The retail industry is one of the biggest contributors to the Gross Domestic Product (GDP) of any economy. While the pandemic had a significant negative impact, the retail industry has begun to bounce back and online retail is now in the spotlight more than ever.
But with the boom comes a special set of cybersecurity challenges, as retailers, distributors, and customers use complex and mobile systems to connect with each other over the web. And to give customers an online experience similar to the one they have in the store, companies use a plethora of third-party apps such as chatbots, payment services, and web analytics to enhance website capabilities. These functionalities are necessary for an online retailer to be successful and remain competitive, but unfortunately, each one also widens the retailer's attack surface and leaves it increasingly vulnerable to a cyber-attack.
Another phenomenon that significantly contributes to the growth of the retail industry, and at the same time increases the risk of cyber-attacks, is the use of third-party suppliers. As an essential business expansion plan, large retail organizations distribute their products to smaller multi-retail third parties who may not have the same level of cybersecurity sophistication as the large retailers. And given the backend connectivity these parties have for transaction reconciliation, this relationship opens a possible entry point for attackers.
The retail industry has a complex third-party ecosystem: a small-to-medium-sized retail organization can have hundreds of third parties at a minimum, and that number can grow into the tens of thousands for large retailers. And because these third-party services operate outside of the security team's control (despite handling vast numbers of financial transactions and large amounts of customers' personal data), it's no wonder that the retail sector has been a target for cyber criminals. In fact, Trustwave reports that 24 percent of cyberattacks target retailers, with 40 percent of these breaches being caused by a third party (Trustwave Global Security Report 2020). As the retail ecosystem grows, attackers are going for the low-hanging fruit, either by targeting the third-party apps directly or by exploiting weaknesses in the connections between the distributed network of third parties and retailers.
The SolarWinds and Kaseya cybersecurity incidents taught us that one vulnerability can be used to exploit connected systems and impact multiple organizations. These attacks illustrated why it is imperative for retailers to focus on third-party cyber risk management (TPCRM). Tools or self-certification processes like ISO 27001 cannot evaluate third parties based on the risk they present to the business. Retailers need a Cyber Risk Intelligence solution such as CyberGRX, which not only scales the requirements across an entire vendor ecosystem, but is also comprehensive and provides complete visibility into the cybersecurity postures of third parties. Retailers then need to analyse the data based on their usage of each third party, so they can take proactive actions that prevent a cybersecurity incident.
At CyberGRX we work with multiple large retail organizations and have helped them mature their TPCRM programs. The solution not only helps them to scale, but also provides immediate support in reacting to the latest threats. For example, we supported all our customers in identifying which of their third parties were susceptible to the Log4j vulnerability, as well as assisting them in proactively addressing the risk and prioritizing actions against vulnerable third parties. We maintain a library of threat profiles that is continuously updated in order to protect against new and emerging attacks.
Partnering with CyberGRX gives organizations the ability to defend themselves differently in the face of cyber-attacks now…and in the future.