Cybersecurity

Retailers confront a growing risk of cyberattacks

Best practices to integrate software supply chain security into a broader strategy
Cybersecurity
Christian Beckner
VP, Retail Technology & Cybersecurity; Executive Director, Center for Digital Risk & Innovation

In late 2020, numerous U.S. government agencies and private-sector companies were breached as a result of a hack of software deployed by the IT services company SolarWinds. According to U.S. government reports, hackers affiliated with Russian intelligence inserted compromised code into a software update of SolarWinds, which was pushed out unwittingly to thousands of the company’s customers. Russian hackers were then able to use their inserted code to steal sensitive information from a group of agencies and companies that were among SolarWinds’ customers.

NRF PROTECT 2022

Learn more about loss prevention in the retail industry at our annual NRF PROTECT event this summer.

The incident further focused attention on the risks of software supply chain attacks — cyberattacks that target third-party software and services used by companies, in contrast with direct attacks on companies’ internally managed IT systems.

Note that “supply chain” here has a different meaning than the commonly understood meaning in retail related to logistics and transportation. Software supply chain security is primarily about the security of software code — traced back to its original sources — used by an entity and its third-party service providers throughout the full development and deployment lifecycle.

SolarWinds is not the only recent example of a software supply chain attack. Numerous other high-profile incidents over the past year have involved IT services companies such as Accellion, Codecov and Kaseya, affecting hundreds or thousands of companies, including retailers in many countries.

Policymakers have recognized the seriousness of this growing software supply chain threat: The Biden administration’s May 2021 cybersecurity executive order included provisions focused on improving software supply chain security, including by establishing new baseline standards for software companies to follow if they want to continue to sell to the federal government.

Big Show 2022

When these software supply chain attacks have occurred, much of the public attention has focused on the software end users who were compromised, even though they were not the original source of the incident. And companies that have been affected by software supply chain attacks have faced legal and regulatory actions, as if the attack were a breach of their own internal systems.

Given these growing risks, it is critical that retail companies make software supply chain security part of their broader cybersecurity strategy, taking steps throughout the software development lifecycle to ensure they are carefully assessing and monitoring risks with respect to their third-party software vendors.

It is not an easy challenge: A medium-sized or large retailer might have hundreds — if not thousands — of third-party systems operating within its IT enterprise, many requiring privileged access to company information to operate effectively.

With these challenges in mind, how can retailers better address software supply chain security risks? In early October 2021, NRF held a member webinar featuring PwC and Microsoft to discuss these issues and highlight best practices companies can adopt to reduce software supply chain risks. Experts from the two companies highlighted several best practices, including that:

  • Companies should establish clear governance processes with respect to managing software supply chain risks, defining clear responsibilities and involving leaders from numerous business functions, including information security, procurement, legal and business operations.
  • Companies should implement change and configuration management processes on assets and information accessed or managed by third-party service providers.
  • Companies should implement a secure development lifecycle to ensure that third parties are applying security controls and following secure coding practices
  • Companies should consider adoption of a software maturity framework (like NIST’s Secure Software Development Framework) and implement key security practices, including technical testing and controls assurance, among others.

A recording of the webinar is available for NRF members on NRF On Demand here.

NRF held the webinar as part of its broader commitment to help the retail industry address cybersecurity challenges — a commitment it fulfills through the ongoing dialogue within its IT Security Council, through its cyber threat-sharing portal (the NRF Cyber Risk Exchange), cyber-related content at events like NRF PROTECT, and engagement and advocacy on cyber policy issues. If you are interested in learning more about these activities, reach out to NRF at cybersecurity@nrf.com.

Related content

Loss Prevention
Strengthening retail risk management and resilience through collaboration
 
Individuals at NRF PROTECT.
The NRF Retail Law & Risk Workshop brings together retail legal, risk management and security teams for discussion.
Read more
Loss Prevention
Connect and collaborate to combat retail enterprise security risks
 
Christian Beckner and Nitin Natarajan speaking at NRF PROTECT.
Stay informed, exchange ideas, form alliances and uncover the latest tools at NRF PROTECT.
Read more
NRF Retail Law Summit
EEOC General Counsel says personal experience led her to career fighting discrimination
 
A shopping cart and gavel symbolizing retail law.
Karla Gilbride joined legal experts at NRF Retail Law Summit to discuss the unique legal challenges for retailers.
Read more
Cybersecurity, Loss Prevention