Can Retailers Trust Their Third-Party Vendors?
For many retailers, working with third-party vendors is part and parcel of doing business, offering financial benefits and operational flexibility. However, as companies take increasing care to protect themselves against cyberattacks, their vendors often don’t face nearly as much scrutiny.
Third parties, which vary in their ability to safeguard against bad actors, may simply not be equipped to prevent sensitive company information from being stolen or compromised. Cyberattacks aren’t limited to specific stores or even regions. Global networks are now regularly subject to cyber threats, and cyberattacks are also not unique to online retailers.
Brick-and-mortar stores are susceptible to physical threats like card skimmers and social engineering scams, while connected devices are vulnerable to malware and hacking, potentially leaving company and customer payment information in the hands of cybercriminals.
In recent years, multiple high-profile retail data breaches have involved third-party vendors. Past cyberattacks have targeted a retailer’s third-party operator of its chat services, accessing customers’ names, addresses, credit card numbers, security codes and expiration dates.
There are a number of steps a company can take to mitigate damage and reduce risk of being impacted by a cyberattack on a third-party vendor. Some of these solutions include:
- Implement multi-factor authentication (MFA): Requiring MFA for non-console (remote) connections adds an extra layer of security, which greatly reduces the risk of attackers entering the system remotely.
- Assess the third party’s Payment Card Industry Data Security Standard (PCI DSS) compliance status. Reviewing the third party’s security controls from a PCI DSS perspective could reveal basic lapses in general cybersecurity.
- Establish system security baselines. Routine vulnerability assessments and annual penetration exercises will help you identify weak points in system security.
While the steps outlined above won’t eliminate cybersecurity threats, they will at the very least help the company identify the source of an attack and disrupt any ongoing leak of compromised information.
Detection and Response
Though an immediate response to a cyberattack is necessary, learning to prepare for and properly detect cybersecurity attacks is equally important in preventing damage. Proactive efforts to anticipate cyberattacks are a helpful means of detecting real cyber threats.
The following steps can help companies become more prepared for cyberattacks:
- Create an incident response protocol. Creating and distributing an incident response plan can educate responders on the importance of quick and decisive action when faced with a potential cyberattack.
- Run cyber threat simulations. Simulated threat-hunting exercises for employees will train them to respond efficiently when a real threat arises.
- Review network logs. Reviewing logs related to compromised systems can help the company identify potentially affected assets.
An increased reliance on third-party vendors in the retail industry coincides with the growth of cyberattacks. While companies are aware of such risks, their third-party affiliates are often unprepared for and overwhelmed by advanced hacking and malware tactics developed by bad actors.
Retailers must take the initiative to verify that their third-party vendors adhere to the company’s broader security standards, while also engaging in proactive efforts to detect and prevent attacks, as well as to mitigate damage should attacks occur. The suggestions outlined above are a good starting point for companies that want to implement the right measures to protect their own data and that of their customers in an increasingly digital age.
Michele Dupré is group vice president at Verizon Enterprise Solutions.