In late 2020, numerous U.S. government agencies and private-sector companies were breached as a result of a hack of software deployed by the IT services company SolarWinds. According to U.S. government reports, hackers affiliated with Russian intelligence inserted compromised code into a software update of SolarWinds, which was pushed out unwittingly to thousands of the company’s customers. Russian hackers were then able to use their inserted code to steal sensitive information from a group of agencies and companies that were among SolarWinds’ customers.
The incident further focused attention on the risks of software supply chain attacks — cyberattacks that target third-party software and services used by companies, in contrast with direct attacks on companies’ internally managed IT systems.
Note that “supply chain” here has a different meaning than the commonly understood meaning in retail related to logistics and transportation. Software supply chain security is primarily about the security of software code — traced back to its original sources — used by an entity and its third-party service providers throughout the full development and deployment lifecycle.
SolarWinds is not the only recent example of a software supply chain attack. Numerous other high-profile incidents over the past year have involved IT services companies such as Accellion, Codecov and Kaseya, affecting hundreds or thousands of companies, including retailers in many countries.
Policymakers have recognized the seriousness of this growing software supply chain threat: The Biden administration’s May 2021 cybersecurity executive order included provisions focused on improving software supply chain security, including by establishing new baseline standards for software companies to follow if they want to continue to sell to the federal government.
When these software supply chain attacks have occurred, much of the public attention has focused on the software end users who were compromised, even though they were not the original source of the incident. And companies that have been affected by software supply chain attacks have faced legal and regulatory actions, as if the attack were a breach of their own internal systems.
Given these growing risks, it is critical that retail companies make software supply chain security part of their broader cybersecurity strategy, taking steps throughout the software development lifecycle to ensure they are carefully assessing and monitoring risks with respect to their third-party software vendors.
It is not an easy challenge: A medium-sized or large retailer might have hundreds — if not thousands — of third-party systems operating within its IT enterprise, many requiring privileged access to company information to operate effectively.
With these challenges in mind, how can retailers better address software supply chain security risks? In early October 2021, NRF held a member webinar featuring PwC and Microsoft to discuss these issues and highlight best practices companies can adopt to reduce software supply chain risks. Experts from the two companies highlighted several best practices, including that:
Companies should establish clear governance processes with respect to managing software supply chain risks, defining clear responsibilities and involving leaders from numerous business functions, including information security, procurement, legal and business operations.
Companies should implement change and configuration management processes on assets and information accessed or managed by third-party service providers.
Companies should implement a secure development lifecycle to ensure that third parties are applying security controls and following secure coding practices.
Companies should consider adoption of a software maturity framework (like NIST’s Secure Software Development Framework) and implement key security practices, including technical testing and controls assurance, among others.
A recording of the webinar is available to NRF members on NRF On Demand.
NRF held the webinar as part of its broader commitment to help the retail industry address cybersecurity challenges — a commitment it fulfills through the ongoing dialogue within its IT Security Council, through its cyber threat-sharing portal (the NRF Cyber Risk Exchange), cyber-related content at events like NRF PROTECT, and engagement and advocacy on cyber policy issues. If you are interested in learning more about these activities, reach out to NRF at firstname.lastname@example.org.