Published on November 22nd, 2022
Three-quarters of retail, hospitality applications have security flaws
- As the Black Friday weekend is upon us, a report from Veracode shows almost three-quarters of retail and hospitality applications contain security flaws. Just one-quarter of those flaws are fixed.
- Almost 1 in 5 of these security flaws are considered “high severity” and could pose a serious risk to an organization if exploited.
- More than three-quarters of Americans plan to shop during the Black Friday sales and almost 3 in 5 plan to do all of their shopping online, leaving retailers very little room to afford a cyberattack or other data breach.
With supply chain bottlenecks already taking a toll on retail and e-commerce, the ability to maintain customer loyalty and trust is a major issue for retailers. The average cost of a breach in the retail sector can run up to $3.3 million, according to IBM Research and the Ponemon Institute.
Retailers and hospitality companies should be concerned about three different types of vulnerabilities: server configuration, insecure dependencies and authentication.
“The primary risk is theft of customer data, especially credit card data or credentials,” Tim Jarrett, VP of product management at Veracode, said. “Disruption of operations is a secondary scenario and probably one that’s more important now than a few years ago, given the ongoing shift to digital commerce.”
There are a few steps retailers can take to mitigate the risk of vulnerabilities, including scanning web applications for weaknesses and incorporating code scanning for first- and third-party vulnerabilities into the software development lifecycle.
Veracode analyzed 20 million scans across a half-million applications, according to the report. Other sectors analyzed included manufacturing, healthcare, technology, financial services and government.
Earlier this month, Bed Bath & Beyond reported a data breach in a filing with federal regulators. The big-box retailer said the breach was related to a phishing attack; however, the company said it had no reason to believe sensitive data was compromised.