Executive Briefings

One Third of Retail Breaches Begin With Third-Party Vulnerabilities, Study Finds

Retail is still under attack, and consequently the security effectiveness of retail organizations as a whole has continued to decline over the past year. However, almost 75 percent of retailers that experienced a data breach in the last year have improved their security effectiveness since the point of their breach, while a third of the breaches at retailers trace back to compromises at third-party vendors.

That's the finding of research released by BitSight Technologies, which measured the security performance of 300 major U.S. retailers from Nov. 1, 2013 to Nov. 1, 2014.

"While it's encouraging that a majority of the breached retailers have improved their security effectiveness, there is more work to be done, especially in the area of vendor risk management," said Stephen Boyer, co-founder and CTO of BitSight. "This trend in retail highlights the importance of proactive measures such as industry and peer benchmarking, as well as continuous monitoring of one's supply chain. We are seeing retail take steps in the right direction, with the formation of the Retail Information Sharing and Analysis Center to increase intelligence sharing among retailers in the U.S., but more improvements are needed."

The BitSight platform uses publicly available data to rate the security performance of an organization on a daily basis. Observed security events and configurations, such as communication with a botnet, malware distribution, and email server configuration, are assessed for severity, frequency and duration and used to generate objective security ratings. BitSight security ratings range from 250 to 900, with higher ratings equating to higher security performance.

BitSight uses a wide breadth of high-quality, publicly available security data to calculate security ratings for specific companies and industries.

Other key findings include:

--  Retail still under wide-scale attack - Of the 300 major U.S. retailers analyzed by BitSight from Nov. 2013 to Nov. 2014, 58 percent experienced a decline in overall security performance with an average 90-point decrease. The 34 percent of retailers that improved saw an average 70-point increase, while eight percent of retailers saw no net change in their Security Ratings over the past year.

--  Retailers breached in the last year see improvement - BitSight analyzed the security performance of 20 large retailers that had a high-profile breach within the last year. Of these retailers, nearly 75 percent saw an average increase of 50 points to their security rating score since the point of their breach.

--  Securing the supply chain remains a big challenge - BitSight observed that nearly a third of all breaches in the retail sector began with a compromise at a third-party vendor. Retailers share sensitive data with hundreds to thousands of business partners globally; organizations can take steps in securing their own networks, but ignoring risks posed by third-party partners can leave them exposed and vulnerable to breaches.

--  Infection increases in almost all threat vectors - In the span of a year, the retail industry on average suffered from an increase in infections in every individual threat indicator monitored by BitSight, with the exception of spam propagation. Malware distribution accounted for the largest increase, followed by botnet infections.

Source: BitSight Technologies
