i3 | January 04, 2021

Protecting the Retail Supply Chain

It starts like a traditional cops-and-robbers story, but with digital lingo:

“Cybercriminal groups began to cooperate with one another, chaining crimeware and ransomware infections as part of ‘big game hunting.’”

Next comes a description of “a small subset of new threat groups and malwares” and “the professionalism of the cybercriminal value chain.” The tale includes gangs of “the usual suspects” and a “broader cybercriminal ecosystem,” plus “malicious insiders.”

But this is no crime novel thriller. Nor is there any neat resolution, since the final pages are still being written. This is the pedantic — and terrifying — retail 2020 Threat Trend Report from Accenture Security and the Retail & Hospitality Information Sharing and Analysis Center. In one of the most dramatic real-life scenes in the report, the Accenture Cyber Defense team discovers a “malicious mailbox” invasion in which the crooks tapped into the email box of an executive of a large retail chain. The villains focused on emails dealing with the company’s financial transactions, with the goal of payment diversion, executive impersonation or insider trading. Accenture, citing the threat to a “robust supplier network with high-dollar payments,” noted that such attacks “have been successful in stealing funds from every industry” with losses growing every year.

By the time the stories end, there are recommendations for protective procedures to stave off the growing array of cyberattacks, but no happy denouement. Accenture — like other analysts — expects that the bad guys will continue to find inventive ways to attack the retail industry’s activities in ecommerce, traditional retail store operations and the supply chain process from manufacturers and their vendors.

Other reports examine the growing cybersecurity threats during the COVID-19 era, which has seen the simultaneous expansion of remote working and of ecommerce. Evolving business practices during the pandemic have required new ways to deal with supply chains, adding international intrigue plus potential cyberattack vulnerabilities.

“Given the interconnected nature of supply chains and increasingly seamless digital commercial ecosystems, one or more types of business, even the very small, could be the weakest links in the chain,” explained Oliver Wyman, a global management consulting subsidiary of Marsh & McLennan Companies. “Smaller and medium-sized enterprises, [which] often lack sophisticated capabilities, are particularly vulnerable as they pause business-as-usual activities.”

“Retail is more vulnerable to cyberattacks due to the nature of its online traffic and the design of its ecommerce websites,” Oliver Wyman concluded. It cited the contradictory challenge of making online shopping a “pleasurable experience” while maintaining robust security. “This reticence increases the likelihood that a retailer will be a prime target increasing the need to act now to implement cybersecurity best practices.”

Retail is more vulnerable to cyberattacks due to the nature of its online traffic and the design of its ecommerce websites.

Oliver Wyman

Recognition and Response

The National Retail Federation’s 2020 Retail Security Survey came to similar conclusions offering defensive ideas for protection. Stores and chains have revved up their focus on ecommerce crime and cyber-related incidents, such as data breaches, to considerably higher priorities than they were five years ago, according to NRF. Retailers have also bumped up the importance of long-standing problems, such as internal theft (“pilferage”) and return fraud — both of which have become significant problems in the cyberworld as well. In the evaluation process, NRF has developed a roster of defense tactics.

The NRF study found that retailers are “devoting more resources to fight” cybercrime, including top priorities for remote monitoring technology, upgraded point of sale (POS) systems and refund history tracking programs. Stores are also revising and updating risk management planning, risk/vulnerability assessments and other security improvements.

Business analysts contend that COVID-19 has further encouraged retailers to reexamine their supply chain processes by, for example, evaluating their sourcing procedures, to make sure they are not solely reliant on single-source factories in Asia. CTA’s recent report on supply chain, The Balancing Act: How SMEs Are Adjusting Their Supply Chains To A New Normal, advises SMEs develop a single source of truth by collaborating more with suppliers, manufacturers, and employees, tweaking ERP systems, and increasing data-sharing. Such decisions may require new thinking about data transparency. Experts suggest that access to data will encourage more resiliency in supply chains and that technology is the only way to assure such visibility. But others fret that more open sharing of data threatens security lapses.

Studies at BlueVoyant, another security management firm, examined the dangers of third-party relationships. BlueVoyant’s report, Supply Chain Cyber Risk, quotes Goldman Sachs Board Director Phil Venables, who says, “It is very important to review the security of your vendors before you engage them, to make sure they are capable of meeting your needs or otherwise enhancing their controls before they are onboarded.”

Venables, who is also senior advisor of risk and cybersecurity, adds, “It is equally important to establish an approach of continuous monitoring to help assure that such control continues to be in place over the life of the engagement.” Based on that outlook, BlueVoyant recommends that companies build extended cybersecurity relationships with partners in their supply chains.

“Drive supplier risk-reduction activity by building constructive support for suppliers into your third-party cyber risk management program,” the BlueVoyant report concludes. “Alert the vendor when new risks emerge and provide practical steps for them to follow to solve the problem.”

Identifying Solutions

Technology retailers face security challenges on several levels, says Mike Bergman, CTA’s vice president of technology and standards. He cites three security challenges for retailers:

Secure enterprise operations to prevent fraud or data theft.
Secure connected (smart home or home office) devices to handle ongoing internet access safely.
Protect consumer privacy in data handling and policies.

Security is now a significant factor in connected products — and increasingly the companion services — retailers sell, whether intended for smart home, smart vehicle or any new digital application, Bergman says. In addition, tech retailers depend on security in devices, the cloud or elsewhere provided by the manufacturer, especially if the device links back to a supplier’s control. And like other retailers in this increasingly interconnected environment, technology retailers rely on security in the transaction processing phase of the sale, whether it’s a point-of-sale terminal in the store or an online sale.

Bergman points out that some solutions are coming from the top of the supply chain. Manufacturers—particularly those with attractive ecosystems or cloud-based services—have developed security requirements for 3rd party products that connect to those ecosystems or clouds. Apple, Google, Samsung, Comcast and other companies are working on various approaches to such full-scale cyber-safe systems, Bergman notes. He adds that CTA is working with members’ cyber experts, with other industry associations and coalitions, and with the Department of Homeland Security, the Department of Commerce’s National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST), and others, to build pathways toward industry-wide solutions.

“It takes a lot of cooperation on many fronts,” Bergman says. “It’s more complicated than one unified effort.” Equally important is consumers’ growing expectation for high “quality,” which includes constant predictable results when using a connected device. To deliver that level of quality, every part of the digital supply chain must include security, he adds.

Fighting Back

Security analysts agree that it is “time to rethink” the underlying supply chain resilience. While blockchain and other digital technologies are cited as potential security solutions, other approaches for secure protections in the new ecosystem are also surfacing. From advisory organizations to the Federal government, countless recommendations have emerged to encourage and ensure cybersecurity procedures for businesses of all sizes.

For example, CISA (the Cybersecurity and Infrastructure Security Agency within the U.S. Department of Homeland Security) has issued an ongoing stream of protective recommendations. CISA has put the emphasis on securing High Value Assets (HVA), which will be defined differently at various organizations. The one constant HVA is “information or an information system that is so critical to an organization” that the loss or corruption of this information or access to the system could ruin an organization.

CISA has issued operational guidance directives that companies can use, outlining recommendations to identify and prioritize HVAs in order to build an assessment of risks and weaknesses throughout a supply chain. The recommendations are available from the CISA website.

Oliver Wyman, the management consulting firm, adds several steps that retailers can take to mitigate cyber risk. It recommends quick implementation of safeguards such as employee training, including “vigilant monitoring” of data flow and use within the company. Retailers should also embrace the “mobile wallet payment trend” since this process is “notably more secure than traditional” credit card payments because it doesn’t expose actual account details that could be compromised, the firm explains.

Agreeing with this approach is Mohamed Abdelsadek, executive vice president of North America services for Mastercard. He believes in “connected intelligence” as a process to secure transactions “without creating unnecessary friction for consumers and enabling a data collaboration approach between merchants and issuers.” He envisions a “digital environment secured through a layered approach that protects the environment and the customers before, during and after the payment transaction.”

“The next few years will be critical for retailers to establish a secure digital environment for consumers to interact and shop.” Abdelsadek explained in an NRF publication. “While the threats might not be very different to what we are exposed to today, the amount of traffic online and the human factor will be critical to establish a secure digital ecosystem.”

He expects to see new projects, such as “cyber hygiene” programs for employees, new safeguards for customer data and frictionless secure experiences, including contactless payment cards at point-of-sale terminals.

“The U.S. market is now dramatically accelerating in contactless adoption,” Abdelsadek explains, noting that the acceptance pace has increased since the pandemic was declared. He called the tap-and-go process a fundamentally “different payment experience for the cardholder,” part of an evolution toward tokenization of the payment process.

His outlook for one section of the complicated retail cybersecurity tale offers hope for a happy ending to the supply chain and customer-interface thriller.

“Retail is more vulnerable to cyberattacks due to the nature of its online traffic and the design of its ecommerce websites.”

Cybersecurity challenges will be discussed at CES 2021 as more companies transition to cloud computing.

CTA SEEKS A PUBLIC/PRIVATE CYBERSECURITY PLAN THAT PROTECTS INNOVATION

The U.S. Department of Commerce has been exploring a process for “Securing the Information and Communications Technology and Services (ICTS) supply chain, which involves existing and evolving systems, and devices, such as 5G and other wireless technologies. In its comments about the proposal, CTA has urged the government to adopt a targeted public/private, “risk-oriented approach” that focuses on threats to the ICTS supply chain. CTA notes that any government action “could have significant long-term effects in the market for all ICTS providers,” characterizing it as a $5 trillion global market, likely to surpass $6 trillion in 2022. CTA says it seeks to avoid the looming threat of rules that would have “a chilling effect on U.S. innovation and technology investment.”

In similar comments for a Federal Communications Commission proceeding on “Security Threats to the Communications Supply Chain,” CTA explains its co-leadership of the Council to Secure the Digital Economy (CSDE), a group of more than a dozen major ICTS companies involved in communications infrastructure security and the connected products ecosystem. The CTA-hosted project known as “Convene the Conveners” or “C2,” has identified baseline security capabilities that will affect the worldwide supply chain. Engineers will find these ‘baseline’ capabilities detailed in CTA’s recent technical standard CTA-2088. In comments CTA filed with the Department of Commerce on “the National Strategy to Secure 5G Implementation Plan,” CTA said that the best approach to security “should rely on consensus standards and multi-stakeholders that allow the private, public and international sectors to collaborate and drive security innovation at scale.”

Subscribe to i3 Magazine

I3, the flagship magazine from the Consumer Technology Association (CTA)®, focuses on innovation in technology, policy and business as well as the entrepreneurs, industry leaders and startups that grow the consumer technology industry. Subscriptions to i3 are available free to qualified participants in the consumer electronics industry.