Powered by Membership Services Ltd

‘Tis the season’ for cybercriminals to infiltrate the supply chain

Cyber risk in retail is not a new concept. Retail is one of the most targeted industries when it comes to cyber attacks. In fact, over 50 per cent of global retailers were breached in the last year. Given the sensitive customer data these organisations often possess — like credit card information and personally identifiable information (PII) – it’s not surprising that attackers have been capitalising on the industry for decades.

The holiday shopping season can increase retailers’ cyber risk, with bad actors looking to take advantage of the massive surge of in-store and online shoppers that comes with it. What is important for retailers to keep in mind is that it’s not only their own network they have to worry about when it comes to mitigating cyber risk, but their entire supply chain ecosystem – from shipping distributors and production partners to point-of-sale technologies and beyond.

Take for example the infamous 2017 NotPetya attack that targeted large electric utilities, but actually ended up stalling operations for many retailers as a result. This nation-state attack had a snowball effect, wreaking havoc on shipping companies like FedEx and Maersk who are responsible for delivering many retail orders. FedEx operations were reduced to manual processes for pick-up, sort and delivery, and Maersk saw infections in part of its corporate network that paralysed some systems in its container business and prevented retail customers from booking ships and receiving quotes.

For retailers, a cyber disruption in the supply chain can fundamentally disrupt operations, causing catastrophic harm to brand reputation, financial performance and regulatory repercussions – and the stakes are even higher during the make-or-break holiday sales period. Here are some important steps they can take now to mitigate supply chain cyber risk this holiday season and beyond.

Step 1: Inventory your supply chain.

A business today relies on an average of 89 vendors a week that have access to their network in order to perform various crucial business. As outsourcing and cloud adoption continue to rise across retail organisations, it is critical that they keep an up-to-date catalogue of every third party and service provider in the digital (or brick-and-mortar) supply chain and their network access points. These supply chain ecosystems can be massive, but previous examples have taught us that security issues impacting any individual organisation can potentially disrupt the broader system.

An inventory of vendors and the systems they have access to allows security teams to keep track of all possible paths a cybercriminal may exploit and can help them better identify vulnerabilities and improve response time in the event of an incident.

Step 2: Take control of your third-party accounts.

Once you have a firm grasp of the supply chain, a critical focus should be to identify and manage any network accounts held by these organisations. While some suppliers may need access to complete their daily tasks, this shouldn’t mean handing them a full set of keys to the kingdom on their terms.

Retailers should ensure each vendor has an email account and credentials affiliated and managed by the retailer – not by the supplier organisation and certainly not the user themselves. By taking this step, the retailer can ensure they are the first point of notification if and when an incident occurs and are in full control over the remediation process.

Step 3: Assess your suppliers’ security posture.

Retail security teams often conduct regular internal audits to evaluate their own security posture but fail to do so effectively when it comes to their supply chain relationships.

While a supplier’s security posture doesn’t necessarily indicate that their products and services contain security flaws, in the cyber world, where there’s smoke, there’s eventually fire. Poor security performance can be indicative of bad habits that could lead to increased vulnerability and risk exposure.

Having clear visibility into supplier security performance can help retailers quickly pinpoint security vulnerabilities and cyber incidents, while significantly speeding up communication and action to address the security concern at hand.

Step 4: Continuously monitor for changes.

Third-party security performance assessment should not be treated as a one-and-done item on the supply chain management checklist.

The cyber threat landscape is volatile and ever-evolving, with new vulnerabilities and attack vectors cropping up virtually every day. That means retailers need solutions and strategies in place that provide a real-time, continuous and measurable pulse check of supplier security posture to ensure they are on top of potential threats before they impact the business and its customers.

Just as retailers track billions of packages and shipments in real-time to ensure there are no mistakes or bumps in the road, their vendor risk management program should be treated with the same due care.

This holiday season and beyond, it is critical that retailers invest in supply chain security management to reduce the risk of data breaches, slowdowns, and outages – and the costs and reputational damage that come along with them. After all, retailers are only as secure as their weakest third-party.

by Jake Olcott, VP, BitSight 

To access our news archive, use the search bar on the top right of this page. To view any articles/past magazine issues, you will need to subscribe or sign in.