Can Retailers Trust Their Third-Party Vendors?
For many retailers, working with third-party vendors is part and parcel of doing business, offering financial benefits and operational flexibility. However, as companies take increasing care to protect themselves against cyberattacks, their vendors often don’t face nearly as much scrutiny.
Third parties, which vary in their ability to safeguard against bad actors, may simply not be equipped to prevent sensitive company information from being stolen or compromised. Cyberattacks aren’t limited to specific stores or even regions. Global networks are now regularly subject to cyber threats, and cyberattacks are not unique to online retailers.
Brick-and-mortar stores are susceptible to physical threats like card skimmers and social engineering scams while connected devices are vulnerable to malware and hacking, potentially leaving company and customer payment information in the hands of cybercriminals.
In recent years, multiple high-profile retail data breaches have involved third-party vendors. Past cyberattacks have targeted the third-party operators of retailers’ chat services, accessing customers’ names, addresses, credit card numbers, security codes and expiration dates.
There are a number of steps a company can take to mitigate damage and reduce the risk of being impacted by a cyberattack on a third-party vendor. Some of these solutions include:
- Implement multi-factor authentication (MFA). MFA for non-console connections adds an extra layer of security, which greatly reduces the risk of attackers entering the system remotely.
- Assess the third party’s Payment Card Industry Data Security Standard (PCI DSS) compliance status and risk. Reviewing the third party’s security controls from a PCI DSS perspective could reveal basic lapses in general cybersecurity.
- Establish system security baselines. Routine vulnerability assessments and annual penetration exercises will help you identify weak points of system security.
While the steps outlined above won't eliminate cybersecurity threats, they will at the very least help the company identify the sources of the attack and disrupt any ongoing leak of compromised information.
Detection and Response
Though immediate responses to a cyberattack are necessary, learning to prepare for and properly detect cybersecurity attacks is equally important in preventing damage. Proactive efforts in anticipating cyberattacks are a helpful means towards detecting real cyber threats.
The following steps can help companies become more prepared for cyberattacks:
- Create an incident response protocol. Creating and distributing an incident response plan can educate responders on the importance of quick and succinct action when faced with a potential cyberattack.
- Test cyber threat simulations. Simulated threat-hunting exercises for employees will train them to respond efficiently when a real threat arises.
- Review network logs. Reviewing logs related to compromised systems can help the company identify potentially affected assets.
An increased reliance on third-party vendors in the retail industry coincides with the growth of cyberattacks. While companies are aware of such risks, their third-party affiliates are often unprepared for and overwhelmed by advanced hacking and malware tactics developed by bad actors.
Retailers must take the initiative to verify that their third-party vendors adhere to their company’s broader security standards, while also engaging in proactive counter efforts to detect and prevent attacks, as well as to mitigate damage should attacks occur. The suggestions outlined above are a great starting point for companies that want to implement the right measures to protect their own data and that of their customers in an increasingly digital age.
Michele Dupré is group vice president at Verizon Enterprise Solutions.