New Research Shows One Third of Retail Breaches Originated from Third-Party Vulnerabilities

Bitsight Analyzes Security Performance of Nation’s 300 Largest Retailers to Find an Industry Still Under Attack.

Bitsight Technologies, the standard in Security Ratings, today released new research measuring the security performance of 300 major U.S. retailers from Nov. 1, 2013 to Nov. 1, 2014. The report reveals that retail is still under attack and, consequently, that the security effectiveness of retail organizations as a whole has continued to decline over the past year. However, almost 75 percent of retailers that experienced a data breach in the last year have improved their security effectiveness since the point of their breach, while a third of the breached retailers trace their breaches back to compromises at third-party vendors.

“While it’s encouraging that a majority of the breached retailers have improved their security effectiveness, there is more work to be done, especially in the area of vendor risk management,” said Stephen Boyer, co-founder and CTO of Bitsight. “This trend in retail highlights the importance of proactive measures such as industry and peer benchmarking, as well as continuous monitoring of one’s supply chain. We are seeing retail take steps in the right direction, with the formation of the Retail Information Sharing and Analysis Center to increase intelligence sharing among retailers in the U.S., but more improvements are needed.”

The Bitsight platform uses publicly available data to rate the security performance of an organization on a daily basis. Observed security events and configurations, such as communication with a botnet, malware distribution, and email server configuration, are assessed for severity, frequency and duration and used to generate objective Security Ratings. Bitsight Security Ratings range from 250 to 900, with higher ratings equating to higher security performance. Bitsight uses a wide breadth of high-quality, publicly available security data to calculate Security Ratings for specific companies and industries.

Key Findings

  • Retail still under wide-scale attack - Of the 300 major U.S. retailers analyzed by Bitsight from Nov. 2013 to Nov. 2014, 58 percent experienced a decline in overall security performance, with an average 90-point decrease. The 34 percent of retailers that improved saw an average 70-point increase, while eight percent of retailers saw no net change in their Security Ratings over the past year.
  • Retailers breached in the last year see improvement - Bitsight analyzed the security performance of 20 large retailers that had a high-profile breach within the last year. Of these retailers, nearly 75 percent saw an average increase of 50 points in their Security Rating since the point of their breach.
  • Securing the supply chain remains a big challenge - Bitsight observed that nearly a third of all breaches in the retail sector began with a compromise at a third-party vendor. Retailers share sensitive data with hundreds to thousands of business partners globally; organizations can take steps to secure their own networks, but ignoring the risks posed by third-party partners can leave them exposed and vulnerable to breaches.
  • Infection increases in almost all threat vectors - In the span of a year, the retail industry on average suffered an increase in infections in every individual threat indicator monitored by Bitsight, with the exception of spam propagation. Malware distribution accounted for the largest increase, followed by botnet infections. Some prevalent malware strains detected across the industry include Maazben, ZeroAccess, Zeus, Viknok, Conficker and Cutwail.
    • Malware Servers: +200 percent
    • Botnet Infections: +29 percent
    • Potentially Exploited Hosts: +78 percent
    • Unsolicited Communication: +43 percent
    • Spam Propagation: -21 percent
  • Incident response times are increasing, not decreasing - Bitsight observed the average time taken to address infections on retailers’ networks and found a five percent increase in the time it took security teams to respond to potential network security events. While this may seem minimal, the slower the response time, the more potential there is for damage to be done.
    • Nov. 1, 2013: 1.26 days
    • Nov. 1, 2014: 1.33 days