US retailers are still struggling to improve their defences against data breaches, with almost two thirds experiencing declining security performance using a methodology based on looking for traces of malware and compromise, security benchmarking vendor BitSight has reported.

In the year to November 2014, the firm found that 58 percent of the 300 retailers looked at had seen an average performance decline of 90 points on a scale that runs from 250 to a maximum (and ideal) score of 900.

Another 34 percent saw their scores increase by around 70 points, with only eight percent stuck on the same score as a year ago. BitSight also looked at 20 large retailers that had suffered public data breaches, finding that three quarters had improved by an average of 50 points.

So most retailers appear to be getting better, especially those that have experienced break-ins, more or less what one would expect of a sector that has come under unprecedented attack in the last three years.

According to BitSight, a third of retail breaches originated with a compromise at a third-party vendor, a comment on the complexity of the modern retail supply chain. If that statistic accurately reflects the scale of the problem at partners, retailers have a massive problem on their hands trying to stem the number of future security breaches.

The volume of malware detected by BitSight (which forms the foundation of its methodology) isn't encouraging. Malware ‘servers’ were up 200 percent, botnets by 29 percent, and potentially exploited hosts by 78 percent. Only spam was down, by 21 percent.

Incident response times also got worse, lengthening from 1.26 days a year ago to 1.33 days now.

“While it’s encouraging that a majority of the breached retailers have improved their security effectiveness, there is more work to be done, especially in the area of vendor risk management,” said BitSight co-founder and CTO, Stephen Boyer.

“We are seeing retail take steps in the right direction, with the formation of the Retail Information Sharing and Analysis Center to increase intelligence sharing among retailers in the U.S., but more improvements are needed.”

BitSight’s methodology is very much of its own design, and whether one can infer a rise or decline in retail sector security performance from it is contentious. In truth nobody really knows with any certainty what is going on inside the sector after a summer that saw numerous compromises. The assumption is that security is improving, but this remains speculation unless incident frequency actually declines.

What counts for individual vendors isn’t the sector’s performance but their own security-worthiness.

Earlier this year, BitSight carried out a similar security assessment of S&P 500 firms, spotting weaknesses in healthcare and pharmaceuticals. The firm also tracked the persistence of the infamous Mac Flashback Trojan in US universities.