One third of retail security breaches come from third-party vulnerabilities
The past year has seen a number of high-profile security breaches involving retail businesses, and there's no sign of the trend slowing down.
Security ratings company BitSight Technologies has released new research on the security performance of 300 major US retailers over the past 12 months. It shows that 75 percent of the retailers that suffered a data breach have since improved their security effectiveness.
"While it's encouraging that a majority of the breached retailers have improved their security effectiveness, there is more work to be done, especially in the area of vendor risk management," says Stephen Boyer, co-founder and CTO of BitSight. "This trend in retail highlights the importance of proactive measures such as industry and peer benchmarking, as well as continuous monitoring of one's supply chain. We are seeing retail take steps in the right direction, with the formation of the Retail Information Sharing and Analysis Center to increase intelligence sharing among retailers in the US, but more improvements are needed."
BitSight uses publicly available data to rate the security performance of organizations. Ratings range from 250 to 900, with higher numbers indicating better performance. Key findings: of the 300 retailers analyzed, 58 percent saw their overall security performance decline, by an average of 90 points. The 34 percent of retailers that improved gained an average of 70 points, while eight percent saw no net change in their Security Rating over the past year.
Of the 20 large retailers that suffered a high-profile breach within the last year, nearly 75 percent have raised their Security Rating since the breach, by an average of 50 points.
Securing the supply chain, however, remains a challenge. Nearly a third of all breaches in the retail sector began with a compromise at a third-party vendor. An organization can harden its own network, but a vendor with access to that network or to its data extends the attack surface beyond what the organization itself controls, and ignoring that risk leaves it exposed to breaches that originate outside its perimeter.
The findings also show that infections are rising across a range of threat types, with malware showing the largest increase. Incident response times have lengthened too, averaging 1.33 days in November this year against 1.26 days in November 2013.
You can see an infographic summary of the report's findings below.