The end of the year is often a time of reflection. What went wrong? What went right? If you’re a retailer that experienced a security breach in 2016, you’re likely reflecting on what went wrong and seeking to identify the gaps in your security landscape. Why? Because breaches are costly.

In fact, the Ponemon Institute’s “2016 Cost of Data Breach Study: Global Analysis” revealed that financial damage to online retail is escalating. In 2015, the retail sector experienced a significant increase in the cost of stolen data, from $105 per record in 2014 to $165 in 2015. In 2016, that amount rose to $172 per record in retail, substantially higher than the cross-industry average of $158.

Security Trends in Retail

A new IBM report focusing on security trends in the retail industry highlighted the threats to retailers’ networks that drive many of the data breaches responsible for this financial damage. You may be surprised to learn that many successful attacks against retailers stem from vulnerabilities characterized as low-hanging fruit.

The top two attack vectors observed across IBM Managed Security Services (MSS) networks, Shellshock and SQL injection, exploit unpatched vulnerabilities. Attackers are compromising retail networks where basic security measures — identify, protect, detect and recover — have not been performed.


Protecting Crown Jewels While Optimizing Customer Experience

As the intersection of personalization, privacy and security grows ever more complex, the challenge for retailers to protect their consumers’ sensitive information from the standpoints of both privacy and security intensifies.

Attackers targeting the retail industry are less interested in taking down a site and more focused on obtaining valuable information such as credit card data. Even if businesses are collecting, storing and using information properly, they must monitor the types of attacks targeting their networks and seek ways to mitigate the exfiltration of their consumers’ data.

For advice on how to address these threats and more insights about online retail security drawn from the recent Black Friday and Cyber Monday weekend, download the full IBM report, “Security Trends in the Retail Industry: Attackers Are Shopping for Low-Hanging Fruit.”
