Cyberthreats evolve constantly, but one rule endures: hackers will never break down your front door if they can get in through an open window. Most retailers are keenly aware that the credit card and customer data on their networks is a prime target for hackers, and so they barricade access points to their websites and ecommerce systems to ward off intrusion. But their cybersecurity teams pay much less attention to the sprawling network of vendors in the supply chain. For hackers this is a window of opportunity.
Supply chains for large retailers can involve tens of thousands of manufacturers, haulage firms, technology vendors and other suppliers spread throughout the world. At the best of times, this presents a vast attack surface for criminals. But with retailers being forced into a make-or-break pivot to digital and cramming four or five years of ecommerce growth into a few months, supply chains have been reorganized in haste and stretched to their limit. Ensuring their supply chains are secure should be a priority for retailers’ cybersecurity teams. Here are four steps to take to protect them.
1. Conduct a cybersecurity audit
With thousands of different companies involved, supply chains are protected by a patchwork of cybersecurity policies and practices. Critical vulnerabilities can be found in unexpected places. Before the NotPetya attack rampaged through Europe in 2017, affecting companies including FedEx and shipping giant Maersk, few people would have thought a vulnerability in a piece of accounting software could create such devastation.
Conducting a cybersecurity audit of all suppliers is an essential first step to controlling risks. This is no small undertaking. Properly assessing risk requires a host of information on suppliers’ software and hardware, their policies for patching and updating software, as well as how they control access to their networks and to their physical spaces. Remote working increases the risk of cyberattacks, so carefully scrutinize how suppliers protect their networks with their staff working from home.
Once vulnerabilities have been identified, work with the highest-risk suppliers first to patch their systems or update their procedures. A cybersecurity audit should be built into the onboarding process for each new supplier to ensure uniform minimum standards across the entire supply chain.
2. Adopt a zero trust approach
Suppliers and other vendors are often granted some access to a retailer’s own systems in order to facilitate functions like stock tracking and managing payments. “Zero Trust” is an emerging approach to cybersecurity that assumes any of these users — in fact, anyone at all on the network — is an intruder. This is a markedly different approach from traditional cybersecurity, which focused on guarding the perimeter while assuming that users already inside were legitimate.
Zero Trust ups the security game by dividing a network into segments and granting users the minimum level of access they need. Users have to be authenticated again if they attempt to access data in a different segment, and sophisticated monitoring software is deployed that can see the hardware and software attributes of each device being used and monitor traffic moving between segments to look for anything suspicious.
By taking a Zero Trust approach, retailers can make it harder for malware to spread from their supply chain partners to their own networks and reduce the damage from a successful attack. Even if hackers get into the network, instead of being given the keys to the city, they will find themselves locked in a room.
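As an added illustration of the segment-and-re-authenticate model described above (example code written for this edit, not from the author or any product), the policy engine below grants a supplier identity only the segment it needs, re-checks device attributes on every request, demands fresh authentication when a session tries to cross into another segment, and flags identities that touch many segments. Segment names, roles and device posture attributes are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed policy (hypothetical names): which roles may enter each segment and
# what a device must prove about itself before the request is honoured.
SEGMENT_POLICY = {
    "stock-tracking": {"roles": {"supplier", "logistics"}, "posture": {"disk_encrypted"}},
    "shipping-docs":  {"roles": {"logistics"},             "posture": {"disk_encrypted"}},
    "payments":       {"roles": {"finance"},               "posture": {"disk_encrypted", "edr_running"}},
}
REAUTH_WINDOW_S = 300     # a session older than this must re-authenticate to change segment
LATERAL_THRESHOLD = 3     # distinct segments touched by one identity before we alert

@dataclass
class Session:
    user: str
    role: str
    device_posture: set
    authenticated_at: float
    current_segment: Optional[str] = None

def evaluate(session: Session, segment: str, now: float) -> tuple:
    """Decide one request. Nothing is trusted for being 'inside': role, device and
    session freshness are all re-checked at every segment boundary."""
    policy = SEGMENT_POLICY.get(segment)
    if policy is None:
        return False, "unknown segment"
    if session.role not in policy["roles"]:
        return False, "role not permitted in segment"
    missing = policy["posture"] - session.device_posture
    if missing:
        return False, "device posture missing: " + ",".join(sorted(missing))
    crossing = session.current_segment not in (None, segment)
    if crossing and now - session.authenticated_at > REAUTH_WINDOW_S:
        return False, "re-authentication required to change segment"
    session.current_segment = segment
    return True, "granted"

def flag_lateral_movement(events, threshold=LATERAL_THRESHOLD):
    """events are (user, segment, allowed) tuples from the decision log. An identity
    that touches or probes many segments, allowed or not, is what monitoring should surface."""
    touched = defaultdict(set)
    for user, segment, _allowed in events:
        touched[user].add(segment)
    return sorted(u for u, segs in touched.items() if len(segs) >= threshold)
```

Denied requests are still logged as events, so an account probing segments it has no business in shows up in `flag_lateral_movement` even though it never got in.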
3. Defend against phishing attacks
Fake emails are still among the most potent weapons in a hacker’s arsenal. They are particularly dangerous for supply chain teams, which receive countless messages from suppliers with invoices, shipping documents or product details as attachments. Spotting malicious ones is not always easy, especially as attackers’ tactics evolve.
According to Accenture, at least one hacking group has targeted retailers using a two-step approach that probes for weaknesses by sending users a phishing email that is harmless, but signals to the attackers when it is opened. Users who fell for the first message are then targeted with a second email, this time containing malware. While increasingly sophisticated AI-powered email scanning software can mitigate the risk, regular training of staff on the latest threats and embedding a culture of skepticism toward incoming emails is essential.
4. Create a response team
One of the reasons cybersecurity can fall down the list of priorities is that everyone thinks it’s somebody else’s responsibility. This is especially true when it comes to supply chain security, as few companies have a person charged with overseeing that. Creating a cross-company response team that’s charged with developing cybersecurity policies and coordinating the reaction when attacks happen can help embed a culture of cybersecurity awareness throughout an organization.
The team should draw in senior leaders from all parts of the business, including IT, operations, human resources and communications, with clear responsibilities and accountabilities. Such a team could, for instance, help coordinate follow-up to a cybersecurity audit of the supply chain to fix vulnerabilities.
One of the sad truths of the past year was that hackers saw the chaos and confusion as an opportunity and deliberately targeted stressed industries. Ransomware attacks increased 40% in the third quarter of 2020, and the average ransom paid by victims was more than $233,000, up almost one-third from the previous quarter. Those trends are set to continue in 2021. While retailers have many pressing concerns to deal with, they overlook cybersecurity at their peril.
Ara Aslanian is co-founder and CEO of Inverselogic, an IT services provider, and reevert, a hybrid data backup and storage solution. He is a member of the advisory board at LA Cyber Lab and on the leadership council of Secure the Village, both of which monitor emerging online threats and provide education on countering them.