Outpost24, an innovator in identifying and managing cybersecurity exposure, stated that online sales surged by 30% globally in the wake of the pandemic, which also attracted various targeted cyberattacks. In its latest survey, “2020 Web Application Security for Retail & Ecommerce Report,” Outpost24 presented its web application security analysis of the top 20 retailers in the U.S. and EU. The research revealed that U.S. retailers have a larger attack surface, with an average risk exposure score of 35.1 (out of 42.33) vs. an average score of 30.8 for EU retailers.
“With web applications accounting for 43% of data breaches in 2019, this research brings this to the top of the boardroom agenda in 2020 and digs deeper into the overall retail attack surface – taking a magnifying glass and critical view into the potential risks of the web applications that we all know and shop with regularly,” the report stated.
Key Findings:
- U.S. retailers run 3,357 web applications over 401 domains, with 8% of them considered suspect and 22% running on old components containing known vulnerabilities
- EU retailers run 2,799 applications over 509 domains, with 4% considered suspect and 27% running on old components containing known vulnerabilities
- Security mechanisms (95), active content (93.3) and degree of distribution (81.5) are, on average, the top three attack vectors identified across U.S. and EU retailers
- 90% of the top 10 EU retailers are running outdated jQuery vs. 50% for U.S. retail
- U.S. retailers are more up to date than EU retailers in their use of modern application technologies; however, with new technology adoption they are twice as likely as their EU counterparts to be running shadow IT, which creates more potential risk for U.S. retailers
The research also found retailers running their applications on outdated servers, from Amazon S3 to older versions of the Apache Server. Outpost24 recommended that retailers keep their servers updated with the latest upgrades and shut down servers that are no longer in use, reducing the attack vectors exposed by their web servers.