How Unsecured APIs Can Eat Up Retail Revenue


The retail sector has been transformed by the introduction and widespread adoption of digital technology: from physical storefronts, through the early days of internet retailing, to today's retail and eCommerce ecosystem.

Each stage of this transformation has required new technology, and APIs are the current foundational building block, providing the connections between retailers, consumers and the supply chain. However, given the volume of personally identifiable information (PII) those connections carry, retail is an extremely attractive target for cybercriminals looking to exploit vulnerabilities for financial gain.

With inflation high, redundancies rising and economic uncertainty persisting, budgets are tightening, and decision-makers in retail and eCommerce are no doubt finding it difficult to dedicate the time and resources needed for resilient cyber defences, including API security.

This was reflected in our second annual API Disconnect report, which revealed that the UK retail and eCommerce sector had the second highest rate of API-led security incidents of all the sectors surveyed, with 88% of UK respondents saying that they had experienced an attack in the last 12 months, up from 77% in 2022. 

Cybersecurity cat-and-mouse

Keeping your organisation protected is an ever-evolving battle between cybersecurity professionals and cybercriminals. When one attack vector is closed off, bad actors quickly look for another exploitable angle.

The research bears this out. Zombie and dormant APIs, the preferred attack vector in our 2022 report, are now responsible for less than 10% of incidents, which suggests the industry is responding to the threat posed by unmanaged APIs. The leading attack vectors in this sector are now web application firewalls and network firewalls.

More testing needed, but confidence is high

Despite this, retail and eCommerce confidence in tools for testing APIs for vulnerabilities has increased, with 88% stating that they had full confidence in their tools. Confidence has risen year on year, yet API-led security incidents have also increased compared with 2022, so there is a clear disconnect between perception and reality.

Just under a quarter of respondents in retail and eCommerce say they test their APIs for vulnerabilities in real time, while under half said they test them once a day.

Additionally, 76% of respondents in retail and eCommerce stated that API security was more of a priority in 2023 than it was twelve months earlier. On the surface at least, this shows that senior security professionals recognise the growing threat that unsecured APIs pose, but that recognition has not been reflected in the action taken.

Retail API visibility is high but sensitive data is at risk

Compared to other sectors, the visibility of APIs in retail and eCommerce inventories is high. 

42% of UK retail and eCommerce respondents have a full inventory of APIs and know which of them return sensitive data. A further 34% have a full inventory but do not know which APIs return sensitive data, and over a fifth (22%) have only a partial inventory but do know which return sensitive data. Simply put, if retail and eCommerce companies do not have a full inventory of their APIs, or do not know which of them return sensitive data, how can they protect the APIs that expose PII from attack?
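The two gaps described above, dormant APIs that nobody is watching and inventoried APIs whose sensitive-data exposure is unknown, are both inventory questions, and both can be answered from artefacts most teams already have: an OpenAPI document and the gateway access log. The following script is an added example, not code from the report or from the survey's authors, and it uses a constructed OpenAPI-style dict, a made-up list of PII field-name patterns, and four constructed access-log lines. It classifies documented endpoints by whether their response schemas contain PII-looking fields, counts traffic per documented route, flags documented routes with no traffic (dormant) and flags requests to routes that are not in the inventory at all (shadow).

```python
"""Added example (not from the original article): cross-check an API inventory
(an OpenAPI-style document) against access-log traffic to find
  (a) endpoints whose responses carry PII-looking fields,
  (b) documented endpoints that receive no traffic (dormant / zombie candidates),
  (c) requests to routes the inventory does not know about (shadow APIs).
The spec, the PII field patterns and the log lines are all constructed for illustration."""
import re
from collections import Counter

# Constructed inventory in OpenAPI shape (not a real retailer's spec).
OPENAPI = {
    "paths": {
        "/v1/orders/{id}": {"get": {"responses": {"200": {"schema": {"properties": {
            "id": {}, "delivery_address": {}, "card_last4": {}}}}}}},
        "/v1/products": {"get": {"responses": {"200": {"schema": {"properties": {
            "sku": {}, "price": {}}}}}}},
        "/v1/customers/{id}": {"get": {"responses": {"200": {"schema": {"properties": {
            "email": {}, "phone": {}, "iban": {}}}}}}},
        # Documented but no longer called by anything: a dormant endpoint that still returns PII.
        "/v0/legacy/export": {"get": {"responses": {"200": {"schema": {"properties": {
            "email": {}, "full_name": {}}}}}}},
    }
}

# Assumed field-name heuristics for PII; a real deployment would use the schema's own
# data classification tags rather than name matching alone.
PII_FIELD_RE = re.compile(r"email|phone|iban|address|card|name|dob|passport", re.I)

# Constructed access-log lines in Common Log Format. Note the undocumented /internal route.
ACCESS_LOG = """\
203.0.113.7 - - [10/Nov/2023:10:00:01 +0000] "GET /v1/orders/1234 HTTP/1.1" 200 512
203.0.113.7 - - [10/Nov/2023:10:00:02 +0000] "GET /v1/products HTTP/1.1" 200 2048
203.0.113.7 - - [10/Nov/2023:10:00:03 +0000] "GET /v1/products?page=2 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Nov/2023:10:00:05 +0000] "GET /v1/customers/77 HTTP/1.1" 200 340
198.51.100.9 - - [10/Nov/2023:10:00:06 +0000] "GET /internal/debug/dump HTTP/1.1" 200 90000
"""

# Extracts method and path (query string dropped) from the request field of a CLF line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^\s?]+)(?:\?\S*)? HTTP/')


def path_to_regex(template):
    """'/v1/orders/{id}' -> regex matching exactly one concrete segment per {param}."""
    parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "$")


def documented_routes(spec):
    """All 'METHOD /path' keys in the inventory, with a matcher for each."""
    return [(f"{m.upper()} {p}", m.upper(), path_to_regex(p))
            for p, ops in spec["paths"].items() for m in ops]


def pii_endpoints(spec):
    """Map 'METHOD /path' -> sorted response fields whose names look like PII."""
    found = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            fields = set()
            for resp in op.get("responses", {}).values():
                props = resp.get("schema", {}).get("properties", {})
                fields.update(f for f in props if PII_FIELD_RE.search(f))
            if fields:
                found[f"{method.upper()} {path}"] = sorted(fields)
    return found


def classify_traffic(spec, access_log):
    """Count hits per documented route; collect requests that match no documented route."""
    routes = documented_routes(spec)
    hits, shadow = Counter(), []
    for line in access_log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line; skip rather than guess
        for key, method, rx in routes:
            if method == m["method"] and rx.match(m["path"]):
                hits[key] += 1
                break
        else:
            shadow.append(f"{m['method']} {m['path']}")
    return hits, shadow


def risk_report(spec, access_log):
    """Combine the three views into one report a security team could act on."""
    pii = pii_endpoints(spec)
    hits, shadow = classify_traffic(spec, access_log)
    dormant = sorted(key for key, _, _ in documented_routes(spec) if key not in hits)
    return {
        "pii_endpoints": pii,
        "dormant_endpoints": dormant,
        "dormant_pii_endpoints": sorted(k for k in dormant if k in pii),
        "shadow_requests": sorted(set(shadow)),
    }


if __name__ == "__main__":
    for section, value in risk_report(OPENAPI, ACCESS_LOG).items():
        print(f"{section}: {value}")
```

Against the constructed inputs the report lists the orders and customers endpoints as returning PII, names the legacy export as a dormant endpoint that still exposes email and full name, and surfaces the undocumented /internal/debug/dump route as shadow traffic. In practice the same three checks run on a schedule, with the shadow list fed back into the inventory and the dormant-with-PII list treated as a decommissioning queue.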

In an industry where the quality of the customer experience can make or break a retailer's reputation, and its bottom line, any security incident that puts information such as bank account details and delivery addresses at risk will severely damage customer goodwill.

This is reflected in our research, with 54% saying that incidents had resulted in a loss of customer goodwill and churned accounts. Employees were affected too: 58% of those surveyed said that employee goodwill had taken a hit from outages caused by API breaches, and 42% reported a loss of productivity.

As with other sectors, the retail and eCommerce industry is continuously under the regulatory spotlight, and data breaches can lead to heavy fines. Over half (52%) of survey respondents say they have been fined by regulators following API-led security incidents, the highest proportion of any sector surveyed.

Protect yourself and your customers

The demand for APIs in the retail and eCommerce space will only increase as the sector becomes more integrated and complex. APIs are garnering more attention, and more emphasis is being placed on their security, but there are still concerning gaps between what organisations say and what they do.

As the number of APIs continues to proliferate and digital commerce becomes the dominant route to market, retail and eCommerce organisations are behind the curve in securing their increasingly complex ecosystems. The increased online footfall of peak shopping season is a yearly opportunity to maximise revenue, and it is precisely then that bad actors can quickly undo a retailer's profits and reputation through unmanaged APIs.