Knowing and securing your retail software supply chain is critical in the fight against cybercrime
If you were a hacker, how would you wreak the most havoc possible?
Mass phishing? Targeting critical infrastructure? Perhaps. Or maybe you’d choose to attack a software supply chain that provided access to hundreds, maybe thousands, of businesses. An attack on a single vendor that has supplied software to many organisations attacks all its customers simultaneously.
This is the story of the SolarWinds hack of 2020. Attackers deployed malicious code into the company’s Orion IT monitoring and management software, attacking thousands of its customer enterprises and government agencies worldwide. It made for arguably the biggest cyberattack in history, but certainly not the only successful supply chain hack.
If you think it’ll never happen to your organisation, think again. New BlackBerry research revealed that 4 in 5 IT decision makers have been notified of an attack or vulnerability in their supply chain in the last 12 months. For the retail sector, a functioning supply chain is the beating heart of the business and a focus for software innovation and investment.
The issue may be trust; too many businesses trust their vendors have security covered, so don’t implement adequate protection to secure supply chain software connections. Indeed, the UK government’s Cyber Security Breaches Survey 2022 found that just one in ten UK businesses review the risks posed by their immediate suppliers (13%), and the proportion for the wider supply chain is just 7%.
It proves we can’t afford to be so relaxed. Security must go far beyond vendor trust.
Why supply chain attacks are so fatal
Software supply chain attacks are among the most destructive strategies used by cybercriminals today.
Six in ten (59%) of companies that have suffered a supply chain attack reported significant operational disruption, according to the research by BlackBerry. 58% reported data loss, and 52% reputational impact. Nine out of ten organisations (90%) took up to a month to recover. In retail, time is money – so being hit by a software supply chain attack is an expensive experience.
These attacks wreak havoc because much of the software created and sold today is based on open source code, which can easily be compromised due to its public availability. Vendors should, of course, check it – and research shows that IT teams believe they do; many are confident that their supply chain partners have policies in place of at least comparable strength to their own.
But amid a chronic cybersecurity skills gap around the world, can an organisation guarantee this due diligence? Perhaps not.
Securing a software supply chain against attacks requires knowing what elements in your system have the potential to be attacked. More than three-quarters (77%) of those BlackBerry surveyed said that, in the last 12 months, they discovered previously unknown participants within their software supply chain — entities they had not been monitoring for adherence to critical security standards. This means that malicious lines of code can sit in blind spots for years, ready to be exploited when the attacker chooses.
The National Cyber Security Centre (NCSC) recently encouraged organisations to work with suppliers to “lock shields” and boost resilience to attacks. It’s a great initiative, but even these conversations are merely the preface to an active cybersecurity stance that helps businesses protect themselves. No company is an island – but vigilance begins at home in preventing software supply chain attacks.
What can be done to prevent software supply chain attacks?
Act now! Businesses need a complete, granular view of all potential network and endpoint vulnerabilities in order to predict, prevent, discover, and respond to attacks - whether direct attacks upon a business, or those coming through the software supply chain. An Extended Detection and Response (XDR) tool is a wise option to enable this. By collecting and analysing data from multiple sources, XDR gives the visibility and proactive action to prevent attacks that organisations need - 24/7, 365 days a year. However, new data shows that more than three-in-four IT and cyber decision-makers currently report a lack of holistic visibility into their security posture. Change needs to take place: in the current, heightened threat landscape, a prevention-first approach to all attacks, regardless of their origin, is vital.
Across industries, companies are struggling against a cyber skills shortage. But, in the event of a cyberattack, technology like XDR – and particularly when it comes as a managed service - can significantly speed up response and remediation, meaning security teams can focus on critical roles such as activating Critical Event Management systems and engaging with outsourced Incident Response teams if an attack strikes. Closer, quicker collaboration tends to secure a far better result.
Trust in yourself – but don’t shy away from support
The threat of cyberattacks through the software supply chain remains imminent. As such, retail organisations must be planning their prevention and response strategies now.
It’s true that businesses should put their trust in themselves to keep their software safe from hacks – but there’s also no need to become overburdened. Solutions based on the AI technology, backed by professional support on call 24x7 can re-establish confidence in a secure software supply chain.
After all, who would you rather be? One of thousands of companies all hacked at once, or the company that stands its ground with a prevention-first approach in the face of highly sophisticated attacks?
To find out more about BlackBerry and the services they provide to the retail industry, click here.
This article was also published in The Retailer, our quarterly online magazine providing thought-leading insights from BRC experts and Associate Members.