Despite Target, Retailers Still Weak On Third-Party Security

A new survey from TripWire shows mixed results about retailers' security practices.

Sara Peters, Senior Editor

June 24, 2014

1 Min Read
Dark Reading logo in a gray background | Dark Reading

The big Target breach last year was actually the second stage of an attack that began by breaching the retail giant's third-party HVAC subcontractor (although the general public seems to forget that fact). This should have taught companies a lesson about the risks of letting business partners run pell-mell around one's network without paying any mind to their own security posture. However, according to new research from TripWire, at least one-quarter of retailers have not yet learned that lesson.

On one end of the spectrum, 12% of retailers who responded say they require third-party partners to pony up regular reports on vulnerability scans on their network and Web applications. On the other end of the spectrum, 26% said, "We don't evaluate the security of our business partners."

In fact only 70% of respondents said that the Target breach affected the level of attention that their businesses' executives pay to security. This number was even lower (57%) for online-only retailers.

Happily, 60% of respondents said they could identify a breach within 72 hours, 7% said they could do it in a month, and 1% within three months. However, a full 20% simply admitted that they weren't confident they could identify breaches quickly -- and that's particularly discouraging if within three months is considered "quickly."

Some 18% confessed that they were "not at all confident" that their security controls could detect rogue applications (including malware), 35% said they were very confident, and the rest said they were "somewhat" confident.

Read more about:

2014

About the Author

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights