The global economy is built on supply chains. But one sector more reliant than most on complex networks of interrelated businesses is retail. The average retailer may not even realize how many suppliers it has across physical and digital channels. Together, this web of relationships ensures goods get from source to customer as efficiently as possible. Increasingly today these supply chains also extend into the digital sphere, to deliver essential online capabilities to retailers and their customers.
But supply chains by their very nature also expand the average retailer’s corporate attack surface – putting customer and corporate data at risk and imperilling profits and reputation. That’s why a multi-layered cybersecurity strategy is essential, starting with data protection.
Why are retailers such a popular target for threat actors? Put simply, they have a low tolerance for service disruption and they store and manage large volumes of sensitive customer information, including payment card and other financial data. That makes data theft and ransomware – often combined in the same attack, with exfiltration used as extra leverage – a significant threat. Unsurprisingly, 100% of retail data breaches in the past year were financially motivated, according to Verizon.
According to one recent report, 69% of global retailers suffered a ransomware breach in the past year. The most common initial access vectors were exploited vulnerabilities (41%), phishing emails (32%) and compromised credentials (22%). But threat actors can target these same vectors in suppliers, and in many cases a supplier is used as a stepping stone into the retailer’s network. One of the biggest retail breaches of all time – at US chain store Target, in 2013 – began after attackers compromised network credentials issued to an HVAC partner.
Suppliers are particularly popular targets because compromising a single company can yield access to the data or networks of many downstream customers at once. This is especially true of digital suppliers. Consider the number of retailers, including UK high-street pharmacy giant Boots, that were caught up in the 2023 MOVEit Transfer mass-exploitation campaign through a third-party provider, without their own systems ever being attacked directly. Or the hundreds of e-commerce stores that were compromised in 2022 with digital skimming code, delivered via a vulnerable plugin.
It’s no surprise that 71% of global retail IT and business leaders are concerned with the size of their digital attack surface. Two-fifths (40%) admit that the attack surface is “spiralling out of control.”
To mitigate these risks, retailers need better oversight of their supply chains. That means conducting more comprehensive due diligence before deciding whether to partner, and defining up front what access a supplier actually needs so that its credentials cannot be reused to reach unrelated systems. And it requires regular – or ideally continuous – data-driven monitoring and auditing to ensure that suppliers are held to the same high standards of cyber-risk management as the retailer itself.
Key best practices which retailers should follow in-house and demand of their suppliers include:
While multi-layered security is clearly called for to mitigate risk across the retail attack surface, suppliers included, it makes most sense to start with the data. Continuous discovery and classification of the most sensitive data – wherever it resides, including in logs, exports and supplier-facing systems – tells the retailer what actually needs protecting. Protecting it then means encrypting, tokenizing or masking that data, with the keys or token vault kept out of the path an intruder would travel, so that even if attackers circumvent the outer layers, what they exfiltrate is useless to them. Classification on its own changes nothing about what a breach exposes; it is the protection step that does, and classification is what makes that step tractable. The same discipline also helps demonstrate GDPR and PCI DSS compliance, while minimizing the cost of achieving it.
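As an added illustration of the discover, classify and protect cycle described above (example code written for this page, not a tool from the original article): it scans constructed sample order records for payment card numbers, uses the Luhn check to discard look-alike digit strings such as order IDs, labels each field, and then replaces every card number with a keyed HMAC token so the stored record no longer contains cardholder data. The card numbers are public test numbers, `DEMO_KEY` is a placeholder for a key that would live in a KMS or HSM, and the token format is an assumption; a real deployment would typically hand tokenization to a PCI-scoped vault rather than compute it in the application.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
# The lookarounds stop us matching a 13-digit slice out of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumption: placeholder only. In production the key is held in a KMS/HSM.
DEMO_KEY = b"replace-with-a-KMS-managed-key"

# Constructed sample data; the card numbers are public test numbers, not real cards.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"order_id": "1234567890123456",   # 16 digits but fails Luhn: not a PAN
     "customer": "a.smith@example.com",
     "note": "Paid with card 4111 1111 1111 1111, ship to store"},
    {"order_id": "9876543210",
     "customer": "anon",
     "note": "Refund to 5555-5555-5555-4444"},
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check, which every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the digits-only PANs found in free text (discovery step).

    Luhn removes most false positives, but a phone or serial number still
    passes it one time in ten, so treat hits as candidates for review."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def classify_record(record: Dict[str, str]) -> Dict[str, str]:
    """Label each field: 'PCI' for card data, 'PII' for e-mail, 'none' otherwise."""
    labels = {}
    for field, value in record.items():
        if find_pans(value):
            labels[field] = "PCI"
        elif EMAIL.search(value):
            labels[field] = "PII"
        else:
            labels[field] = "none"
    return labels


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed, non-reversible surrogate for a PAN.

    An unkeyed hash would be brute-forceable because the space of Luhn-valid
    card numbers is small, so the secret key is what makes the token safe."""
    return "tok_" + hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:24]


def redact_pans(text: str, key: bytes) -> str:
    """Replace every real PAN in the text with its token; leave other digit runs alone."""
    def repl(m: "re.Match[str]") -> str:
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return tokenize_pan(digits, key)
        return m.group(0)         # e.g. an order id: not cardholder data
    return PAN_CANDIDATE.sub(repl, text)


def protect_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Protection step: the returned record contains no raw card numbers."""
    return {field: redact_pans(value, key) for field, value in record.items()}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
        print(protect_record(rec, DEMO_KEY))
```

Run against a database export or log sample, `classify_record` gives the inventory of where cardholder data actually lives, and `protect_record` shows what a breached copy would look like afterwards: the order IDs and e-mail addresses are untouched, while the card numbers are gone. Note that the e-mail address is only labelled here, not protected; the same pattern (token or pseudonym, key held elsewhere) applies to PII once the classification says it is in scope.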
This is not only about mitigating cyber-risk but also about providing a secure foundation for business growth: appealing to security-conscious consumers, and giving the organization the confidence to proceed with ambitious digital transformation projects. Most importantly, it will help retailers make fuller use of their supply chains to deliver even more value to customers and shareholders.