Retailers at risk due to poor TLS/SSL management
Big retail businesses can have hundreds of TLS/SSL certificates identifying specific internet-connected devices, but many lack an organization-wide framework for managing them.
In the run-up to the busiest shopping period of the year, new research from BitSight finds that 75 percent of the retail sector is at heightened risk of ransomware due to poor TLS/SSL configuration management.
Although poor TLS/SSL management doesn't directly result in successful ransomware attacks, BitSight has found that it’s a good indicator of overall security hygiene.
"BitSight believes that the use of deprecated, insecure TLS protocols often indicates that an organization is unable or unwilling to upgrade to newer, supported technology," says Ethan Geil, senior director, data and research at BitSight. "If they are unable to fix SSL, it is likely that they are unable to patch other, more critical vulnerabilities, as well. Continuing to support insecure protocols is a symptom of poor security hygiene in general."
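An organization-wide inventory check of the kind the article calls for, as an added example that is not BitSight's tooling or grading method: it probes each hostname for whether it still completes a handshake on a deprecated protocol version and reads the leaf certificate's expiry, then turns the result into findings. Hostnames, the 30-day expiry threshold and the result format are assumptions.

```python
import socket
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Protocol versions that a public-facing endpoint should no longer accept.
DEPRECATED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)

@dataclass
class HostResult:
    host: str
    accepted_deprecated: list = field(default_factory=list)  # e.g. ["TLSv1_1"]
    not_after: Optional[datetime] = None                     # leaf certificate expiry (UTC)
    error: Optional[str] = None

def accepts_version(host: str, port: int, version: ssl.TLSVersion) -> bool:
    """True if the server completes a handshake pinned to exactly `version`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # only probing the version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let this client offer legacy suites at all
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as sock, \
                ctx.wrap_socket(sock, server_hostname=host):
            return True
    except (ssl.SSLError, OSError, ValueError):
        return False  # refused, or the local OpenSSL build cannot speak it (false negative)

def cert_not_after(host: str, port: int) -> datetime:
    """Expiry of the leaf certificate, verified against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        seconds = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def probe(host: str, port: int = 443) -> HostResult:
    r = HostResult(host)
    try:
        r.accepted_deprecated = [v.name for v in DEPRECATED if accepts_version(host, port, v)]
        r.not_after = cert_not_after(host, port)
    except (ssl.SSLError, OSError) as e:
        r.error = str(e)  # an unreachable host or failed verification is itself a finding
    return r

def findings(r: HostResult, warn_days: int = 30, now: Optional[datetime] = None) -> list:
    """Turn one probe result into inventory findings (pure function, testable offline)."""
    now = now or datetime.now(timezone.utc)
    out = [f"{r.host}: accepts deprecated {v}" for v in r.accepted_deprecated]
    if r.error:
        out.append(f"{r.host}: probe failed ({r.error})")
    elif r.not_after is not None and r.not_after - now < timedelta(days=warn_days):
        out.append(f"{r.host}: certificate expires {r.not_after:%Y-%m-%d}")
    return out
```

Run `findings(probe(h))` over the certificate inventory on a schedule; a host that newly accepts TLS 1.0/1.1 or drifts toward expiry then shows up as a finding rather than as a surprise.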
BitSight looked at a number of factors to assign each organization a grade from A to F for TLS/SSL certificate and configuration management risk. Only 24 percent of retail sector organizations scored an A, making them less likely to experience a ransomware attack; 15 percent scored B, 29 percent scored C, and 33 percent were in the D or F range.
The findings also show that 60 percent of the retail sector is at heightened risk of ransomware attacks due to overall poor cybersecurity practices. One of the main contributing factors is slow patching: nearly a quarter of retail businesses have a C, D, or F rating in patching cadence, which BitSight equates to as much as a sevenfold increase in the risk of a ransomware attack.
You can read more about the findings, along with tips on managing certificates effectively, on the BitSight blog.