companies need to consider with the upcoming holiday season, extra resources and attention should be levied on their security department.”
Moving forward, SecurityScorecard recommends better security awareness training for employees of these large retail companies. With adequate training, employees may be able to “fend off” phishing and similar attacks. Companies also need to make sure they protect their internal and external customers, especially private and sensitive information like passwords and credit card information.
“Retailers should examine the use of next-generation firewalls, endpoint protection solutions, and web application firewall technologies in combination with a continuous information security monitoring solution that examines both the security posture of the enterprise, as well as that of their related partners and vendors,” said Heid. “Many breaches originate from insecure third parties that provide a pathway to exploitation.”