Posted 23 Nov 2015
NEW YORK, Nov. 23, 2015 /PRNewswire/ -- SecurityScorecard, the leading security-risk benchmarking company, announced today findings from its 2015 Retail & eCommerce Security Report which details security trends and problem areas affecting both businesses and consumers this holiday season. SecurityScorecard finds the retail industry suffers from pervasive web application weaknesses from legacy software systems which are soft targets for attackers once inside a company's network.
The report analyzed the top and bottom 10% of retailers collected from SecurityScorecard's proprietary industry data. These retailers represent roughly 200 retail companies and was collected and analyzed from July through October 2015.
There were no e-commerce retailers that were exempt from web application issues. Also, many retailers that our researchers analyzed found companies need to improve the security of servers by hardening their configurations. In the recent past, hackers have found entry points via third party vendors and partners. The target? Customer credit card and other personally identifying information (Social Security Numbers, home addresses, email addresses, phone numbers, etc.) attackers use for fraud and identity theft.
"Attackers seek to access the 'dumps' from customer credit card magstripes (underground slang for the track data stored on a card's magnetic stripe)," said Alex Heid, Chief of Research, at SecurityScorecard. "They will scan ranges of IP addresses looking for remote administration protocols and then use common or pilfered credentials for access."
"For bottom performing retailers, we noticed issues in the frequency of fixing vulnerabilities, so companies need to put robust and rapid patching policies in place in their security programs," said Dr. Aleksandr Yampolskiy, CEO and Co-founder, SecurityScorecard. "We also found too many instances of corporate login and password credentials found on the underground, so retailers need to improve security awareness training for employees. For the application issues, secure coding training for developers is a must."
Consumers lining up to shop at stores on Black Friday or purchase gifts on Cyber Monday and beyond this holiday shopping season should understand that credit cards and other personal information are always a target for hackers, so consumers should be vigilant about monitoring their statements and credit services for fraudulent activity. Holiday shopping season is widely known to see increases in attack attempts on retail and eCommerce websites.
Dr. Yampolskiy also advises that consumers do not use or visit eCommerce websites of companies they have never heard of before, and to monitor their credit card and bank accounts for suspicious charges.
Download the report here.
Companies that want to receive a free, graded security score should visit:
About SecurityScorecard's Benchmarking Service
SecurityScorecard allows organizations to benchmark the security of any partner, competitor, supplier, vendor, any third party or company— without requiring permission. Compare any company's security performance against other organizations within the same industry in real time. The platform is completely self service, making it the most business ready and technically-sound security risk benchmarking platform in existence today.
The proprietary foundation of the platform is the ThreatMarket™ data engine that collects over 30 million daily security risk signals from the entire Internet. SecurityScorecard collects and grades the security risk of companies in the following ten categories and factors: Web Application Security, Network Security, Endpoint Security, IP Reputation, Patching Cadence, Password Exposure, Hacker Chatter, Social Engineering, DNS Health, and CubitTM Score, a metric that assesses common system configurations.
SecurityScorecard was founded in 2013 by two former Chief Information Security Officers, Dr. Aleksandr Yampolskiy and Sam Kassoumeh. SecurityScorecard is made up of veteran security researchers, cryptographers, data scientists, and software engineers. The company is privately held with headquarters in New York City. Security Scorecard investors include Sequoia Capital, Evolution Equity Partners, Boldstart Ventures, and others.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.