The global economy is built on supply chains. But one sector more reliant than most on complex networks of interrelated businesses is retail. The average retailer may not even realize how many suppliers it has across physical and digital channels. Together, this web of relationships ensures goods get from source to customer as efficiently as possible. Increasingly today these supply chains also extend into the digital sphere, to deliver essential online capabilities to retailers and their customers.
But supply chains by their very nature also expand the average retailer’s corporate attack surface – putting customer and corporate data at risk and imperilling profits and reputation. That’s why a multi-layered cybersecurity strategy is essential, starting with data protection.
Retail in the crosshairs
Why are retailers such a popular target for threat actors? Put simply, they have a low tolerance for service disruption and store/manage large volumes of sensitive customer information, including financial data. That makes data theft and ransomware – often in the same attack – a significant threat. Unsurprisingly, 100% of retail data breaches in the past year were financially motivated, according to Verizon.
According to one recent report, 69% of global retailers suffered a ransomware breach in the past year. Exploited vulnerabilities (41%), compromised credentials (22%) and phishing emails (32%) were the most common attack vectors. But threat actors can target these vectors in suppliers too. In many cases, such suppliers are used as a stepping stone into the retailer’s network. One of the biggest retail breaches of all time – at US chain store Target – occurred after hackers compromised network credentials used by an HVAC partner.
Suppliers are particularly popular targets as threat actors can compromise a single company to gain access to data or networks from multiple downstream customers. This is especially true of digital suppliers. Consider the number of retailers, including UK high-street pharmacy giant Boots, that were caught up in the MOVEit campaign. Or the hundreds of e-commerce stores that were compromised in 2022 with digital skimming code, via a vulnerable plugin.
It’s no surprise that 71% of global retail IT and business leaders are concerned with the size of their digital attack surface. Two-fifths (40%) admit that the attack surface is “spiralling out of control.”
How security can help
To mitigate these risks, retailers need better oversight of their supply chains. That means conducting more comprehensive due diligence before deciding whether to partner. And it requires regular – or ideally continuous – data-driven monitoring and auditing to ensure each supplier is held to the same high standards of cyber-risk management as the retailer itself.
Key best practices which retailers should follow in-house and demand of their suppliers include:
- Preventative security controls: Anti-malware at the hybrid cloud server, endpoint, email and network layer.
- Security awareness training: Ensuring staff can spot phishing attempts that make it through email filters.
- Risk-based patch management: An automated system to prioritize security updates across the environment.
- Vulnerability management program: Regular testing for vulnerabilities in key software, and a clear pathway for responsible disclosure.
- Regular offline backups: To mitigate risk in the event that sensitive information is encrypted by ransomware actors.
- Threat detection and response: Tools like XDR to rapidly spot and contain threats before they have an opportunity to spread and cause damage.
- Incident management: A well-rehearsed plan and set of processes to respond to and recover from a breach.
- Continuous data discovery, classification and monitoring: Organizations should understand where their most sensitive data is at all times and how it is protected.
- Strong data protection: Retailers and their suppliers should apply protection like tokenization or encryption to the most sensitive information in line with policy and risk appetite.
Starting with the data
While multi-layered security is clearly called for to mitigate risk across the retail attack surface, including suppliers, it makes most sense to start with the data. Continuous discovery, classification and protection of the most sensitive data – wherever it resides – means that even if hackers manage to circumvent the outer layers, the data itself will be useless to them. It will also help to keep GDPR and PCI DSS regulators happy, while minimizing the cost of compliance.
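As an added illustration of the discovery, classification and protection step described above (example code written for this article, not a product or the author's own tooling), the snippet below scans a customer record for card numbers, classifies digit runs with the Luhn check so order IDs are not mistaken for cards, and swaps each real PAN for a vault token. It assumes a simple in-memory vault; a production deployment would use an HSM-backed or hosted tokenization service so that a stolen database holds only tokens.

```python
import re
import secrets

# Candidate 13-19 digit runs, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check: classifies a digit run as a probable payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Assumed in-memory stand-in for a tokenization service: only the vault
    holds the real PAN; everything outside it sees a random token."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Keep the last four digits so customer service can still identify a
        # card; the rest of the token carries no information about the PAN.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Authorised path only (e.g. the payment gateway integration)."""
        return self._store[token]


def classify_and_protect(text: str, vault: TokenVault) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in text with a vault token.
    Returns the protected text and the number of PANs found."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)       # order ID or similar: leave untouched
        count += 1
        return vault.tokenize(digits)

    return PAN_PATTERN.sub(_sub, text), count
```

Running `classify_and_protect` over a constructed record such as "Order 1234567890123456 paid with card 4111 1111 1111 1111" leaves the order number alone and replaces the test Visa number with a token; a leaked copy of the protected text reveals nothing beyond the last four digits.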
This is not only about mitigating cyber-risk but also providing a secure foundation for business growth—by appealing to security-conscious consumers and giving the organization the confidence to proceed with ambitious digital transformation projects. Most importantly, it will help retailers optimize their use of supply chains to deliver even more value to customers and shareholders.