As the threat of cyberattacks and data breaches continues to rise, it’s more important than ever that retailers scrutinize the security and trust of their software vendors and third-party providers.
While third parties play a crucial role in supporting digital operations, they also can represent a threat to security. From point-of-sale systems and mobile apps to back-office supply chain tracking solutions and loyalty programs, these networks can expand the attack footprint and open new doors to attack.
Security experts say the recent high-profile cyberattack against the SolarWinds supply chain is an example of why retailers should be vigilant of their networks and cloud-based solutions.
Targeting the technology supply chain
First discovered as part of a breach of a major cybersecurity company in December 2020, the SolarWinds attack has been an informative case study for the cybersecurity industry. Suspected nation-state actors compromised the company’s Orion monitoring platform and used it to distribute trojanized code to its users through a trusted update.
According to a Wall Street Journal report, as many as 30 percent of the organizations breached had no direct link to SolarWinds. Microsoft Corporate Vice President of Security Vasu Jakkal told ZDNet in January 2021 that the attack was a “moment of reckoning” in the industry.
“These attacks are going to get more sophisticated,” Jakkal said. “So we should expect that. This is not the first and not the last. This is not an outlier. This is going to be the norm.”
The SolarWinds attack was especially catastrophic because it used a trusted connection between a software provider and a customer to access a network, says Jake Olcott, vice president of communications and government affairs at BitSight. The fact that hackers infiltrated the trusted supply chain enabled them to operate undetected.
“It’s significant because of the deep level of access and trust they enjoyed across organizations in government and private sector,” Olcott says. “There are many questions about whether these malicious actors are even more deeply embedded in organizations and are just going undetected.”
The growth of third-party risk
Most retailers’ cybersecurity efforts have so far focused on threat detection, ensuring their own networks are secure, and ensuring that third-party vendors are protecting consumer information. Yet retailers must also now consider that they are more digitally interconnected with their third-party providers, says Mike Dombrowski, managing director and national co-leader, infrastructure and cyber solutions, with BDO Digital.
“It is not so much a loss of trust but the realization that we are now digitally connected,” Dombrowski says, “and that security is more of a partnership than a handoff.”
As the pandemic has pushed many retailers further to digital channels, there’s a growing need for more advanced security, says Alla Valente, GRC analyst at Forrester, who specializes in security and third-party risk.
In the wake of store shutdowns in March 2020, many retailers made quick leaps to third-party providers to expand their online ordering, buy online, pick up in store, and omnichannel capabilities. While the top priority then was to digitize the customer experience, that focus must now return to vulnerabilities in their networks.
The SolarWinds attack was prime evidence that the traditional cybersecurity measures retailers have relied on, such as detecting anomalous behavior and escalation of privileges, are no longer sufficient, Olcott says.
“All those things failed in the SolarWinds attack,” he says. “We’re finding out that they had access for months, and it was even fortunate they found out about it to begin with.”
That means retailers must reassess the tools on their network that are meant to detect anomalous behavior. Olcott notes that organizations have spent a lot of time, money and effort protecting their own security and networks, while some of the real threats are now in the supply chain. Security efforts should include more testing of software updates before they are deployed and more caution about immediately installing updates that could carry malicious code.
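As an added illustration of the caution recommended above (example code written for this page, not from the article or from any vendor), the following intake gate refuses to auto-deploy an update unless the bytes received hash to a digest the vendor published out of band, a soak period has elapsed since release, and internal testing has approved the version. The manifest format, the seven-day soak period, and the sample payloads are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed policy: a release younger than this is held for testing, never auto-installed.
SOAK_PERIOD = timedelta(days=7)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample payloads (not real vendor artifacts).
GOOD_PACKAGE = b"constructed vendor update payload, version 2.1.0"
TAMPERED_PACKAGE = GOOD_PACKAGE + b"\x90\x90"  # same version label, altered bytes

# Constructed manifest standing in for a digest list obtained out of band
# (vendor portal, signed release notes), not from the update feed itself.
VENDOR_MANIFEST = {
    "2.1.0": {
        "sha256": sha256_hex(GOOD_PACKAGE),
        "released": datetime(2021, 1, 4, tzinfo=timezone.utc),
    }
}
NOW_IN_SOAK = datetime(2021, 1, 8, tzinfo=timezone.utc)     # 4 days after release
NOW_AFTER_SOAK = datetime(2021, 1, 20, tzinfo=timezone.utc)  # 16 days after release


def evaluate_update(package: bytes, version: str, manifest: dict,
                    now: datetime, approved_versions: set) -> tuple:
    """Decide whether an update may be deployed. Returns (deploy, reason).

    Gates, in order: the version must be one the vendor published; the bytes
    received must hash to the published digest (a trojanized update fails here
    even though it arrived over the trusted channel); the release must be older
    than the soak period; and internal testing must have approved the version.
    """
    entry = manifest.get(version)
    if entry is None:
        return False, "version not in vendor manifest"
    if sha256_hex(package) != entry["sha256"]:
        return False, "digest mismatch: package differs from what the vendor published"
    if now - entry["released"] < SOAK_PERIOD:
        return False, "inside soak period: hold for testing"
    if version not in approved_versions:
        return False, "not yet approved by internal testing"
    return True, "ok"


if __name__ == "__main__":
    for label, pkg in (("good", GOOD_PACKAGE), ("tampered", TAMPERED_PACKAGE)):
        print(label, evaluate_update(pkg, "2.1.0", VENDOR_MANIFEST, NOW_AFTER_SOAK, {"2.1.0"}))
```

The digest check only helps when the manifest is fetched over a channel separate from the update feed; if both come from the same compromised source, the gate degrades to the soak and approval checks alone.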
Improving IT third-party risk management programs means more scrutiny across the board, Dombrowski says. The most secure companies work with a zero-trust architecture that assumes security can be flawed and that all endpoints are vulnerable, regardless of what security measures the third party has in place. “It says ‘trust nothing,’ regardless of what tools your partner has in place,” Dombrowski says. “You have to be monitoring that all of the time, in real time.”