5 tips for cybersecurity resiliency from CISA’s Nitin Natarajan

NRF PROTECT: Best practices for ‘target-rich, resource-poor’ retail organizations
Sheryll Poe
NRF Contributor

Protecting physical infrastructure and reducing risk across cybersecurity networks is not just a security issue. It’s a corporate issue, according to Nitin Natarajan, deputy director at the U.S. Cybersecurity and Infrastructure Security Agency.

“At the end of the day, whether we’re talking about loss prevention and theft and the economic impact of that on an organization, or we’re talking about brand recognition and public image … these are issues that are corporate issues, regardless of the vector of that attack,” Natarajan told attendees at the NRF PROTECT conference and expo in Grapevine, Texas.

While cybercriminals used to target large businesses and municipalities, the victim landscape has changed. “What we’re seeing across the nation is attacks against businesses large and small, against public and the private sector, against large cities and small rural America,” Natarajan said. “Nobody is immune from these actors.”

With more than 600 employees spread across the country, CISA — an agency under the Department of Homeland Security — provides regional cyber and physical services to support security and resilience for organizations and retailers of all sizes.

“We have a huge focus where we’re looking at organizations that we call ‘target-rich and resource-poor,’” he said, “organizations that don’t have the resources to invest in cybersecurity.”

During his one-on-one conversation with NRF’s Vice President of Retail Technology and Cybersecurity Christian Beckner, Natarajan had a few suggestions for cybersecurity teams working with small and medium-sized retailers.

  1. Focus on the basics: Make sure software and networks have multi-factor authentication, encourage proper password handling and update or patch software when needed.
  2. Tap into free or low-cost resources: CISA provides free resources and services for businesses that don’t have the resources available. “The beauty of our organization is that we’re not the intelligence community,” Natarajan said. “We’re not law enforcement. We’re literally this federal agency that wants to help, because the more we’re able to increase that resilience, the more we’re able to prevent these types of attacks from having an impact here on the homeland.”
  3. Understand the products and systems you have: Fully vet and research the physical and cybersecurity products you have or are buying, including their origin and potential vulnerabilities. Taking that time to make an investment is critical, Natarajan said — “especially when you are making procurement decisions that may not always be the cheapest, but may be more secure.”
  4. Lean into partnerships: For retailers that already have partnerships with other branches of the federal government such as the FBI, Secret Service or Department of Defense, CISA works closely with all those departments as well. “If you are reaching them, they can reach us,” he said. “If you’re able to build upon the relationship with your local FBI points of contact, they’re able to reach back to us. And similarly, if you reach out to us, we can connect you back with our other federal colleagues in the region. A call to one of us is a call to all of us.”
  5. Accept that some risk is inevitable: While no endeavor can ever be entirely without risk, Natarajan noted that it’s something the retail industry has accepted and worked with. “We forget we’re accepting risk on a regular basis,” he said.
