What Ongoing Supply Chain Disruption Means for Retail Cybersecurity
Unlike card-not-present (CNP) and return fraud, both of which are on the rise, supply chain fraud gives attackers access to the target’s internal systems, from which they can steal data and divert funds. A single successful supply chain attack, therefore, can cause damage on a much larger scale than a fraudulent transaction or return. Because of the potential for serious losses and business disruptions from this rising threat, retailers should review their overall cybersecurity posture and follow these best practices to limit their supply chain attack risk.
Revisit and strengthen your e-mail security.
Year after year, e-mail remains one of the main vectors for data breaches, because e-mail messages engage the most vulnerable element of any security program: people. By posing as a known vendor or impersonating a platform that the target is likely to use (such as Microsoft SharePoint or Zoom), attackers can trick recipients into sharing login credentials, redirecting direct deposits, and paying fraudulent invoices. This kind of attack, known as vendor e-mail compromise (VEC), is a subset of business e-mail compromise (BEC), which the FBI describes as “one of the most financially damaging online crimes.” A growing number of these attacks are sophisticated enough to avoid detection by standard e-mail security tools. As a result, many organizations are adding artificial intelligence-based e-mail screening tools that can identify and block advanced e-mail threats.
Extend your cybersecurity culture to your supply chain.
By their nature, supply chain attacks rely on the interconnectedness of targets and their vendors. That also makes it easy for criminals to attack at scale. For example, a group that gains access to a supplier’s e-mail network can then quickly target all of the supplier’s customers — perhaps hundreds or thousands — with a realistic-looking business e-mail compromise attack. Every organization in a particular supply chain therefore depends to some extent on the security of the others.
IT and security leaders can turn this potential vulnerability into an advantage by fostering the same kind of “culture of security” across the supply chain that they do within their own functions. By establishing channels for emergency communication and ongoing security conversations, retailers and their suppliers can share information about potential threats that makes every business in the chain safer and more security-aware.
By requiring new suppliers and vendors to meet certain cybersecurity thresholds, companies can raise the overall level of protection in the vendor ecosystem. Vetting can take time that retailers may feel they don’t have to spare, but the time invested in understanding suppliers’ security posture can help to avoid supplier-related incidents that can require much more time to resolve and recover from.
Internal security conversations and employee education should include supply chain security topics. For example, phishing awareness training should cover BEC and vendor impersonation, and there should be protocols in place for validating vendor requests for invoice payments or deposit-account changes, especially when those requests are unexpected or described by the sender as urgent.
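The validation protocol described above can be partly automated before a request ever reaches a person. The following is an added example, not code from the article: a Python screening step for inbound vendor e-mail that flags senders whose domain is unknown or a lookalike of an approved vendor domain, and holds any message that asks for a change to payment or bank details so that it is confirmed out of band. The vendor domains, addresses, message bodies, keyword patterns and the 0.8 similarity threshold are all constructed assumptions.

```python
"""Added example (not the article's own code): screen an inbound vendor
e-mail for impersonation and for payment-detail-change requests that need
out-of-band verification. Vendor domains, addresses and message bodies
below are constructed sample data."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list of domains belonging to vendors the retailer works with.
APPROVED_VENDOR_DOMAINS = {"acme-supply.example", "northwind-logistics.example"}

# Wording that typically accompanies invoice-redirection or deposit-change requests.
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew bank (account|details)\b",
    r"\bupdated? (our )?(payment|remittance|banking) (details|information)\b",
    r"\bwire (the )?(payment|funds) to\b",
    r"\bchange of bank\b",
]
# Pressure language that the article notes should raise suspicion on its own.
URGENCY_PATTERNS = [r"\burgent(ly)?\b", r"\bimmediately\b", r"\bbefore (close of business|eod)\b"]

# Assumed similarity above which an unknown domain counts as a lookalike of an approved one.
LOOKALIKE_THRESHOLD = 0.8


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def closest_approved_domain(domain: str):
    """Return (approved_domain, similarity_ratio) for the most similar approved domain."""
    best, best_score = None, 0.0
    for approved in sorted(APPROVED_VENDOR_DOMAINS):
        score = SequenceMatcher(None, domain, approved).ratio()
        if score > best_score:
            best, best_score = approved, score
    return best, best_score


def screen_vendor_message(from_header: str, body: str) -> dict:
    """Classify one message as PASS, REVIEW or HOLD and list the reasons."""
    domain = sender_domain(from_header)
    known_vendor = domain in APPROVED_VENDOR_DOMAINS
    reasons = []
    if not known_vendor:
        approved, score = closest_approved_domain(domain)
        if score >= LOOKALIKE_THRESHOLD:
            reasons.append(f"sender domain {domain!r} resembles approved vendor domain {approved!r}")
        else:
            reasons.append(f"sender domain {domain!r} is not an approved vendor domain")
    text = body.lower()
    payment_change = any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS)
    if payment_change:
        reasons.append("message asks for a change to payment or bank details")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        reasons.append("message uses urgency language")
    # A payment-detail change is held even from an approved domain: the vendor's
    # own mailbox may be compromised, which is the VEC case the article describes.
    if payment_change:
        action = "HOLD"  # confirm by phone using the number already on file
    elif not known_vendor:
        action = "REVIEW"
    else:
        action = "PASS"
    return {"domain": domain, "known_vendor": known_vendor, "action": action, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Accounts Payable <ar@acme-supply.example>",
         "Please find attached invoice 1042 for last month's deliveries."),
        ("Accounts Payable <ar@acme-suppIy.example>",
         "We have updated our banking details. Please wire the payment to the new account immediately."),
    ]
    for header, body in samples:
        print(screen_vendor_message(header, body))
```

The key design choice is that a payment-detail change is held regardless of whether the sender's domain is approved: the earlier section points out that attackers who get into a supplier's e-mail network send from the supplier's real addresses, so the allow-list alone cannot clear such a request, and only confirmation through a channel already on file can.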
Review and strengthen your endpoint security.
Work-from-anywhere policies, hub-and-spoke distribution models, internet of things (IoT) devices and cloud-based operations have helped retailers to become more agile. These developments have also made endpoint security more complex, by vastly increasing the number and type of devices and virtual machines connecting to retail systems. In some cases, vendors as well as employees have access to retailers’ internal systems.
Retailers that haven’t already adopted a unified endpoint management system can take interim steps to strengthen their endpoint security. Sometimes the most challenging step is simply identifying all the endpoints in the retail environment. They include the mobile devices that employees use to log in while they’re at home or traveling, in-office computers and in-store point-of-sale terminals, as well as less-obvious devices such as cloud servers and IoT devices like sensors and cameras. Identification should include each device’s brand, operating system and software version. With a database of all endpoints and their locations, the next step is ensuring that they’re secure, with strong (not default) passwords and regular updates and patches.
It’s also wise to review your endpoint user-access policies. As a general rule, employees and managers at all levels should only have access to the systems and data they need to perform their work. The same principle applies to vendors and suppliers who may have access to retail systems. It’s also important to make sure that only current employees, managers and vendors have access to any system. Credentials should be revoked when someone leaves the organization or when a vendor relationship ends. Good access controls can reduce the opportunities for internal and external attacks to exploit user credentials across the supply chain.
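The two review steps in this section, an endpoint inventory checked for completeness and basic hygiene, and an access list reconciled against who still works for or with the company, can be expressed as simple checks over the records. The following is an added example, not code from the article: a Python script that flags inventory entries missing brand, OS or version, endpoints still on a default password or unpatched beyond a policy window, and account grants that should be revoked (departed employees, ended vendor relationships) or trimmed (systems a role does not need). Every record, field name, the review date and the 90-day patch window are constructed assumptions.

```python
"""Added example (not the article's own code): two review checks over an
endpoint inventory and an access list. All records, field names and
thresholds below are constructed assumptions about what such data looks like."""
from datetime import date

REVIEW_DATE = date(2024, 6, 1)   # constructed "today" for the review
MAX_PATCH_AGE_DAYS = 90          # assumed policy: every endpoint patched at least quarterly

# Constructed endpoint inventory (brand, OS and version as the article recommends).
ENDPOINTS = [
    {"id": "pos-store12-01", "type": "point-of-sale", "brand": "ExampleCo", "os": "Windows",
     "version": "10.0.19045", "last_patched": date(2024, 5, 2), "default_password": False},
    {"id": "cam-dc-07", "type": "ip-camera", "brand": "CamVendor", "os": "embedded",
     "version": "2.1.4", "last_patched": date(2023, 1, 15), "default_password": True},
    {"id": "lt-finance-22", "type": "laptop", "brand": "ExampleCo", "os": "macOS",
     "version": "14.4", "last_patched": date(2024, 5, 20), "default_password": False},
    {"id": "vm-cloud-03", "type": "cloud-vm", "brand": None, "os": "Ubuntu",
     "version": None, "last_patched": date(2024, 4, 30), "default_password": False},
]

# Constructed access list: one row per (account, system) grant.
ACCOUNTS = [
    {"user": "jsmith", "kind": "employee", "role": "store-manager", "system": "pos-admin"},
    {"user": "jsmith", "kind": "employee", "role": "store-manager", "system": "payroll"},
    {"user": "mlee", "kind": "employee", "role": "ap-clerk", "system": "invoice-system"},
    {"user": "acme-edi", "kind": "vendor", "vendor": "acme-supply", "role": "vendor-edi",
     "system": "edi-gateway"},
    {"user": "oldvendor-svc", "kind": "vendor", "vendor": "oldvendor", "role": "vendor-edi",
     "system": "edi-gateway"},
]

# Constructed authoritative sources: the HR roster, active vendor contracts, and
# the systems each role actually needs (the least-privilege baseline).
CURRENT_EMPLOYEES = {"jsmith"}
ACTIVE_VENDORS = {"acme-supply"}
ROLE_SYSTEMS = {
    "store-manager": {"pos-admin", "scheduling"},
    "ap-clerk": {"invoice-system"},
    "vendor-edi": {"edi-gateway"},
}


def endpoint_findings(endpoints, today=REVIEW_DATE, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return (endpoint_id, problem) pairs for incomplete records, default
    credentials and stale patch levels."""
    findings = []
    for ep in endpoints:
        missing = [f for f in ("brand", "os", "version") if not ep.get(f)]
        if missing:
            findings.append((ep["id"], "incomplete inventory record: missing " + ", ".join(missing)))
        if ep.get("default_password"):
            findings.append((ep["id"], "default password still in use"))
        age = (today - ep["last_patched"]).days
        if age > max_patch_age_days:
            findings.append((ep["id"], f"no patch applied in {age} days"))
    return findings


def access_findings(accounts, current_employees=CURRENT_EMPLOYEES,
                    active_vendors=ACTIVE_VENDORS, role_systems=ROLE_SYSTEMS):
    """Return (user, system, problem) triples for grants to revoke or trim:
    departed employees, ended vendor relationships, and access a role does not need."""
    findings = []
    for acct in accounts:
        if acct["kind"] == "employee" and acct["user"] not in current_employees:
            findings.append((acct["user"], acct["system"], "no longer a current employee"))
        elif acct["kind"] == "vendor" and acct["vendor"] not in active_vendors:
            findings.append((acct["user"], acct["system"], "vendor relationship has ended"))
        elif acct["system"] not in role_systems.get(acct["role"], set()):
            findings.append((acct["user"], acct["system"], f"not required for role {acct['role']!r}"))
    return findings


if __name__ == "__main__":
    for item in endpoint_findings(ENDPOINTS) + access_findings(ACCOUNTS):
        print(*item, sep=" | ")
```

The access check deliberately reconciles against the HR roster and the vendor contract list rather than against a flag inside the account system itself: an account that is still enabled for someone who has left is exactly the case the review is meant to catch, so the system's own status cannot be the source of truth.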
Review and revise your incident response plan.
Finally, it’s a good idea to take a fresh look at how your organization plans to respond in case of a supply chain attack. A comprehensive plan will detail the steps the IT team will follow — typically, detection, containment, removal and post-incident analysis — as well as the roles that the leadership, PR, marketing and legal teams will play during and after an incident.
For example, who will oversee information sharing with supply chain partners to limit the spread of an attack? Who will ensure that the incident is reported within the timeframes required by regulations like the General Data Protection Regulation (GDPR)? And how will the company communicate about any such incident with its customers, the media and the authorities?
No one enjoys thinking about the possibility of a supply chain attack and the potential consequences. But with supply chain attacks increasing, it’s wise to strengthen your e-mail and endpoint security now, and have regular security discussions with suppliers and vendors, to make it less likely that you’ll need to enact your response plan.