You can’t say 2020 without also saying “global pandemic,” plus maybe a few four-letter words under your breath. It’s no surprise that the retail industry was turned upside down, expediting industry trends towards an increase in online-shopping and forcing companies to get creative. This blog post dives into the state of retail cybersecurity in 2020, holiday cyber-readiness, and how shifting consumer expectations are impacting the industry. 

What to Expect this Holiday Shopping Season

Since I know my Amazon Prime delivery driver by name, I wasn’t surprised when I found out that 80% of consumers say they’re expecting to do more holiday shopping online versus last year, according to a recent survey conducted by Bugcrowd. Online shopping isn’t going away anytime soon – a global study published by Salesforce found that 58% of consumers expect to do more online shopping after the pandemic than they did before it.

This year, holiday shopping kicked off with Amazon Prime Day, a two-day event in mid-October. According to an analysis of Amazon Prime Day, sales surpassed last year’s event by 45.2%. Unfortunately, with increased shopping comes increased security concerns. 

We asked consumers to rank their top security concerns heading into the 2020 holiday shopping season. The top concern was fraudulent purchases, which aligns with the fact that almost 75% of respondents expect fraud to increase during the holiday season. Other top concerns include account takeovers and phishing attacks.

Even with these concerns, our survey found that less than half of organizations are taking new measures to protect their online customers for the 2020 holiday season.

A Changing Consumer: Digital Expectations

Shopping habits aren’t the only thing increasing, so are expectations. 68% of consumers surveyed say COVID-19 elevated their expectations of companies’ digital capabilities

A key aspect of a companies’ digital capabilities is cybersecurity. 77% of consumers cite vendor security as one of their top selection criteria for purchase. 69% of consumers are “much more concerned” about their online security than previous years, and 85% of shoppers who have had their information stolen through a security breach at a retailer tell others about their experience. The majority of those share their stories online. Even years after it happened, I still think about the Target data breach every time I swipe my credit card there.

The impact of a breach can certainly be devastating to direct victims, but the business itself often suffers through loss of consumer trust. According to a recent report

  • Just 11% of consumers are confident in their retailer’s ability to appropriately respond to new cyber attacks
  • Nearly 20% of consumers would reportedly end relations with a retailer after losing their data in a breach
  • More than 30% of consumers would halt spending for several months after losing their data in a breach. 

This impact has very real consequences for organizations who fail to do everything in their power to stay secure. 

So to summarize:

  1. More people are shopping online
  2. Security is an important factor to consumers shopping online
  3. A security breach which impacts consumer trust can have long-term consequences to a retailer’s bottom line

State of Retail: By the Numbers

The following data has been collected from retail programs running January 1, 2018 to November 1, 2020 and span Bugcrowd Vulnerability Disclosure, Bug Bounty, Attack Surface Management, and Pen Test programs. 

As you can see on the below graph, the total number of vulnerability submissions in retail has increased significantly since 2018. We tend to observe the biggest upticks in the industry between Q1 and Q2, at the end of the traditional “freeze” period.

During the holiday season, many retailers implement code freezes. 40% of total annual revenue is made in the 6-7 week holiday period for many retailers, so restricting code changes to mission critical systems helps avoid changes that could disrupt the buying process. 

Bounty payments are excellent indicators of not only the volume of submissions, but the severity of findings. Across all retail programs, the average payout in 2020 increased by 11% compared to 2019.  It’s also important to look at payments by criticality. So far in 2020, the average payout for P1 (critical) submissions in retail increased by 17% compared to 2019. 

We have continued seeing the trend of retail payouts for P1s being lower than the average across all industries. While we might be quick to infer that retail programs should increase payout schedules (this may still be true in some cases to retain top talent in a competitive market), the reality is that retailers were amongst the first to adopt bug bounty programs, and are exhibiting a normal rate of bounty growth given lower payouts at inception. Additionally, many retail targets at risk are web and mobile apps, which do carry a lower bounty reward. 

Several factors influence the market rate for vulnerabilities, including retail organizations’ ever-expanding attack surface, the increased participation of organizations in crowdsourced security programs, and in turn, the availability of security researchers with specialized skills. Fortunately, Bugcrowd continues to see explosive growth in its crowd year after year. With continued investment in CrowdMatch, we’re able to keep up with the growing number of customers and researchers, connecting the right resources to the right engagement for better results, 1.5x faster than competitors.

The criticality scale for a submission ranges from Priority 1 (P1) to Priority 5 (P5), 1 being the most critical and 5 being the least. This scale provides researchers and organizations a baseline for prioritizing a fix, as well as the suggested reward amount. In accordance with the “freeze” period trend, low-impact vulnerabilities that go unprioritized by retail organizations during Q4 often appear in extremes during Q1. 

When it comes to vulnerability submissions by priority, it’s clear that retail has a high number of P4 vulnerability submissions. Many e-commerce and retail organizations have predominantly web-based and mobile app attack surface – two targets that are objectively “easier” for novice hackers to tackle when first starting out. With a lower barrier to entry, this may be why retail carries a disproportionately high volume of submissions against these asset types versus other industries.

How Bugcrowd can Help

Bugcrowd offers the unique opportunity for retailers to demonstrate commitment to security best practices through programs that are easy for consumers to see and understand. And unlike many other security programs, pricing for Bugcrowd Bug Bounty programs is equally transparent  — based directly on value received (payments to the Crowd for valid security vulnerabilities surfaced). This mix of marketability and cost effectiveness may be why we’ve seen particularly significant growth in the retail industry’s adoption of crowdsourced security this year, as well as scope expansion amongst existing customers.

Bugcrowd’s crowdsourced security programs enable retail organizations to assess the real risk of digitization both pre- and post-production using the most organic measure of real risk possible– the hacker mindset. With a global network of always-on security professionals, expert management, intuitive security workflows, comprehensive coverage analysis and on-demand methodology-based reporting, Bugcrowd protects retail businesses, employees, and customers.