The holiday season is not only a busy time for retailers but also presents a myriad of opportunities for cybercrime. The November to January months are the retail industry's most important selling period, with sales in this window accounting for almost one-third of annual sales in some categories. According to a recent report, holiday sales for the 2019 season are projected to hit $1.1 trillion, and that projected upswing could prove irresistible to cybercriminals.
A retailer can take all the necessary precautions to protect its internal networks throughout the season and still be at risk of an attack. Why? Attackers have learned to exploit vulnerabilities in the supply chain, targeting the weakest link and using its access to reach the retailer's more hardened networks. Identifying and plugging supply chain security holes ahead of the shopping season is therefore an important part of the pre-holiday cybersecurity checklist.
Behind the scenes, a retailer is rarely working alone. A consumer may shop for and purchase goods on the retailer's website, pay for the purchase through a second company, and have it delivered by a third.
Accomplishing this seamless customer experience requires information sharing and integration between a retailer’s website and the services of each of its vendors. Additionally, the rise of cloud computing means most of these organizations that are part of the retail supply chain, including suppliers, janitorial services vendors, and third-party logistics companies, have placed some or all of their data and digital assets in the cloud.
While cloud providers have taken measures to secure their own environments, under the shared responsibility model the companies in the retail supply chain that have migrated to the cloud remain responsible for securing their data and applications. Since the retail brand absorbs most of the financial and reputational damage when a breach results from lax security within the supply chain, it is incumbent upon the retailer to establish and enforce policies ensuring that its partners' cybersecurity policies and processes meet industry standards. At a minimum, these partner companies should have defined security policies and controls.
In addition, retailers should consider stipulating that companies in the supply chain perform regular vulnerability scans and an annual penetration test, undergo security assessments, and hold relevant security accreditations.
Additionally, the interaction between different parts of the supply chain and an e-commerce company's systems is often implemented via application programming interfaces (APIs). An API improves operational efficiency by allowing automated interactions between different organizations' backend systems.
API security can be a serious issue for a retailer's e-commerce supply chain. APIs are often built for direct communication with "trusted" parties, so security is not always a design consideration: traffic may not be encrypted, and there may be no adequate mechanism for authenticating the remote party. If APIs are not actively monitored, an attacker who locates one can access it unnoticed, turning it into a source of valuable data. Requiring authentication on every supply chain API, encrypting its traffic, and monitoring its use are a must, and partners should weave these controls into the overall plan to protect customers' information.
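The contrast described above, as an added Python example that is not code from the original article: a partner-facing endpoint that trusts whatever partner identifier the caller sends, beside one that requires an HMAC-signed request bound to the method, path, body and a timestamp. The header names, the partner identifier, the shared secret and the request path are all hypothetical values constructed for this illustration. Signing gives the retailer authentication and integrity for each call; it does not replace TLS, which is still needed for the encryption point raised above.

```python
import hashlib
import hmac
import time

# Constructed example data: in production the per-partner secret would be
# provisioned out of band and held in a secrets manager, not in source.
PARTNER_SECRETS = {
    "logistics-acme": b"constructed-demo-secret-do-not-reuse",
}

# Hypothetical header names used by this example's request signing scheme.
H_PARTNER = "X-Partner-Id"
H_TIMESTAMP = "X-Timestamp"
H_SIGNATURE = "X-Signature"


def handle_unauthenticated(headers, body):
    """Weak pattern: the endpoint believes whatever partner id the caller sends.

    Anyone who discovers the endpoint can impersonate any partner and pull or
    push order data, which is the exposure the article describes.
    """
    partner = headers.get(H_PARTNER)
    if partner in PARTNER_SECRETS:
        return True, f"accepted shipment update from {partner}"
    return False, "unknown partner"


def canonical_message(method, path, timestamp, body):
    """Bind method, path, time and a body hash into the bytes that get signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(partner_id, method, path, body, now=None):
    """Client side: produce the headers a partner attaches to an API call."""
    secret = PARTNER_SECRETS[partner_id]
    timestamp = int(time.time() if now is None else now)
    mac = hmac.new(secret, canonical_message(method, path, timestamp, body),
                   hashlib.sha256).hexdigest()
    return {H_PARTNER: partner_id, H_TIMESTAMP: str(timestamp), H_SIGNATURE: mac}


def handle_authenticated(headers, method, path, body, now=None, max_skew=300):
    """Hardened pattern: verify an HMAC over the request before acting on it.

    Returns (accepted, reason). The timestamp window limits replay of a
    captured request; hmac.compare_digest avoids leaking the expected value
    through a timing side channel. Transport encryption (TLS) is assumed.
    """
    now = time.time() if now is None else now
    partner = headers.get(H_PARTNER)
    ts = headers.get(H_TIMESTAMP)
    sig = headers.get(H_SIGNATURE)
    if not (partner and ts and sig):
        return False, "missing authentication headers"
    secret = PARTNER_SECRETS.get(partner)
    if secret is None:
        return False, "unknown partner"
    try:
        timestamp = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - timestamp) > max_skew:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_message(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, f"accepted shipment update from {partner}"


if __name__ == "__main__":
    # Constructed sample call: a logistics partner posting a shipment status.
    body = b'{"order_id": "A1001", "status": "shipped"}'
    path = "/v1/orders/A1001/shipments"
    good = sign_request("logistics-acme", "POST", path, body)
    print(handle_authenticated(good, "POST", path, body))
    # Same headers with a tampered body: rejected.
    tampered = b'{"order_id": "A1001", "status": "lost"}'
    print(handle_authenticated(good, "POST", path, tampered))
    # The weak handler accepts a forged partner id with no proof at all.
    print(handle_unauthenticated({H_PARTNER: "logistics-acme"}, body))
```

Hashing the body into the signed string means a captured request cannot be re-sent with different order data, and binding the timestamp means it cannot be re-sent much later either; the remaining gap is a replay inside the skew window, which a production service would close by recording seen signatures or adding a nonce.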
Taking the time to review and act on these guidelines now will go a long way toward a successful holiday season and will provide a good way to start the New Year.
Learn more about the latest managed security services and consulting to augment your existing security policies and solutions.