How Unsecured APIs Can Eat Up Retail Revenue

Image by Werner Moser from Pixabay

The retail sector has been transformed by the introduction and widespread adoption of digital technology, moving from physical storefronts, through the early days of internet retailing, to the modern retail and eCommerce ecosystem.

Each stage of this transformation has required the adoption of new technology. APIs are the current foundational building block, enabling the necessary connections between retailers, consumers and the supply chain. However, given the amount of personally identifiable information (PII) that those APIs expose, retail is an extremely attractive target for cybercriminals looking to exploit vulnerabilities for financial gain.

With inflation high, rising redundancies, and economic uncertainty, budgets are increasingly tightening. As a result, decision-makers in retail and eCommerce are no doubt finding it difficult to dedicate the required time and resources to ensuring resilient cyber defences, including API security.

This was reflected in our second annual API Disconnect report, which revealed that the UK retail and eCommerce sector had the second highest rate of API-led security incidents of all the sectors surveyed, with 88% of UK respondents saying that they had experienced an attack in the last 12 months, up from 77% in 2022.

Cybersecurity cat-and-mouse

Keeping your organisation protected is an ever-evolving battle between cybersecurity professionals and cybercriminals. When one attack vector is closed off, bad actors will work quickly to find another exploitable angle.

Zombie and dormant APIs, which were the preferred attack vectors in our 2022 report, are now responsible for less than 10% of incidents. The industry is, therefore, responding to the threat that unmanaged APIs can pose. However, the threat now lies with web applications and network firewalls, which are currently the leading attack vectors in this sector.

Confidence is high in testing tools, but is it misplaced?

Despite this, retail and eCommerce confidence in tools to test APIs for vulnerabilities has increased, with 88% stating that they had full confidence in their tools. Confidence levels have increased year-on-year, although with API-led security incidents also increasing when compared to 2022, there is a clear disconnect between perception and reality.

Just under a quarter of respondents in retail and eCommerce claim to test their APIs for vulnerabilities in real time, while under half said they test them once a day.

Additionally, 76% of respondents in retail and eCommerce stated that API security was more of a priority in 2023 than it was twelve months prior. On the surface, at least, this shows that senior security professionals recognise the growing threat that unsecured APIs pose, but this has not been reflected in action taken.

Retail API visibility is high, and sensitive data is at risk

Compared to other sectors, the visibility of APIs in retail and eCommerce inventories is high.

42% of UK retail and eCommerce respondents have a full inventory of APIs and know which return sensitive data, which is the ideal scenario and the standard that all organisations should strive for. A further 34% have a full inventory but do not know which APIs return sensitive data.

Over a fifth (22%) have only a partial inventory of APIs but know which return sensitive data. The remaining 2% have only a partial inventory of their APIs and no knowledge of which handle PII. Simply put, if retail and eCommerce companies don't have a full inventory of APIs, or don't know which return sensitive data, how can they protect the APIs that hold access to PII from attack?
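To make the two points above concrete (an inventory that records which endpoints return sensitive data, and the zombie and dormant APIs mentioned earlier), here is an added example that is not part of the original article and not Noname Security's own tooling. It builds an inventory from an OpenAPI document, flags operations whose response schemas carry PII or payment fields, and reconciles that inventory against gateway access logs: traffic hitting paths absent from the spec is reported as zombie (served but undocumented, for instance an old `/v1/` version still live), and documented operations with no traffic are reported as dormant. The OpenAPI fragment, the log lines and the list of sensitive field names are all constructed for the example.

```python
"""Added example: API inventory, sensitive-data flagging and zombie/dormant
reconciliation. Spec, log lines and field-name list are constructed inputs."""
import re

# Constructed OpenAPI 3 fragment for a hypothetical retail API (assumption).
OPENAPI_SPEC = {
    "paths": {
        "/v2/orders/{id}": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"type": "object", "properties": {
                "id": {"type": "string"},
                "customer": {"type": "object", "properties": {
                    "email": {"type": "string"},
                    "delivery_address": {"type": "string"}}},
                "payment": {"type": "object", "properties": {
                    "card_last4": {"type": "string"},
                    "iban": {"type": "string"}}}}}}}}}}},
        "/v2/products": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"type": "array", "items": {
                "type": "object", "properties": {
                    "sku": {"type": "string"},
                    "price": {"type": "number"}}}}}}}}}},
        "/v2/loyalty/balance": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"type": "object", "properties": {
                "points": {"type": "integer"}}}}}}}}},
    }
}

# Constructed gateway access log (Common Log Format). The /v1/ path is not in
# the spec: a retired version that is still being served.
ACCESS_LOG = """\
10.0.0.5 - - [20/Nov/2023:10:00:01 +0000] "GET /v2/orders/8812 HTTP/1.1" 200 512
10.0.0.7 - - [20/Nov/2023:10:00:02 +0000] "GET /v2/products HTTP/1.1" 200 2048
203.0.113.9 - - [20/Nov/2023:10:00:03 +0000] "GET /v1/customers/4411 HTTP/1.1" 200 640
203.0.113.9 - - [20/Nov/2023:10:00:04 +0000] "GET /v1/customers/4412 HTTP/1.1" 200 638
"""

# Field-name tokens that indicate PII or payment data. This list is an
# assumption for the example; production classifiers also inspect live
# response values, since field names alone miss a lot.
SENSITIVE_FIELD = re.compile(
    r"(?:^|_)(email|phone|address|iban|card|ssn|dob|passport|password)(?:_|$)", re.I)
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def sensitive_fields(schema, prefix=""):
    """Walk a JSON-schema fragment; return dotted names of sensitive fields."""
    found = []
    for name, sub in schema.get("properties", {}).items():
        full = f"{prefix}.{name}" if prefix else name
        if SENSITIVE_FIELD.search(name):
            found.append(full)
        found.extend(sensitive_fields(sub, full))
    if "items" in schema:  # arrays: descend into the item schema
        found.extend(sensitive_fields(schema["items"], prefix))
    return found


def build_inventory(spec):
    """Map 'METHOD /path' -> list of sensitive response fields (may be empty)."""
    inventory = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            fields = []
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    fields.extend(sensitive_fields(media.get("schema", {})))
            inventory[f"{method.upper()} {path}"] = fields
    return inventory


def sensitive_endpoints(inventory):
    """Operations that return at least one sensitive field."""
    return sorted(key for key, fields in inventory.items() if fields)


def template_to_regex(template):
    """Turn an OpenAPI path template such as /v2/orders/{id} into a matcher."""
    return re.compile("^" + re.sub(r"\{[^/]+\}", "[^/]+", template) + "$")


def observed_requests(log_text):
    """Parse (METHOD, path) pairs out of access-log lines, dropping query strings."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m.group("method"), m.group("path").split("?", 1)[0]))
    return out


def reconcile(inventory, requests):
    """Return {'zombie': served-but-undocumented, 'dormant': documented-but-unused}."""
    matchers = {key: template_to_regex(key.split(" ", 1)[1]) for key in inventory}
    seen, zombie = set(), set()
    for method, path in requests:
        hit = next((k for k, rx in matchers.items()
                    if k.startswith(method + " ") and rx.match(path)), None)
        if hit:
            seen.add(hit)
        else:
            zombie.add(f"{method} {path}")
    return {"zombie": sorted(zombie), "dormant": sorted(set(inventory) - seen)}


if __name__ == "__main__":
    inv = build_inventory(OPENAPI_SPEC)
    print("sensitive endpoints:", sensitive_endpoints(inv))
    print(reconcile(inv, observed_requests(ACCESS_LOG)))
```

Run as-is, the report shows `GET /v2/orders/{id}` as the one operation returning PII and payment data, the two `/v1/customers/...` requests as zombie traffic that no spec covers, and `GET /v2/loyalty/balance` as dormant in the sampled window. In practice the spec would be pulled from the gateway or repository and the log window would be long enough that "dormant" means something; the point is that the inventory and the traffic have to be compared, not just collected.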

Retail is an industry where a high level of customer experience and satisfaction can make or break reputations – and bottom lines. Any security incidents that pose a risk to information such as bank account details and delivery addresses will severely affect customer goodwill.

Our research reflects this, with 54% saying that incidents had resulted in a loss of customer goodwill and churned accounts. This also affected employees, with 58% of those surveyed saying that employee goodwill had taken a hit from outages caused by API breaches, as well as 42% reporting a loss of productivity.

As with other sectors, the retail and eCommerce industry is continuously under the regulatory spotlight, with any data breaches leading to heavy fines. Over half (52%) of survey respondents say regulators have handed them fines following API-led security incidents, the highest of any sector surveyed.

Protect yourself and your customers

The demand for APIs in the retail and eCommerce space will only increase as the sector becomes more integrated and complex. Yes, APIs are garnering more attention, and more emphasis is being placed on their security, but there are still concerning gaps between theory and action being taken.

APIs will continue to proliferate, with digital commerce becoming the dominant route to market. Retail and eCommerce organisations are behind the curve in securing their increasingly complex ecosystems. With the increased online footfall during peak shopping season providing a yearly opportunity to maximise revenue, bad actors can quickly undo retailers’ profits and reputation through unmanaged APIs at a time when they need it most.

Noname Security is the only company taking a complete, proactive approach to API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and API Security Testing. Noname Security is privately held, remote-first with headquarters in Silicon Valley and offices in Tel Aviv and Amsterdam.
