James Fleming
Customer Account Executive

Retail Under Attack: 6 Learnings from a Retail Customer

A security breach costs a retail organization an average of $3.48M — and traditional security measures can’t keep up with evolving threats. How are retail and e-commerce organizations staying ahead of today’s threat landscape? In our recent Retail Under Attack webinar, I spoke with Fynn Fabry, Security Operator with Swiss sportswear brand On, to learn the real-world benefits and practicalities of a human-powered security testing program for retail and e-commerce.

1. Retail and E-commerce Are Prone to Credential-based Attacks

“Credential-based attacks are evergreen.”

When asked what significant security threats are prevalent in the retail and e-commerce industry, Fynn Fabry hammers home credential-based attacks. They say,

“One of the biggest threats is credential-based security issues. Of course, you can prevent some of them by rate limiting to keep your customers secure. But at the end of the day, if somebody else has a data breach and some of your customers have recycled their passwords, those passwords are out in the open. You cannot really do anything about that. If it wasn't your data breach, what are you gonna do?”

2. Utilize Security Best Practices

“Best practices are best practices for a reason.”

Fynn Fabry explains that most best practices aren’t just made up — there are tried-and-true methods for implementing proactive security measures to prevent attacks in every industry, including retail settings.

“If you want to introduce a new security measure or system, look up if there is a best practice around it. Be proactive in talking to your development team instead of weaving them in retroactively. If you’re developing something in-house, it’s much more work than asking for their consultation from the get-go.”

Fabry says a “core” best practice in protecting customer data is the Principle of Least Privilege.

“The Principle of Least Privilege should not only apply to customer data but to any system that holds data. It means that people only get privileges on the systems they actually need. Of course, you can’t assign every privilege one by one, but for most systems, you need more than just users and administrators; some roles are more granular with respect to what they need from the system.”

3. How to Measure Bug Bounty ROI

Every organization has different security needs and goals, which makes measuring the ROI or return on risk mitigation unique for every program. Fynn Fabry shares how On measures value in bug bounty:

“Every six months, I make a summary of how many of the reports we received were fixed. It’s important to recognize the reports that ruffled some feathers and made people ask how we didn’t know about that vulnerability. I take that into account when I’m trying to estimate if it’s still worth it, and so far, it always has been. If you get a significant number of reports that you remember when you look at the title, that’s a good indicator that your bug bounty program is giving you value.”

4. Rely On Your Security Vendors to Stay Ahead of Threats

“Talk to your security vendors.”

Security professionals need to stay ahead of an ever-evolving threat landscape. Fynn Fabry’s advice to other security professionals is to work with your security vendors to stay up to date. 

“Ask HackerOne or your other security vendors what they think. They have many other customers in similar situations as you. They try to be proactive and gather threat intelligence for you, so ask them questions every now and then to understand what’s going on in the threat landscape.”

Fabry also recommends keeping up with cybersecurity news to stay on top of threats. At On, they identify their best cybersecurity news outlets or pieces of cybersecurity news and add them to the company news feed in the morning. To get started, Fabry’s favorites are:

5. Engage With the Hacker Community

“Talk to hackers.”

Fabry emphasizes the value of threat intelligence gained through keeping in touch with the hacker community.

“If you’re a HackerOne customer, you’re already talking to hackers. But also try to keep someone on your security team in touch with the hacker community. There are a lot of options: conferences, conventions, etc. If someone on your team wants to attend a hacker event, enable them to do it. I know it can be expensive, but it’s absolutely worth it to engage with the hacker community.”

6. Working With Hackers Provides a Global Security Perspective  

“The biggest benefit is the vast amount of knowledge you get when you engage with such a large community.”

Fabry explained that On likes to work with different security researchers because the same professionals or vendors will often approach a test the same way every time. But different researchers might find something the first one missed simply because their perspective is different. On sees this as a key value of working with the hacking community.

“If you have a bug bounty program with people from all over the world, from every country and every culture, they go at it with different views and ideas of how the systems might work. You get far more differing views than if you only had a small community.”


To hear more retail and e-commerce insights from Fynn Fabry and On, watch the Retail Under Attack webinar on demand.
