The holiday shopping season has arrived and as millions of retail customers make purchases online and in stores, cyber criminals are plotting to steal their valuable payment card information.
The approaching anniversary of the Target data breach announcement begs the question: Is the retail industry more prepared for this inevitable barrage of cyber-attacks?
The bad guys are certainly prepared. The cybercrime business is booming. Malware is more sophisticated, efficient, and easier to access. Underground cybercrime marketplaces are flourishing and attacks are not only more frequent, but more ambitious in terms of size and scope.
According to Advisen’s Loss Insight database, the number of cyber cases involving wholesale and retail companies continued its steady rise in 2014.
Breach severity is a growing concern. Three of the top ten retail breaches of all time occurred within a six-month period between November of 2013 and April of this year. And according to the Ponemon Institute’s 2014 Cost of Data Breach Study sponsored by IBM, retail data breaches have also become more costly, with the average cost per stolen record increasing to $105 from $78 a year ago.
The problem is not going away anytime soon. Cybercrime is a highly lucrative business. For example, approximately 2 million credit card numbers from the Target breach were successfully sold on the black market before the banks were able to cancel the cards, according to cybersecurity expert Brian Krebs. This generated approximately $54 million in income assuming a selling price of around $27 per card.
With these kinds of returns it is no wonder payment card information (“personal financial identity”) remained the leading type of data lost by wholesale and retail companies in 2014.
The increase in cybercrime has resulted in a boon for the cybersecurity business. Companies are increasingly willing to invest in security products and services to avoid costly fines, litigation, and perhaps most importantly, the reputational consequence of becoming the next big headline. In fact, Gartner predicts that worldwide security spending will reach $71.1 billion this year, which is an increase of nearly 8 percent over 2013.
This increased spending on security by retailers, however, may not be translating into more robust defenses. According to a study by security firm BitSight Technologies, “of the 300 major U.S. retailers analyzed from Nov. 2013 to Nov. 2014, 58 percent experienced a decline in overall security performance.”
It appears that many retailers simply do not have the infrastructure in place, from the board level down, to prevent increasingly sophisticated and motivated hackers from accessing their systems. As a result, not much has changed.
Data breaches are the most costly type of cyber event experienced by retailers, but they are not the only – or even the most common – type of event. While data breaches have held comparatively steady over time as a percent of total events, the relative number of operational events – “system/network security violation or disruption” – has grown significantly.
According to BitSight’s research, one of the biggest cybersecurity challenges facing retailers is a secure supply chain. “Nearly a third of all breaches in the retail sector began with a compromise at a third-party vendor.” Until retailers can effectively address these risks, server breaches will likely remain the leading source of data loss, as illustrated in the chart below.
For the most part, the industry appears to be taking a reactive approach to cybersecurity. Of the 20 retailers analyzed by BitSight that experienced a breach in the past year, nearly three quarters have improved their security performance.
As the bad guys gear up to hit the jackpot this holiday season, the data suggests that there will indeed be a big payday in the weeks ahead. Only time will tell.