By Pete Deros, Senior Director of Offensive Cybersecurity
There’s a perfect storm of cybersecurity threats swirling around the retail industry. According to my company’s research, based on thousands of penetration tests across major industry sectors, retail ranked last, with the highest number of vulnerabilities of any sector.
Though the industry has long been a leader in digital transformation, retailers are especially prone to cyber-attack because of the high volume of customer payment card data they handle and their point-of-sale (POS) exposure. The inherent risks of supplier system vulnerabilities, third-party system access, and widespread reliance on open-source software have long plagued retail security teams. To make matters worse, more bad actors are appearing and developing new, sophisticated attack strategies, including ones built on generative AI.
Additional research findings include:
- Mobile apps are often the primary point of access to customer and employee data, and their risk continues to rise, making them a core risk factor across the attack surface. Of the retail apps tested, 88% exhibited weak cryptography issues, leaving an exploitable gap for millions of users.
- Missing patches and out-of-date software are this year’s top vulnerability categories, putting retail businesses at risk of continued data breaches.
- Across all the pen testing findings, social engineering is the favored adversarial technique, given how effective it is at gaining an initial foothold in a company.
Penetration testing, also known as ethical hacking, is an authorized, simulated cyber-attack to identify weak spots in a system’s (or building’s) defenses that attackers could find and exploit. The practice has always been a standard line of defense in retail.
Until recently, most pen testing programs were conducted sporadically, on a point-in-time basis, usually following compliance schedules. For instance, annual pen tests are often pegged to PCI DSS audits and reported along timelines set by C-suites, boards of directors, and regulators. The research now shows that too many companies are moving to the cloud without mastering cloud security fundamentals or the practice of continuous, adversarial pen testing.
Without more frequent adversary emulation, detection and response capabilities suffer: defenders are left with an unclear view of an extremely complex attack surface while attackers play a far more aggressive offense with new AI-driven tactics.
Compared to other sectors, retail is characterized by high-volume customer, employee, and supply chain engagement, and by high exposure to ransomware and social engineering scenarios such as phishing. Much of retail IT and security operations is handled out of a central headquarters, with less technically skilled staff spread across multiple locations and often thousands of digital endpoints. Many environments remain tethered to legacy systems that interface with hybrid IT, with cloud workloads spinning up and down along seasonal sales cycles.
Unfortunately, often because of high brand recognition, retail is a magnet for attackers. The industry is especially vulnerable to the rising level of adversary sophistication, which demands a new mindset: relentlessly thinking ahead of attackers by validating defenses against relevant, real-world scenarios. This means taking a fresh look at sales cycles, customer traffic, and supply chain fluctuations that may never have been prioritized in risk management programs before, because the criminals themselves are taking a fresh look with the new tricks and tools at their disposal.
Retail risk management and mitigation demand continuous vigilance and oversight, treating the threat landscape as a perpetual vulnerability lifecycle rather than a point-in-time, incident- and audit-driven exercise. To do this, retail cyber teams need to turn the tables by emulating adversarial behaviors, employing a continuous cadence of validation testing, and injecting uncertainty into the attacker’s every move.
At a recent security roundtable featuring Shark Tank regular Robert Herjavec, cyber veteran Dave DeWalt of the venture capital firm Night Dragon, and Coalfire Systems CEO Tom McAndrew, the discussion zeroed in on new paradigms in threat levels, regulatory expansion (including the impact of the PCI DSS 4.0 revision), and new digital defense strategies. Their conclusion? Rather than defending network perimeters and data centers with traditional point-in-time assessments and testing, the trend is shifting toward a continuous offensive security mentality. This strategy relies on experienced security experts prioritizing enterprise-specific risk and then “thinking like the enemy” to simulate the attacks most likely to occur.
Perhaps what stands out most in our pen testing research this year is that human intelligence is not being replaced by automation. Every pen testing program needs to be “human-first.” There is no substitute for experience and intuition in prioritizing risk, and direct, in-the-trenches human intelligence helps security teams anticipate an attacker’s next move.
Despite retail falling behind, there is good news: businesses are recognizing that traditional security testing methods are no longer cutting it. It’s time for retail security to go on the offense, and the best offense is a threat-informed defense supported by human intelligence and continuous pen testing.
About the author
Pete Deros is a senior director at Coalfire, one of the nation’s most experienced cybersecurity assessment and advisory firms.