Security Ratings Uncover Decline in Security Posture of US Retailers

In light of the recent news of retailers being attacked late last year, we at BitSight looked into our security ratings (an external measure of a company’s security posture) to gain some insight into these attacks.

In our November 2013 BitSight Insight report that assessed performance across various sectors, we noted a decline in the retail sector’s security posture in the first quarter of 2013. The sector’s security rating failed to rebound in the second or third quarter. That analysis included Fortune 200 retailers primarily in the brick-and-mortar business (including Target, Walmart, CVS, Safeway, and others).

For the purpose of gaining insight into the breaches that occurred during the holiday season, we decided to look at the same set of companies, excluding supermarkets (such as Safeway). In addition, we extended the analysis through the end of 2013. The result, shown below, indicates that the security posture of the nation’s largest retailers did in fact decline in the fourth quarter. BitSight Security Ratings range from 250 to 900, with higher ratings equating to higher security performance. Our security ratings are generated daily using vast amounts of data on externally observed security incidents, such as communication with a botnet and malware distribution. The highest performers fall into the 720-900 range and are generally quite effective in identifying and mitigating security risks. The worst performers, those with ratings ranging from 250 to 559, tend to have a large number of incidents relative to other organizations of similar size and long incident response times. Many ISP networks fall in this category as they have very little control over what their end users do. Intermediate performers fall into the 560 to 719 range.

Although the retailers included in this analysis started out the year performing relatively well, they quickly fell into our intermediate category. We observed more malicious activity on these networks in the second half of 2013. The majority of companies were quick to respond, but a few had botnet infections lingering for several days at a time.
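To make the two ingredients of an externally derived rating concrete (incident volume relative to company size, and how long incidents stay visible before they are remediated), here is an added toy model in Python. It is not BitSight's rating algorithm, whose weights and data sources are not described on this page; the band thresholds (250-559, 560-719, 720-900) come from the text, while the penalty weights, the 10,000-employee normalisation, the retailer "ExampleRetailer", its head count and every incident record are constructed assumptions. It demonstrates how a quarter-by-quarter decline like the one described above falls out of more incidents that linger longer.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Rating bands as described on the page.
RATING_MIN, RATING_MAX = 250, 900
ADVANCED_MIN = 720        # 720-900: highest performers
INTERMEDIATE_MIN = 560    # 560-719: intermediate; 250-559: worst performers

# Hypothetical penalty weights for this toy model; NOT BitSight's algorithm.
INCIDENT_WEIGHT = 60      # points per incident per 10,000 employees in a quarter
DWELL_WEIGHT = 40         # points per day of mean incident visibility


@dataclass(frozen=True)
class Observation:
    """One externally observed incident on a company's address space (constructed record)."""
    company: str
    kind: str            # e.g. "botnet_communication" or "malware_distribution"
    first_seen: date
    last_seen: date      # last day the activity was still observable from outside

    @property
    def duration_days(self) -> int:
        """Days the activity stayed visible: a proxy for incident response time."""
        return (self.last_seen - self.first_seen).days + 1


def band(rating: int) -> str:
    """Map a rating to the performance band the page describes."""
    if not RATING_MIN <= rating <= RATING_MAX:
        raise ValueError(f"rating {rating} outside {RATING_MIN}-{RATING_MAX}")
    if rating >= ADVANCED_MIN:
        return "advanced"
    if rating >= INTERMEDIATE_MIN:
        return "intermediate"
    return "basic"


def quarter_of(d: date) -> str:
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def quarterly_ratings(observations, company, year, employees):
    """Toy rating per quarter: start from the maximum and subtract penalties for
    incident volume (normalised by company size) and for how long incidents lingered."""
    per_quarter = {f"{year}Q{q}": [] for q in range(1, 5)}
    for o in observations:
        if o.company == company and o.first_seen.year == year:
            per_quarter[quarter_of(o.first_seen)].append(o)
    ratings = {}
    for q, obs in per_quarter.items():
        count = len(obs)
        rate = count / (employees / 10_000)                # incidents per 10k staff
        mean_dwell = sum(o.duration_days for o in obs) / count if obs else 0.0
        raw = RATING_MAX - INCIDENT_WEIGHT * rate - DWELL_WEIGHT * mean_dwell
        ratings[q] = int(max(RATING_MIN, min(RATING_MAX, round(raw))))
    return ratings


def lingering(observations, company, min_days):
    """Incidents that stayed visible for at least min_days (slow response)."""
    return [o for o in observations if o.company == company and o.duration_days >= min_days]


def _obs(company, kind, first, days):
    """Build a constructed observation that was visible for `days` consecutive days."""
    return Observation(company, kind, first, first + timedelta(days=days - 1))


# Constructed sample data for a hypothetical retailer with 50,000 employees.
SAMPLE = [
    _obs("ExampleRetailer", "botnet_communication", date(2013, 1, 14), 2),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 4, 3), 2),
    _obs("ExampleRetailer", "malware_distribution", date(2013, 4, 20), 3),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 5, 11), 5),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 6, 27), 6),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 7, 2), 2),
    _obs("ExampleRetailer", "malware_distribution", date(2013, 7, 19), 4),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 8, 8), 5),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 8, 30), 6),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 9, 16), 8),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 10, 5), 3),
    _obs("ExampleRetailer", "malware_distribution", date(2013, 10, 22), 4),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 11, 4), 6),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 11, 18), 6),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 12, 2), 8),
    _obs("ExampleRetailer", "botnet_communication", date(2013, 12, 15), 9),
]
SAMPLE_EMPLOYEES = 50_000


if __name__ == "__main__":
    for q, r in quarterly_ratings(SAMPLE, "ExampleRetailer", 2013, SAMPLE_EMPLOYEES).items():
        print(q, r, band(r))
    for o in lingering(SAMPLE, "ExampleRetailer", 7):
        print("lingered:", o.kind, o.first_seen, o.duration_days, "days")
```

With the constructed data the model rates the retailer in the advanced band in Q1 and in the intermediate band for the rest of the year, sliding further each quarter as incidents become both more frequent and slower to clear; the `lingering` query picks out the week-long infections that drag the dwell penalty up. The point of the exercise is that a defender can reproduce the shape of such a trend from outside-in telemetry alone, which is also why the page is careful to note that this view says nothing about what happened inside the network.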

BitSight observed increased malicious activity on Target and Neiman Marcus’ networks in November and December 2013. Since the details of these breaches have not been fully revealed, we do not know if the activity observed by BitSight was indeed the cause of the data loss. BitSight looks only at externally available data and has no access to internal network data. While we did observe increased activity during the time the breaches occurred at Target and Neiman Marcus, these companies were certainly not the worst performers in the retail sector. Security ratings for other companies in this industry are lower, leaving us wondering which retailer will be hit next.

[Figure: BitSight Security Rating, Retail Sector]