December 15, 2015 By Michelle Alvarez

What’s the retail industry receiving this holiday season? Most likely a new malicious link or document. A new IBM report revealed that attacks involving malware are prevalent, making up most of the threat activity observed across the IBM Managed Security Services client networks. Malware is the leading attack type in breaches, according to IBM X-Force Interactive Security Incidents data.

Think Twice Before Clicking

As in most other industries, attacks aimed at fooling victims into opening malicious documents or clicking on links to malicious sites are proving very successful in retail. The intent is almost always to have the victim download malware. These attacks accounted for nearly 18 percent of the total attacks observed targeting retail in 2015, according to the IBM data.

The Gift You Don’t Want That Keeps on Giving

Cybercriminals see no need to reinvent the wheel; proven attack vectors such as Shellshock and SQL injection continue to plague retailers. Although it’s been around since 1995, SQL injection is still one of the most common attacks on Web assets. It is also the second-most common known attack type associated with retail security breaches.

Named one of the threat game changers for 2014, the Shellshock vulnerability is now the No. 3 attack vector. It accounted for over 13 percent of the attacks in the retail industry in 2015.

Shifting Focus: Attackers Targeting Smaller Businesses

With security controls tightened in large enterprises, attackers are going after smaller businesses. The payoff per target may be lower, but the targets are easier and far more numerous. Analysts are finding it difficult to assess the true impact of this shift because many smaller retailers aren’t reporting the number of compromised records in their disclosures.

No Major Uptick in Retail Attacks Over Black Friday/Cyber Monday

IBM also assessed attack data from the Black Friday/Cyber Monday weekend. Those days might seem like a good time for increased attacks, but historically we haven’t seen a sharp uptick. This year fared no differently, with the daily average number of attacks that weekend only slightly above the daily average for the year.

The Financial Damage Is Escalating

As the 2015 Cost of Data Breach Study: Global Analysis reported, “While the cost of data breach stayed relatively constant for most industries, the retail sector experienced a significant increase, from $105 [per record] in 2014 to $165 in 2015.” Given the sheer volume of breaches — almost 236 million records are known to have been compromised since 2011 — that means losses in the billions.

With all the concerns plaguing the retail industry, organizations need to understand the trends and make the security investments that best respond to them. The IBM recommendations are meant to optimize security programs to stop advanced threats and protect the crown jewels.

Read the complete research report on security trends in the retail industry
