5 tips for cybersecurity resiliency from CISA’s Nitin Natarajan

NRF PROTECT: Best practices for ‘target-rich, resource-poor’ retail organizations
Sheryll Poe
NRF Contributor

Protecting physical infrastructure and reducing risk across cybersecurity networks is not just a security issue. It’s a corporate issue, according to Nitin Natarajan, deputy director at the U.S. Cybersecurity and Infrastructure Security Agency.

“At the end of the day, whether we’re talking about loss prevention and theft and the economic impact of that on an organization, or we’re talking about brand recognition and public image … these are issues that are corporate issues, regardless of the vector of that attack,” Natarajan told attendees at the NRF PROTECT conference and expo in Grapevine, Texas.

While cybercriminals used to target large businesses and municipalities, the victim landscape has changed. “What we’re seeing across the nation is attacks against businesses large and small, against public and the private sector, against large cities and small rural America,” Natarajan said. “Nobody is immune from these actors.”

With more than 600 employees spread across the country, CISA — an agency under the Department of Homeland Security — provides regional cyber and physical services to support security and resilience for organizations and retailers of all sizes.

“We have a huge focus where we’re looking at organizations that we call ‘target-rich and resource-poor,’” he said, “organizations that don’t have the resources to invest in cybersecurity.”

During his one-on-one conversation with NRF’s Vice President of Retail Technology and Cybersecurity Christian Beckner, Natarajan had a few suggestions for cybersecurity teams working with small and medium-sized retailers.

  1. Focus on the basics: Make sure software and networks have multi-factor authentication, encourage proper password handling and update or patch software when needed.
  2. Tap into free or low-cost resources: CISA provides free resources and services for businesses that don’t have the resources available. “The beauty of our organization is that we’re not the intelligence community,” Natarajan said. “We’re not law enforcement. We’re literally this federal agency that wants to help, because the more we’re able to increase that resilience, the more we’re able to prevent these types of attacks from having an impact here on the homeland.”
  3. Understand the products and systems you have: Fully vet and research the physical and cybersecurity products you have or are buying, including their origin and potential vulnerabilities. Taking that time to make an investment is critical, Natarajan said — “especially when you are making procurement decisions that may not always be the cheapest, but may be more secure.”
  4. Lean into partnerships: For retailers that already have partnerships with other branches of the federal government such as the FBI, Secret Service or Department of Defense, CISA works closely with all those departments as well. “If you are reaching them, they can reach us,” he said. “If you’re able to build upon the relationship with your local FBI points of contact, they’re able to reach back to us. And similarly, if you reach out to us, we can connect you back with our other federal colleagues in the region. A call to one of us is a call to all of us.”
  5. Accept that some risk is inevitable: While no endeavor can ever be entirely without risk, Natarajan noted that it’s something the retail industry has accepted and worked with. “We forget we’re accepting risk on a regular basis,” he said.
