In the midst of the retail industry’s most lucrative time of the year, a new report finds the industry ranks fifth in overall cybersecurity health out of 18 major industries.

“As a trust-based industry the retail industry has a compelling reason to move up within the ranks,” says the report by cybersecurity firm SecurityScorecard. The company analyzed more than 1,900 companies in the retail industry and compared the results to 17 other major industries across a variety of cybersecurity categories.

The holiday shopping season is expected to rake in up to $682 billion, according to the National Retail Foundation. However, “for retailers who are not paying enough attention to their cybersecurity health, [the start of the holiday shopping season] could mean the start of a slippery slope from cyberattacks to reduced sales and eventually to store closures,” the report says.

Retailers make a particularly tempting target for cyber criminals, owing to all the customer data and credit card information they retain, making even small retailers potential targets. “Retailers are a goldmine of personal data but their high-profile nature and sometimes aging complex systems make them a popular target for hackers,” said Jeremy Drew, partner at UK-based law firm RPC, which recently released its own report on the cybersecurity environment for the retail industry.

The National Retail Foundation says it’s working on long-term solutions with all parties to ensure that consumer information is protected. “Cybersecurity is a perpetual game of high-stakes leapfrog where each new level of security devised by legitimate businesses is quickly overcome by criminals,” the NRF says, “so there is no single answer and no single industry that can provide it.”

Source: Security Scorecard, 2017 Retail & E-Commerce Report

Because retail is essentially a trust-based business, cybersecurity mishaps can cause customers to bolt to competitors. Nineteen percent of customers won’t shop at a store that’s been hacked recently, the report says, and 33 percent of customers stay away for at least three months.

Retailers suffered more than 4,000 security incidents over the last year, the report says. “Compounded with the fact that a cyberattack may increase a company’s churn by 2.9 percent, having poor cybersecurity health can be a real threat to the financial viability of companies in this industry.”

A particular weakness in the retail and e-commerce sector involves application security. Web applications have grown in importance and are a tempting target for hackers, but such applications haven’t kept up with increasing security demands. The retail sector ranks near the bottom in terms of cybersecurity performance, the report says, and it’s getting worse. “This year, web application exploits were one of the most common cybersecurity attacks against e-commerce retailers, accounting for 13 percent of all attacks,” the report says.

The root of the problem can be tracked to the “decentralized ownership of technology in brick-and-mortar shops,” the report says. In such instances, unqualified personnel may have been installing critical equipment, such as WiFi networks. The result: Vulnerabilities are introduced into the network that remain undetected until it’s too late.

A 2013 report found that 64 percent of retail stores took more than 90 days to detect intrusions, with the average time being 210 days.

The retail industry also finished dead last in the area of “DNS Health,” which is critical for the authenticity of emails. Inadequate protection in this area can lead to “increased potential for phishing attacks—a type of attack where a hacker tricks consumers to visit a fraudulent site and attempts to steal login credentials or credit card information,” the report says.

Weakest Sector in Retail

An analysis of the bottom 50 U.S. retailers reveals that clothing stores were among the poorest performers. “There were more poor performing clothing stores than poor performing department stores, car dealerships, food stores, grocery/pharmacy stores, wholesale retailers, office supply stores, and stores selling sports good combined,” the report says.

Source: Security Scorecard, 2017 Retail & E-Commerce Report

Top retailers scored in the mid-A range across 10 security factors, while bottom retailers received an overall grade in the mid-C range, on average, with network security and patching cadence—how often software updates are installed—receiving a grade of D.

“Ultimately, as cyberattacks continue to steal the headlines and consumers become more educated on the potential risks of poor cybersecurity performance, the retail industry, especially its bottom performers, will require significant investments in cybersecurity to keep its doors—physical or digital—open from this holiday season to the next,” the report says.