API Security Should be Top of Mind for Retailers Year-Round, Beyond the Holiday Shopping Season

February 9, 2024
Karl Mattson, SCB Contributor

The stakes are high for retailers during the holiday shopping season and beyond: Revenue potential is massive, customer expectations are through the roof, and brand loyalty is on the line. Any mishaps—including a security breach—could spell disaster. 

Vans owner VF Corp. unfortunately met that fate when it experienced a cyberattack that hampered its ability to fulfill some of its orders prior to the holidays. As a result, the company’s stock dropped by 7%. The holiday shopping season has come and gone, but that doesn’t mean retailers can breathe easy just yet (or ever, really).

Retail companies are more vulnerable than ever to cyberattacks, and present a perfect target for hackers. They are especially prone to strained networks due to increased traffic and spikes in transactions during peak seasons or because an item got highlighted on social media. Further, with an employee turnover rate notoriously higher than other industries, there are huge opportunities for human error — depending on who you ask, anywhere from 88 to 95 percent of data breaches are caused by employee mistakes.

Application programming interface (API) security incidents for retail and e-commerce organizations are a particular concern, and are on the rise. APIs act as both an entry point and getaway car for hackers to steal private information. Securing them is challenging since retail companies have a massive number of APIs at any given time — many of which they’re unaware of. 

They’re also indispensable. APIs play an essential role in helping retailers personalize digital experiences, streamline their operations, and provide seamless engagement for customers. Retail companies also use APIs to experiment and facilitate faster collaboration, enabling them to use data to create innovative experiences that increase customer engagement. 

Given this, fortifying API security should be a top priority. Here are some of the key trends making retail companies increasingly susceptible to API attacks, and some ideas about how to mitigate the risk. 

Social Commerce + Personalization + Pricing = APIs Galore

Social media platforms like Facebook, Instagram, and TikTok have become major e-commerce players, in part due to their seamlessly integrated shopping features that let users purchase products directly on the platform. Nearly half (47 percent) of U.S. consumers have made a purchase through social media, and a staggering 87 percent of shoppers say social media helps them make shopping decisions. 

Additionally, consumers are increasingly seeking out personalized shopping experiences, and retailers are leveraging data analytics and artificial intelligence (AI) to provide customized products and shopping experiences. Finally, e-commerce retailers are facing pricing pressures: Since customers can quickly and easily check prices online, the pressure toward commoditization is greater than ever, especially when selling on platforms like Amazon, where pricing is always in flux. 

APIs are a critical technology underpinning and powering these trends. With APIs, retailers can transform their systems and processes quickly and efficiently, benefiting both their business and customers. APIs make retailers more accessible to customers by enabling services like buy-online-pick-up-in-store (BOPIS), curbside pickup, the fulfillment of orders through delivery partners, personalized online shopping recommendations, and social commerce integrations.

This expanded ecosystem drives innovation, but it also exposes retail companies to a growing cyber threat landscape. Cybercriminals are becoming smarter and more sophisticated by the day, and the gaps in security that APIs create are a prime attack vector. 

Maintaining API Security Year-Round

To effectively address API security, retail organizations need a strategy that spans discovery, posture management, runtime protection, and API security testing. API security must be managed across each API’s entire lifecycle — not just at a single point in time (such as when a hacker is actively trying to steal a shopper’s credit card information). Retail organizations can do this by embedding secure principles from the time they begin building a new application all the way through the API lifecycle.

Retailers can’t protect what they can’t see, so this process starts with discovery. This includes determining how many APIs the company has and what types of information traverse them. From there, retailers need the ability to analyze their APIs’ behavior to detect potential threats. This is a superhuman job that is best suited for automated, AI-based solutions that can identify a broad set of API vulnerabilities, including data leakage, data tampering, misconfigurations, data policy violations, suspicious behavior, and attacks. 
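To make the discovery step concrete, here is an added sketch (not code from the article or from any vendor) that builds an API inventory from gateway traffic, compares it with the documented endpoint list, and records which kinds of sensitive data each endpoint returns. The log format, endpoint paths and documented inventory are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory: the endpoints the API team believes it runs (hypothetical).
DOCUMENTED = {("GET", "/v1/products/{id}"), ("GET", "/v1/orders/{id}"), ("POST", "/v1/orders")}

# Constructed gateway log: method, path, and a sample of the response body.
SAMPLE_LOG = """\
GET /v1/products/1842 {"sku":"VN-0A4U","price":64.99}
GET /v1/orders/77120 {"status":"shipped","email":"pat@example.com"}
GET /internal/customers/5531/cards {"pan":"4111111111111111","exp":"12/27"}
GET /v1/promo/legacy/44 {"code":"SPRING","email":"lee@example.com"}
GET /internal/customers/5532/cards {"pan":"5500005555555559","exp":"01/26"}
"""

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PAN = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits):
    # Luhn checksum: filters out long numbers that are not card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def template(path):
    # Collapse numeric path segments so /orders/1 and /orders/2 count as one endpoint.
    return "/".join("{id}" if s.isdigit() else s for s in path.split("/"))

def classify(body):
    # Which sensitive data types appear in this response sample?
    kinds = {"email"} if EMAIL.search(body) else set()
    if any(luhn_ok(m) for m in PAN.findall(body)):
        kinds.add("card_number")
    return kinds

def discover(log_text, documented):
    # Observed endpoint -> whether it is documented and what data traverses it.
    seen = defaultdict(set)
    for line in log_text.splitlines():
        method, path, body = line.split(" ", 2)
        seen[(method, template(path))] |= classify(body)
    return {ep: {"documented": ep in documented, "data": sorted(k)} for ep, k in seen.items()}

def undocumented_sensitive(inventory):
    # Endpoints nobody listed that nevertheless return sensitive data.
    return sorted(ep for ep, i in inventory.items() if not i["documented"] and i["data"])
```

On the sample traffic, the two undocumented endpoints that surface are the ones returning card numbers and email addresses, which is the gap discovery is meant to close before detection and testing can cover it.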

Even if you have visibility and detection capabilities, API attacks still happen, so retail companies also need the ability to prevent attacks in real time, as well as to fix any misconfigurations. However, it’s easiest to prevent problems before they happen, so it’s important to actively test APIs as part of the software development lifecycle, in order to identify issues prior to production. This can save retailers a lot of pain, time and money. 

As trends like social commerce and personalization continue to proliferate, more APIs will be necessary to “wow” customers with exceptional shopping experiences. By implementing a security strategy that safeguards APIs throughout the entire lifecycle, retail companies can protect customer data, prevent harmful breaches, and create a stellar customer experience that keeps buyers coming back — during holiday shopping season and beyond. 

Karl Mattson is CISO at Noname Security.
