In a rapidly evolving retail landscape with projected holiday sales soaring thanks to online transactions, the security of software supply chains remains a paramount concern. Retailers grapple with the challenge of safeguarding critical software systems, often under pressure to meet tight deadlines and prioritize speed over security. We sat down with Javed Hasan, CEO and Co-founder, Lineaje, to discuss how retailers can protect themselves and their customers from cyber threats.
Given the projected rise in holiday retail sales and the attractiveness of the retail sector to cyber adversaries, what specific challenges do retailers face in safeguarding their software supply chains?
Retail experts expect the 2023 holiday shopping season to bring more than $1.2 trillion in online sales — adding immense pressure to retailers and the software that enables transactions. From the carefully curated ad campaigns emailed to consumers to online payment systems, software is the pulse of retail organizations.
To deliver the latest software in time for the holiday season, retail organizations typically have to meet strict deadlines. Developers will often pull from existing open-source software components or take shortcuts to complete a software project on time – focusing more on speed than safety and security. In the chaos, inspecting the open-source or newly built components for vulnerabilities is typically an afterthought – or not a thought at all. As a result, a faulty, potentially exploitable piece of software is left waiting to be discovered. With the significant increase in demand and strain on resources that the holiday season brings, combined with the diverse digital touchpoints a retailer has, it’s very likely that a threat actor could use the damaged software to penetrate a retailer’s network without being noticed by the security team. We’ve seen this play out in real life with brands like Target and Forever21, which suffered significant software supply chain attacks over the past holiday seasons.
The key to avoiding the increase in attacks during the festive shopping spike is to keep software well maintained and secure year round.
How can security departments within retail organizations effectively defend against software supply chain attacks, especially during the busy holiday season when they face increased cyber threats?
During the holiday season, retailers must set aside time to do the following:
Prioritize Software Maintenance - Retailers should prioritize regular software updates and patches to address known vulnerabilities. This will ensure that all software used has incorporated bug fixes and has installed the latest security patches.
Analyze Third-Party Software - Retailers should conduct assessments of third-party software providers, especially since 80-90% of software originates from open-source components. According to a recent report, 82% of open-source software is considered “inherently risky,” so retailers must stay vigilant in assessing and mitigating any third-party software to understand its lineage.
Assess New Software Integrations - Retailers must conduct a thorough evaluation of risk and vulnerabilities when integrating new software into existing systems. It is imperative to maintain a Software Bill of Materials (SBOM) to validate the security and compliance of both older and new software against any applicable legislation.
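As an added illustration of the maintenance and SBOM practices above (example code written for this article, not Lineaje's tooling), the script below reads a constructed CycloneDX-style SBOM for a hypothetical storefront service, compares each component's version against a constructed advisory list of first-fixed versions, and reports which components still need a patch. The SBOM contents, component names and advisory versions are all placeholders.

```python
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM fragment for a hypothetical storefront
# service (not from the article or any real product; versions are illustrative).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "payment-gateway-sdk", "version": "2.3.1",
     "purl": "pkg:npm/payment-gateway-sdk@2.3.1"},
    {"type": "library", "name": "image-resizer", "version": "1.0.4",
     "purl": "pkg:pypi/image-resizer@1.0.4"},
    {"type": "library", "name": "session-store", "version": "4.2.0",
     "purl": "pkg:npm/session-store@4.2.0"}
  ]
}
"""

# Constructed advisory feed: component name -> first version that carries the fix.
# In practice this comes from a vulnerability database; these are placeholders.
ADVISORIES = {
    "payment-gateway-sdk": "2.4.0",
    "session-store": "4.2.0",
}


def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def components_needing_patch(sbom_text: str, advisories: Dict[str, str]) -> List[dict]:
    """Return SBOM components whose installed version is older than the fixed version."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        fixed = advisories.get(comp["name"])
        # A component already at or above the fixed version is not reported.
        if fixed and parse_version(comp["version"]) < parse_version(fixed):
            findings.append({"purl": comp["purl"], "installed": comp["version"], "fixed_in": fixed})
    return findings


if __name__ == "__main__":
    for f in components_needing_patch(SBOM_JSON, ADVISORIES):
        print(f"{f['purl']}: installed {f['installed']}, fix available in {f['fixed_in']}")
```

Running the same check on each new integration's SBOM, and again whenever the advisory feed changes, turns the "maintain an SBOM" advice into a repeatable patch-status report.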
Software supply chain attacks are expected to cost businesses a substantial amount by 2025. Could you provide insights into the proactive steps that organizations, especially retailers, can take to mitigate these risks? With the changing work landscape, including remote work, how can companies adapt their cybersecurity strategies to address the evolving threat landscape, particularly in the context of software supply chain security?
Here are three best practices for retailers to address the evolving threat landscape, especially when it comes to software supply chain security.
1) Develop an Incident Response Plan - One of the best ways for retailers to be proactive against cyberattacks is to have an incident response plan in place. The plan should detail the steps relevant departments within the retail organization should take in the event of a security incident. The plan should identify the crucial components of the business that need to be up and running to continue to operate both online and brick-and-mortar storefronts – and instructions on how to restore them quickly. In addition, retailers should also include a communication strategy to inform consumers about the incident — especially if personally identifiable information (PII) or payment information was compromised.
2) Align Different Departments - Comprehensive cybersecurity incident response requires alignment from multiple departments across the retailers’ corporate headquarters. Representatives from legal, HR, communications, marketing, development, IT and more should be involved in curating the incident response plan, regularly reviewing and practicing it, and disseminating relevant information about the plan to different franchise locations.
3) Pay Attention To Third-party Vendors - Retailers regularly work with multiple software-as-a-service (SaaS) providers, consultants, marketing and advertising firms, and more while doing day-to-day business. Unfortunately, if one of these third-party vendors is breached, it’s possible that your organization could be compromised too through the supply chain. I would urge retailers to exercise caution if their company collaborates with an external vendor that accesses network infrastructure. Retailers should conduct a monthly assessment of their third-party vendors’ tools to ensure they are up-to-date with the latest security patches and consider doing it more frequently leading up to and during the holiday season.