Thieves and fraudsters continue to invent new scams that threaten retail supply chains, even when organizations are following supply-chain security best practices. Security firm Check Point, for example, reported on a Spring 2017 discovery of malware, adnets, spyware and even ransomware that had been installed on at least 36 Android devices while they were still in the supply chain. The devices came from numerous manufacturers, including Samsung and LG. The worst of the discoveries, a piece of malware known as Loki, is a suite of malicious software built from multiple components, each with its own functionality intended to damage files and programs.
True, Check Point’s report could partly be construed as an indictment of Google’s Android operating system. Still, it would seem impossible for bad actors to install malware on devices somewhere in the supply chain. But it happened.
So how does a company make the most of its supply-chain security best practices? Here are some tips offered in a recent webinar on supply chain risk by Microsoft:
Perform thorough vetting of all service providers, suppliers, and products. Organizations should only work with suppliers that hire vetted personnel, and they also need to vet anyone who may have access to sensitive company information. In addition, it’s crucial for companies to ensure the security of all technologies they employ in their day-to-day operations, whether via their own IT personnel or a third-party vetting process.
Put security controls in place and establish contractual penalties. In order to follow current supply-chain security best practices, organizations now need to ensure that regular security audits are conducted and that stringent security controls, such as privileged-access controls, are put in place. Vendors or service providers who fail to abide by those security requirements should face contractual penalties.
Find a balance when diversifying providers. As an organization builds or updates its set of supply-chain security best practices, it’s important to keep in mind that every other company follows a different set of standards when it comes to logistics security. Some degree of diversification is favorable, since it helps organizations avoid having a single point of vulnerability.
Take advantage of industry and government partnerships. Sharing threat intelligence and creating benchmark data and standards are two ways in which supply-chain security can be bolstered.
Establishing a comprehensive set of supply-chain security best practices is a process. Vetting, security controls, diversification, and partnerships with industry and government are all ways that organizations can strengthen the security of their supply chains. But, like most IT strategies, securing suppliers is an ongoing effort. The whole process should be reviewed regularly.
While it’s true that many retail loss prevention professionals don’t get deeply involved in supply-chain security planning, we need to understand as much as we can about all the components of security and loss prevention. Because you never know.
This post was originally published in 2017 and was updated December 20, 2017.