Retail security still very much under attack

There is perhaps no subject more important to retailers this season than security. Just one year after a data breach at Target (NYSE:TGT) compromised 40 million payment cards and the personal information of 70 million shoppers, the event is still fresh in shoppers'—and retailers'—minds.

According to a new report from security ratings company BitSight Technologies, retail is still very much under attack and the security effectiveness of retailers has continued to decline in the past year.

Of the 300 major U.S. retailers analyzed by BitSight from Nov. 2013 to Nov. 2014, 58 percent experienced a decline in overall security performance, with an average 90-point decrease. Thirty-four percent of retailers improved, with an average 70-point increase, while 8 percent of retailers saw no net change in their security ratings over the past year.

Retailers that have been breached had better performance rankings than those that haven't, and incident response times overall are increasing. Nearly 75 percent of retailers that experienced a data breach in the last year have improved their security effectiveness since the point of their breach, while a third of the breached retailers link back to compromises via third-party vendors.

"While it's encouraging that a majority of the breached retailers have improved their security effectiveness, there is more work to be done, especially in the area of vendor risk management," said Stephen Boyer, co-founder and CTO of BitSight. "This trend in retail highlights the importance of proactive measures such as industry and peer benchmarking, as well as continuous monitoring of one's supply chain."

Securing the supply chain remains a challenge, with nearly one-third of all retail breaches traced back to a third-party vendor.

Is it too late for merchants to improve payment security this holiday season?

Absolutely not, said Joe Majka, CSO at Verifone. "If you are a merchant that has instituted P2PE and tokenization, know that your payment data is secure. If you aren't using P2PE and tokenization, then your IT department should be put on heightened alert looking for potential signs of intrusion, so that any system breach can be discovered quickly and immediate action can take place to mitigate exposure. Additionally, start planning for encryption and tokenization immediately by contacting your processor and/or gateway provider to see what options are on the table."

Malware continues to pose a threat as well. The retail industry on average suffered an increase in infections in every individual threat indicator monitored by BitSight, with the exception of spam propagation. Malware distribution accounted for the largest increase (up 200 percent), followed by botnet infections (up 29 percent). Some prevalent malware strains detected include Maazben, ZeroAccess, Zeus, Viknok, Conficker and Cutwail.

Unsolicited communication increased by 43 percent and potential exploited hosts were up 78 percent. The one bright spot: spam propagation dropped 21 percent.

For more:
- See this BitSight press release
