Net profit margins in the retail industries are notoriously low. Even the retailing giant Wal-Mart realized only a 3 percent profit margin in 2014. The average profit margins for web retailers are typically in this range, and retailer net profit margins of 5 percent are considered high.
By some estimates, an organization will incur costs of almost $4 million to remediate the damage caused by a single web application attack. When this cost is considered in light of the thin net profit margins in the retail industry, the need for robust cyber defenses in that industry is readily apparent. A 2014 Verizon report noted that SQL injections accounted for more than 80 percent of all data breaches experienced by retailers. Moreover, SQL injection attacks are easy to launch. Accordingly, retailers need to erect defenses against SQL injections in order to prevent the multi-million dollar losses that could wipe out their entire net profit.
An SQL injection data breach begins when a hacker finds an input in an organization’s web application that is included in an SQL query. The hacker then supplies input containing malicious SQL, which the application splices into the query, and that code then allows the hacker to bypass authentication and impersonate users. The hacker can also insert code to force a server to alter or delete data, or to disclose all data residing on it. The end-of-year holiday season is the busiest and most profitable time for most retailers. They are especially prone to data losses and disclosures during the holidays, when more user information is collected and stored in their own internal databases.
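The mechanism described above, as an added example that is not part of the original article: a login check that splices user input into its SQL text beside the parameterized version that keeps input as data, plus a naive request-inspection heuristic of the kind a web application firewall might apply. The user table, credentials and the tautology input are constructed sample data.

```python
import re
import sqlite3

# Constructed in-memory user table; the credentials are sample data, not from
# any real system.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is spliced into the SQL text, so the database parses
    # whatever the user typed as part of the query.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders send the input as bound values; it can never change the
    # query's structure, so a tautology in the password is just a wrong password.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def looks_like_injection(value: str) -> bool:
    # Naive detection heuristic (assumption: illustrative only, real products
    # use far richer rule sets): a quote closing a string literal followed by a
    # boolean operator.
    return re.search(r"'\s*(or|and)\b", value, re.IGNORECASE) is not None

def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed authentication-bypass input
    return {
        "valid_login_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "valid_login_parameterized": login_parameterized(conn, "alice", "correct-horse"),
        "bypass_vulnerable": login_vulnerable(conn, "alice", tautology),
        "bypass_parameterized": login_parameterized(conn, "alice", tautology),
        "flagged": looks_like_injection(tautology),
        "normal_not_flagged": looks_like_injection("correct-horse"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function accepts the tautology as a valid login for alice while the parameterized one rejects it; the parameterized form, not input filtering, is the fix.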
The data breach that the Target Corporation experienced in 2013 reveals how a weakness in an organization’s cyber defenses can lead to a massive data loss. The hackers who broke through Target’s defenses acquired personally identifiable information that identified specific individual Target customers. More than 70 million Target customers were affected, many of whom shopped at Target between November and December 2013. The personal information that the hackers acquired could only have come from Target’s internal databases. Target did not actively or continuously scan its internal databases for SQL injection activity, which allowed hackers to establish their own virtual servers inside of Target’s information systems. The hackers’ virtual servers were all but invisible to Target.
Target settled a class action that stemmed from this data breach for $10 million. It also agreed to enhance its cyber defense policies and procedures to include, among other things, the appointment of a new chief information security officer, the adoption of a written policy to document security risks and to create metrics to assess its security measures, and to train employees on the importance of securing the personal information of customers. Target customers whose information was compromised in the breach have an opportunity to receive a portion of the settlement proceeds.
Retailers can erect their own internal barriers to SQL injection attacks, or they can utilize one of the many web application defense products from companies like Shape Security for that purpose. Those products erect a firewall that continuously inspects traffic into an organization’s servers for SQL injection attempts and other attacks that lead to data breaches. They can be implemented enterprise-wide, in a SaaS configuration, and across all of an organization’s platforms and devices.
Retailing is highly competitive at all levels and is becoming more competitive as online retailers crowd out the more traditional physical retail locations. Protecting against data loss is a reality for all retailers who want to remain viable in this competitive environment.