‘Tis the (Holiday Retail) Season for Cybercriminals to Infiltrate the Supply Chain
Cyber risk in retail isn't a new concept. Retail is one of the most targeted industries when it comes to cyber attacks. In fact, over 50 percent of global retailers were breached in the last year. Given the sensitive customer data these organizations often possess (e.g., credit card information and personally identifiable information), it’s not surprising that attackers have been capitalizing on the industry for decades.
The holiday shopping season can increase retailers’ cyber risk, with bad actors looking to take advantage of the massive surge of in-store and online shoppers that comes with it. What's important for retailers to keep in mind is that it’s not only their own network they have to worry about when it comes to mitigating cyber risk, but their entire supply chain ecosystem — from shipping distributors and production partners to point-of-sale technologies and beyond.
Take for example the infamous 2017 NotPetya attack that targeted large electric utilities, but actually ended up stalling operations for many retailers as a result. This nation-state attack had a snowball effect, wreaking havoc on shipping companies like FedEx and Maersk, which are responsible for delivering many retail orders. FedEx's operations were reduced to manual processes for pickup, sort and delivery, and Maersk saw infections in part of its corporate network that paralyzed some systems in its container business and prevented retail customers from booking ships and receiving quotes.
For retailers, a cyber disruption in the supply chain can fundamentally disrupt operations, causing catastrophic harm to brand reputation and financial performance and bringing regulatory repercussions — and the stakes are even higher during the make-or-break holiday sales period. Here are some important steps retailers can take now to mitigate supply chain cyber risk this holiday season and beyond.
Step 1: Inventory Your Supply Chain
A business today relies on an average of 89 vendors a week that have access to its network in order to perform various crucial business functions. As outsourcing and cloud adoption continue to rise across retail organizations, it's critical that they keep an up-to-date catalogue of every third party and service provider in the digital or brick-and-mortar supply chain, as well as their network access points. These supply chain ecosystems can be massive, but previous examples have taught us that security issues impacting any individual organization can potentially disrupt the broader system.
An inventory of vendors and the systems they have access to allows security teams to keep track of all possible paths a cybercriminal may exploit. This information can help them better identify vulnerabilities and improve response time in the event of an incident.
Step 2: Take Control of Your Third-Party Accounts
Once you have a firm grasp of the supply chain, a critical focus should be to identify and manage any network accounts held by these organizations. While some suppliers may need access to complete their daily tasks, this shouldn’t mean handing them a full set of keys to the kingdom on their terms.
Retailers should ensure each vendor has an email account and credentials affiliated with and managed by the retailer, not by the supplier organization and certainly not by the user themselves. By taking this step, the retailer can ensure it's the first point of notification if and when an incident occurs, and is in full control over the remediation process.
Step 3: Assess Your Suppliers’ Security Posture
Retail security teams often conduct regular internal audits to evaluate their own security posture, but fail to do so effectively when it comes to their supply chain relationships.
While a supplier’s security posture doesn’t necessarily indicate that their products and services contain security flaws, in the cyber world, where there’s smoke, there’s eventually fire. Poor security performance can be indicative of bad habits that could lead to increased vulnerability and risk exposure.
Having clear visibility into supplier security performance can help retailers quickly pinpoint security vulnerabilities and cyber incidents, while significantly speeding up communication and action to address the security concern at hand.
Step 4: Continuously Monitor for Changes
Third-party security performance assessment shouldn't be treated as a one-and-done item on the supply chain management checklist.
The cyber threat landscape is volatile and ever-evolving, with new vulnerabilities and attack vectors cropping up virtually every day. That means retailers need solutions and strategies in place that provide a real-time, continuous and measurable pulse check of supplier security posture to ensure they're on top of potential threats before they impact the business and its customers.
Just as retailers track billions of packages and shipments in real time to ensure there are no mistakes or bumps in the road, their vendor risk management program should be treated with the same due care.
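The four steps above can be run as one recurring check over a vendor register. The script below is an added illustration, not code from the article or from BitSight: it keeps an inventory of vendors and the network access points they use (Step 1), flags vendor accounts whose login identity is not in the retailer's own domain (Step 2), flags vendors whose last security assessment is older than policy allows (Step 3), and diffs two snapshots of the register to surface new vendors, new access paths and posture drops (Step 4). The retailer domain, the 90-day reassessment window, the 10-point drop threshold, the 0-100 posture scale and every vendor record are constructed assumptions for the example.

```python
"""Third-party risk register check: inventory, account ownership, assessment age,
and snapshot-to-snapshot change detection. All vendor data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

RETAILER_DOMAIN = "example-retailer.test"   # assumed: identity domain the retailer controls
MAX_ASSESSMENT_AGE = timedelta(days=90)      # assumed policy: reassess at least quarterly
SCORE_DROP_ALERT = 10                        # assumed policy: alert on a drop of 10+ points


@dataclass(frozen=True)
class Vendor:
    name: str
    category: str             # shipping, pos, production, ...
    access_points: frozenset  # network entry points the vendor uses (VPN, SFTP, API, ...)
    account_domain: str       # domain of the login identity the vendor's staff use
    last_assessed: date       # date of the most recent security posture assessment
    posture_score: int        # 0..100, higher is better (constructed rating scale)


def access_paths(vendors):
    """Step 1: every network entry point in the register and which vendors use it."""
    paths = {}
    for v in vendors:
        for ap in v.access_points:
            paths.setdefault(ap, []).append(v.name)
    return {ap: sorted(names) for ap, names in sorted(paths.items())}


def unmanaged_accounts(vendors, retailer_domain=RETAILER_DOMAIN):
    """Step 2: vendors whose accounts are not issued and managed by the retailer."""
    return sorted(v.name for v in vendors
                  if v.account_domain.lower() != retailer_domain.lower())


def stale_assessments(vendors, today, max_age=MAX_ASSESSMENT_AGE):
    """Step 3: vendors whose last assessment is older than the policy window."""
    return sorted(v.name for v in vendors if today - v.last_assessed > max_age)


def detect_changes(previous, current, drop_alert=SCORE_DROP_ALERT):
    """Step 4: diff two register snapshots for new/removed vendors, new access paths
    and posture score drops at or above the alert threshold."""
    prev = {v.name: v for v in previous}
    curr = {v.name: v for v in current}
    changes = {
        "added": sorted(curr.keys() - prev.keys()),
        "removed": sorted(prev.keys() - curr.keys()),
        "new_access_points": {},
        "posture_drops": {},
    }
    for name in curr.keys() & prev.keys():
        new_paths = curr[name].access_points - prev[name].access_points
        if new_paths:
            changes["new_access_points"][name] = sorted(new_paths)
        drop = prev[name].posture_score - curr[name].posture_score
        if drop >= drop_alert:
            changes["posture_drops"][name] = (prev[name].posture_score, curr[name].posture_score)
    return changes


def findings(previous, current, today):
    """Run all four checks against the current snapshot."""
    return {
        "access_paths": access_paths(current),
        "unmanaged_accounts": unmanaged_accounts(current),
        "stale_assessments": stale_assessments(current, today),
        "changes": detect_changes(previous, current),
    }


# Constructed sample snapshots: last week's register and this week's.
TODAY = date(2019, 11, 25)
LAST_WEEK = [
    Vendor("ParcelCo", "shipping", frozenset({"sftp-edi"}), RETAILER_DOMAIN, date(2019, 9, 1), 82),
    Vendor("RegisterTech", "pos", frozenset({"vpn-pos"}), "registertech.test", date(2019, 7, 15), 75),
    Vendor("WidgetWorks", "production", frozenset({"api-orders"}), RETAILER_DOMAIN, date(2019, 10, 20), 90),
]
THIS_WEEK = [
    Vendor("ParcelCo", "shipping", frozenset({"sftp-edi", "vpn-warehouse"}), RETAILER_DOMAIN, date(2019, 9, 1), 82),
    Vendor("RegisterTech", "pos", frozenset({"vpn-pos"}), "registertech.test", date(2019, 7, 15), 60),
    Vendor("WidgetWorks", "production", frozenset({"api-orders"}), RETAILER_DOMAIN, date(2019, 10, 20), 90),
    Vendor("GiftWrapCo", "production", frozenset({"api-orders"}), "gmail.test", date(2019, 11, 24), 70),
]

if __name__ == "__main__":
    for key, value in findings(LAST_WEEK, THIS_WEEK, TODAY).items():
        print(f"{key}: {value}")
```

Run as-is, the report shows a seasonal supplier (GiftWrapCo) appearing with a personal-mail login, an existing shipper gaining a new VPN entry point, a point-of-sale vendor whose assessment is overdue and whose score has dropped, and which vendors share the same API entry point. Each of those is exactly the kind of change the continuous-monitoring step is meant to catch before the holiday peak rather than after an incident.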
This holiday season and beyond, it's critical that retailers invest in supply chain security management to reduce the risk of data breaches, slowdowns, and outages — and the costs and reputational damage that come along with them. After all, retailers are only as secure as their weakest third party.
Jake Olcott is vice president of BitSight, a security ratings company.