5 numbers to know about retail cybersecurity
Retail faces more cyberattacks than any other industry — and the costs of a data breach can be devastating.
Want to read more on cybersecurity? Check out our comprehensive guide analyzing the trends and themes impacting cybersecurity in 2017 and beyond.
Over the last few years, several high-profile data breaches have forced the retail industry to face and fight the growing threat of cyberattacks.
Home Depot is one retailer that can attest to the devastating cost of an attack: The home improvement retailer paid $19.5 million to U.S. customers affected by a 2014 data breach that compromised more than 50 million credit cards. And in the wake of Target's infamous data breach in 2013, in which over 40 million credit cards were compromised, the retailer estimated related costs totaled $150 million.
As more retailers suffer very expensive and damaging hacks, there is growing concern over who will be next. 100% of those surveyed in the 2016 BDO Retail RiskFactor Report cited privacy concerns associated with security breaches as a risk to their business, results that are up dramatically from 91% in 2014, 55% in 2011 and 26% in 2007.
"Number one is you have to recognize there is an issue," Mark Flegg, global product director of domains and security at Corporation Service Company, told Retail Dive. "There’s no point in putting your head in the sand and saying, 'It won’t happen to me,' because it probably will if you’re big enough."
Here are five numbers that expose the cybersecurity risks facing retailers today.$172
The average cost of a data breach per record — for instance, one compromised credit card — for the retail industry in 2016.
The retail industry has experienced a significant increase in the cost of data breaches over the last few years, according to IBM’s 2016 Cost of a Data Breach Study: Global Analysis conducted by Ponemon Institute LLC. In 2014, the average cost of each record was $105, and that figure rose to $165 in 2015. The cost of $172 in 2016 exceeded the mean across all industries, which stands at $158.
Costs associated with a data breach include the hiring consultants to review the attack and loss, damages paid to consumers affected by the breach, and a $50-$90 fine per cardholder data compromised from the banks.
When considering the volume of accounts compromised, it's easy to see how the costs quickly add up.19%
The percentage of shoppers who say they would stop shopping at a retailer that falls victim to cyber hackers, even if the company takes steps to fix the situation.
Customer trust is a difficult thing to gain, and cyber attacks have the power to scare shoppers into the arms of competitors. Out of 448 consumers surveyed by audit, tax and advisory firm KPMG, an additional 33% of consumers said they wouldn’t shop at a retailer within three months of an attack for fear of having their personal data stolen.15 million
The number of identity fraud victims in the U.S.
That number rose 16% in 2016, according to Javelin Strategy & Research’s 2017 Identity Fraud Study. Javelin noted a 40% rise in card-not-present fraud, finding that the increase in EMV cards and terminals drove criminals to shift to fraudulently opening new accounts. Fraud activity is quickly evolving to a point that it can work around protection schemes like EMV credit cards and terminals.5,925
The number of e-commerce websites infected with malware by the end of October 2016.
Willem de Groot, a Dutch researcher and co-founder of security at hosting and e-commerce platform provider byte, collected the data and posted it to his blog in October. On Dec. 1, he updated his post to notify readers that 2,300 stores had been fixed.
Eddie Bauer was perhaps the most high-profile retailer to fall victim to a malware attack in 2016. This summer, the retailer disclosed that malware had infiltrated its in-store point of sale systems, allowing hackers to access customer credit card information on some purchases made between Jan. 2 and July 17 last year.26%
The percentage of cyberattacks attributed to Shellshock in the retail industry in 2016.
Shellshock, a roughly 2-year-old "vulnerability in the GNU Bash shell widely used on Linux, Solaris and Mac OS systems," ranked as the number one attack vector in the retail industry, according to IBM’s 2016 Security trends in the retail industry report. The retail industry experienced nearly twice as many attacks from Shellshock in 2016 as it did in the previous year; 60% of them occurred in September, just ahead of the critical holiday period.
Following Shellshock, SQL injection made up 20% of attacks while brute force attacks made up 15%.
Follow Corinne Ruff on Twitter