The close of summer in the United States brings with it one of the most important online selling seasons for Internet retailers: Back-to-School (BTS) shopping. This critical shopping season trails Cyber Monday closely as the most important for online generated revenue for many retailers. According to a recent study by Field Agent, a research firm specializing in retail, nearly two-thirds of U.S. consumers plan to purchase at least some of their BTS goods online. So, naturally this is a time of year that the security teams for major online retailers need to be on high alert, keeping an eye out for any attacks that can disrupt operations or breach sensitive data. It’s also a time they need to worry about malicious actors targeting customers with phishing attacks, even if there’s little they can do directly to prevent them. With average consumers in U.S. planning to spend between $500-$1,000 on BTS shopping, any impediment to consumer sentiment and quality of experience can have dramatically bad effects.
Given the timeliness of the topic, let’s explore some of what we, at Radware, are seeing as significant trends both in the threat landscape targeting online retailers, but also changes they are making in their IT and business that play into the cyber threats.
It’s new to no one that online retailers were among the first of the hyper-targeted industries for cyber-attacks. The combination of holding valuable customer data, the high profile brands and even the potential for competitive cyber-attacks has had IT and security managers in this industry among the leaders in security strategy and operation for many years. This makes their input into Radware’s annual Global Application & Network Security Report of particular interest.
What Keeps the Retail IT Guy Up at Night?
When we survey the retail space, we largely find a well-educated and cautiously-confident bunch. Across the board, they have some of the highest scores of any industry when it comes to expressing confidence that they are well protected from most threats. Of course, that doesn’t mean they don’t have hot-buttons of concern.
By far, this category sees the professional hackers, those motivated by financial gain, as their biggest threat. Over 65% put this threat group as “top 2” among motivations and hacker types. The second largest area of concern interestingly comes from the insider threat, which when you consider the rate of turnover and seasonal employees involved in retail, makes good sense. Very few express concern over threats from competition, which could be something of a false sense of security. We do regularly see various attacks, website scraping as an example, targeting retailers with what seem to be competitive motivations.
When we look into the impacts retailers feel and fear from cyber-attacks, two main ones jump out. First, over 50% of those surveyed say reputational damage is #1 or #2 on their list. In closer correlation, almost a third (32%) state customer or partner loss as the #1 most damaging potential impact from a cyber-attack.
Retail Attack Trends: A View from the Front Line
When we delve into the actual types of attacks seen by IT and security professionals in retail, we see some trends that on the surface may seem positive, but could point towards more troubling longer-term impacts. At Radware, we tend to consider attacks across three parameters: frequency, duration and complexity (generally measured by number of vectors). The retail space reports one of the lowest rates of frequency across the industries we survey. Only 17% say they see daily or weekly attacks, versus on average about 25% for other industries. Almost 40% say they only get attacked once or twice a year. These numbers could represent an over-reliance on certain attack detection technologies, or simply that many of the leaders in this space have effectively made themselves an expensive target for attackers.
Similarly, when it comes to attack duration, the online retail respondents report some of the shortest durations. Over 40% say attacks last one hour or less, and only 6% report attacks lasting over a week. Attack duration can be deceiving however. As more and more attack tools become automated, they are also adept at quickly identifying poor targets, and moving on. Chances are, one of these automated attack tools will come around utilizing a vector that the retailer cannot protect against.
While confidence is high among retailers, so too is the recognition of significant financial impact from attack. Over 10% of respondents from this industry report that an attack will, on average, cost them $1-$3 million dollars, much higher than most industries. The high cost of attack is balanced by one of the higher levels of spending on cyber-attack protection. Retail is second among the surveyed industries on spending, with 35% spending over $1 million on dedicated cyber-attack protection.
Online Retailers, not just for retailing anymore
For the biggest of online retailers, the transition towards online business can have an even more dramatic effect, that of shifting their core competencies into whole new lines of business. At the extreme example, consider Amazon, once a pioneer in selling shoes online, to a transformative technology firm largely defining the cloud computing space. EBay is not far behind, finding increasingly that their core competencies have become running online transactional platforms, enabling successful acquisitions into new areas. This transition of course introduces whole new categories of attack, and in turn whole new levels of business risk. However, the sophisticated operations in this category have also discovered new paths of ROI.
Today’s reality for the online retailer is that they face an increasingly complex set of cyber-attack threats, all of which have a good understanding of the seasonality of business. Staying diligent during and in-between these periods and having a strong view into the trends for both attacks and defenses is central to a mature online retail security strategy.