Effectively using, managing and protecting your own data is one of the most important strategic competencies of any organisation. In today’s retail landscape, where technology and data lie at the core of business operations, a cyber-attack can have devastating consequences. In Australia, a cybercrime is reported every six minutes, and ransomware alone costs the economy up to $3 billion each year.

The secure management of all data, at all times, is a core responsibility for retailers. At the same time, retailers have a growing interconnected network of suppliers that use their own IT systems or work directly in the retailer’s software environment. This creates a dangerous gateway for IT attacks. Knowing which path to take, and being able to address potential threats in advance, can be a gamechanger in implementing an effective IT security strategy for retailers.

The most common types of IT attacks on the supply chain

Organisations need to be aware of several industry-defined attacks in which the systems or software of trusted vendors are compromised.

Malicious code injection: This is the most common type of attack. Hackers infiltrate a retailer’s software suppliers and insert harmful code or malware into software updates. The tainted software then reaches the retailer as if it were safe, potentially disrupting operations and compromising data.

Hidden backdoor attacks: Attackers sneak hidden access points into the software used by retailers. Once this software is deployed, these backdoors allow hackers to secretly enter and manipulate the retailer’s systems.

Dependency confusion attacks: Retail software often relies on additional code from public package repositories. Hackers publish malicious packages under the same names, which can be pulled into the retailer’s software by mistake, leading to security breaches.

Stolen SSL and code-signing certificates: Hackers steal the digital certificates and keys that authenticate secure connections and signed software. With these, they can impersonate legitimate services and intercept sensitive data from retailer systems.

CI/CD environment compromise: Attackers target the automated systems that retailers use to develop and update their software. By injecting malware here, they ensure that every update sent to the retailer – via these continuous integration and continuous delivery/deployment (CI/CD) automation environments – includes compromised code.

Social engineering attacks: Hackers trick retail employees into adding malicious code into the software by posing as trusted sources, exploiting human trust to bypass technical defences.

How to effectively protect the supply chain against cybercriminals

To protect against these common supply chain attacks, retailers must establish robust security controls and closely monitor their suppliers. This includes measures such as supplier assessment, supply chain visibility, code review, vulnerability scanning, dependency management, secure collaboration and data sharing.

Supplier assessment and visibility: Conduct a thorough review of suppliers’ and vendors’ cybersecurity practices, verify compliance with security standards (if you are unsure where to begin, the ‘Essential Eight’ recommended by the Australian government is a good starting point, alongside the NIST Cybersecurity Framework developed by the US government), and review suppliers’ third-party penetration testing.

Conduct an annual review of third-party security practices that spans their supply chain. For example, require compliance with frameworks such as System and Organization Controls (SOC 2 Type II), which covers the security, confidentiality, processing integrity, privacy and availability of customer data, or the Payment Card Industry Data Security Standard (PCI DSS), which secures credit, debit and cash card transactions and protects cardholders against misuse of their personal information, and so on.

Secure development lifecycle: Ensure only authorised personnel with minimal privileges can access code repositories, to protect sensitive source code. Use automated systems to check for security issues, such as passwords committed in code or known vulnerabilities, before any code is built, merged or deployed.
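As an added illustration of the automated pre-merge check described above (this is example code written for this article, not a tool from the author or from Iron Mountain), the following scans a set of source files for hard-coded credentials and private-key material and blocks the change when anything is found. The regular expressions and the `# allow-secret` marker are assumptions chosen for the demonstration, and the sample files and values are constructed, not real credentials.

```python
"""Pre-merge secret scan: reject a change that carries credentials in source.

Added example for the 'passwords in code' check; the patterns below are an
illustrative starting rule set, not an exhaustive one.
"""
import re
from typing import Dict, List, Tuple

# Each pattern names one class of secret a build gate would typically block.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    # FOO_PASSWORD = 'value' / passwd: "value" (case-insensitive, 4+ chars)
    "hardcoded_password": re.compile(
        r"""(?i)(password|passwd|pwd)\s*[:=]\s*["'][^"']{4,}["']"""),
    # AWS access key identifiers always start with AKIA + 16 upper/digit chars
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key header, whatever the key type
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # api_key / secret / token assigned a long opaque string
    "generic_api_token": re.compile(
        r"""(?i)(api[_-]?key|secret|token)\s*[:=]\s*["'][A-Za-z0-9_\-]{20,}["']"""),
}

# Assumed convention: a line carrying this marker is a reviewed placeholder
# (test fixture, documentation) and is deliberately excluded from the scan.
ALLOW_MARKER = "# allow-secret"


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, finding_type) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
                break  # one finding per line is enough to block the merge
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of path -> file contents, in a stable path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def gate(files: Dict[str, str]) -> bool:
    """True if the change may be built/merged (no findings), else False."""
    return not scan_files(files)


# Constructed sample repository contents for the demonstration (not real secrets).
SAMPLE_FILES = {
    "app/config.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'hunter2-retail'\n"
        'API_KEY = "sk_constructed_0123456789abcdefghij"\n'
        "TIMEOUT = 30\n"
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
    "certs/dev.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "<constructed placeholder, not key material>\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "tests/test_login.py": (
        "def test_login():\n"
        "    password = 'placeholder'  # allow-secret\n"
        "    assert login('u', password)\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, kind in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}")
    print("merge allowed:", gate(SAMPLE_FILES))
```

In a real pipeline this runs as a pre-commit hook or a required CI job on every pull request, and the allow-list marker is itself reviewed so it cannot be used to wave real credentials through.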

Secure communication and collaboration: Collaborate with suppliers over a secure channel and ensure data is encrypted and transmitted securely. Ensure that only authenticated and authorised supplier staff can access your systems, ideally through secure supplier portals. Test vendor-provided patches or updates in a controlled environment before deploying them across the organisation.

Analyse dependencies and detect anomalies: Regularly review all third-party libraries and components your software relies on. Use tools to detect unauthorised or unexpected changes in dependencies and to alert you to any abnormal behaviour in applications.

Security awareness training: Educate your employees about common social engineering tactics, including phishing (where attackers deceive individuals via texts and emails into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware) and vishing (where scammers use phone calls to trick individuals into revealing sensitive information, like passwords or bank details). Social engineering attacks often exploit the human psyche. Therefore, continued education, awareness and vigilance are critical.

Think IT security holistically

The supply chain cannot be treated as purely external; it must be an integral part of a company’s cybersecurity strategy. Even well-known retailers like Optus and The Iconic have fallen victim to cyberattacks over the past year, a stark reminder that no retail business is immune. Only when the supply chain is considered together with the retailer’s own data and systems can businesses be sustainably protected against cybercrime.

Garry Valenzisi is vice president & general manager of Iron Mountain APAC.