On top of a challenging economic year, retailers, e-tailers, and their customers face a growing threat this holiday season: the rise in cyber-attacks. While businesses have lived with this threat ever since the birth of online sales, this season will be different for several reasons.
Our cursory scans of the Top 30 U.S. Retailers’ online ecosystems revealed that nearly 83% have a potential ecosystem vulnerability that could lead to a cybersecurity breach. The following is what we discovered in our research about these organizations as we are in the middle of the all-important holiday shopping season.
This Holiday Season a Perfect Cybersecurity Storm has been Growing on the Horizon
Spike in online purchases
In order to limit their exposure to Covid-19, consumers have increased their e-commerce purchases. In the first half of 2020 online purchases spiked by roughly 30% (US Census Bureau). The holiday season will likely exacerbate this trend.
Improving cybersecurity is a top priority
Prior to Covid-19 the Retail industry as a whole was heavily investing in Digital Transformation initiatives to improve their customers’ experience. According to BDO’s 2020 report on Retail Digital Transformation, cybersecurity is a top priority for these initiatives.
Online Ecosystems, How Vulnerable are the Top U.S. Retailers?
In preparation for this blog post we used Cyberpion’s Ecosystem Security platform to perform a single pass, external scan of the online ecosystems of the Top 30 U.S. Retailers, including names such as Walmart, Amazon, Kroger, Costco and more. Our goal is to understand this vertical industry as a whole in order to provide insights and benchmarks that may help all Retailers when investing in cybersecurity solutions. For a more detailed explanation of what online ecosystems are, please read more here.
Online Ecosystem Stats – Top 30 Retailers
Average number of domains and sub-domains within ecosystem
Average number of connected third-party resources
Average number of total connections
Average number of cloud instances used within ecosystem
Finding the Needle in this Ecosystem Haystack
When you understand that a vulnerability could be hiding anywhere within this ecosystem of domains, resources, connections and cloud instances you can see how challenging the job of understanding your risk can be. The security team must not only be able to discover every element within the ecosystem, they must then assess the potential risk within each element. Fortunately, this is the challenge that Cyberpion answers with ease.
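To make the discovery step concrete, here is an added example (not Cyberpion’s code, and not how its platform works) that builds a first-pass inventory from a retailer’s own pages: it resolves every resource a page loads or posts to, splits the hosts into first-party domains and sub-domains versus third-party resources, and counts total connections, which are the same three ecosystem statistics listed above. The retailer and third-party host names, the sample HTML, and the last-two-labels rule for a registrable domain are all constructed assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute points at a resource the browser fetches from, or posts to.
RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "link": "href",
    "form": "action",
}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of resources referenced by one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # Relative and protocol-relative references are resolved against the page URL.
            self.urls.append(urljoin(self.base_url, value))


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inventory(pages):
    """pages: {page_url: html}. Returns first-party hosts, third-party hosts and connection count."""
    first_party = set()
    third_party = set()
    connections = 0
    for page_url, html in pages.items():
        page_host = urlsplit(page_url).hostname.lower()
        own = registrable_domain(page_host)
        first_party.add(page_host)
        collector = ResourceCollector(page_url)
        collector.feed(html)
        for url in collector.urls:
            host = urlsplit(url).hostname
            if not host:  # e.g. javascript: or mailto: values carry no host
                continue
            connections += 1
            if registrable_domain(host) == own:
                first_party.add(host.lower())
            else:
                third_party.add(host.lower())
    return {
        "domains_and_subdomains": sorted(first_party),
        "third_party_hosts": sorted(third_party),
        "total_connections": connections,
    }


# Constructed sample pages for a fictional retailer (not real sites).
SAMPLE_PAGES = {
    "https://www.example-retailer.com/": """
      <html><head>
        <link rel="stylesheet" href="/static/site.css">
        <link rel="preconnect" href="//fonts.example-cdn.com">
        <script src="https://cdn.example-retailer.com/app.js"></script>
        <script src="https://tagmanager.example-analytics.net/gtm.js"></script>
      </head><body>
        <img src="https://images.example-retailer.com/hero.jpg">
        <iframe src="https://chat.example-widget.io/embed"></iframe>
      </body></html>""",
    "https://checkout.example-retailer.com/cart": """
      <html><body>
        <form action="https://pay.example-psp.com/submit"><input name="qty"></form>
        <script src="https://tagmanager.example-analytics.net/gtm.js"></script>
        <script src="/js/cart.js"></script>
      </body></html>""",
}


if __name__ == "__main__":
    result = inventory(SAMPLE_PAGES)
    print("domains and sub-domains:", result["domains_and_subdomains"])
    print("third-party resources:", result["third_party_hosts"])
    print("total connections:", result["total_connections"])
```

Each third-party host in the output is a place where the retailer’s security depends on someone else’s infrastructure; a real assessment would then check every such host (and every first-party sub-domain) for dangling DNS records, expired certificates, and known-vulnerable software, and repeat the crawl continuously rather than once.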
Online Ecosystem Vulnerabilities – Top 30 Retailers
Note: The following findings come from a one-time vulnerability assessment on the public-facing assets of these organizations. A deeper and continuous scan of these infrastructures would likely indicate MORE vulnerabilities.
Cyberpion discovered that nearly a quarter (23%) of the top 30 U.S. retailers have at least one COMPROMISED ASSET under the control of hackers, not the retailer.
Cyberpion discovered that nearly one-third (30%) of the top 30 U.S. retailers have an asset that was ABUSED or STILL UNDER ABUSE as part of a global hacking campaign.
Cyberpion discovered that nearly half (43%) of the top 30 U.S. retailers have a vulnerable asset that COULD BE exploited and represents an immediate risk.
Cyberpion discovered that most (83%) of the top 30 U.S. retailers have connections to a VULNERABLE third-party asset.
What Happens Next?
While the scope of this blog post doesn’t cover the nature and potential damages that these vulnerabilities could represent for these retailers and their customers, the risks and damages are very real. Online ecosystems, the third-party assets and infrastructures that your organization connects to, represent a growing and significant attack surface for your organization.
The impact of Covid-19, the trend of Digital Transformation, and the rise in online purchases this holiday season will only increase the likelihood that these vulnerabilities will be discovered and exploited by today’s threat actors.
While we’ve used the Top 30 U.S. Retailers for this post, online ecosystems, and their inherent vulnerabilities, are not limited to U.S.-based, large, or only Retail organizations. In this era of hyper-connected online infrastructures it is likely your organization has a vulnerability hiding in its online ecosystem. If you are a cyber-security representative of your organization (of any size) we encourage you to contact us immediately to get a free single-pass scan of your online ecosystem!