Retail Industry Ranked Worst – 7/3/12

Retail Industry Ranked Worst in Website Vulnerability

It’s an honor that retail would probably just as soon see bestowed on another industry: Retail was 2011’s worst-performing industry in website security, with retail sites suffering an average of 121 serious vulnerabilities each, according to the 12th annual Website Security Statistics Report from WhiteHat Security, released last month.

Retail’s poor performance is particularly distressing given that across all industries, serious vulnerabilities dropped dramatically in 2011 – from 230 per site in 2010 to just 79 last year. WhiteHat examines over 7,000 websites across 500 organizations to identify “windows of exposure,” including serious site vulnerabilities, the length of time to fix them, and the percentage that actually get remedied.

Part of the explanation for retail’s vulnerability may be that its sites are among the most likely to be attacked by hackers or criminals in search of valuable data. The retail industry accounted for 33.7% of all data breach investigations in 2011, second only to food and beverage at 43.6%, according to the Trustwave 2012 Global Security Report. By far the most common types of data targeted, at 89%, were customer records such as cardholder data, e-mail addresses and Personally Identifiable Information (PII).

WhiteHat researchers found that although overall remediation rates continue to increase, the higher the severity of a vulnerability, the more likely that vulnerability would reopen in the future. One likely explanation is a deficient “hot-fix” process, in which a high-severity vulnerability is fixed quickly, live on the website, but the change is not back-ported to development and a future software release overwrites the patch.

Following are the key statistics for 2011’s Top 5 industries in website vulnerability, according to WhiteHat Security:

Retail
Annual average # of serious vulnerabilities: 121
Average time-to-fix: 27 days
Average remediation rate: 66%

Insurance
Annual average # of serious vulnerabilities: 92
Average time-to-fix: 40 days
Average remediation rate: 58%
