What can the retail industry learn from the SPAR cyberattack?
Last month, more than 300 of the James Hall-supplied SPAR stores were hit by a cyberattack so severe that many had to temporarily close their doors to customers. These closures were the result of total IT system failures, with some stores unable to process card payments. Alongside the payment disruption, wholesale ordering functions and manufacturing operations at the James Hall depots were affected. This attack on SPAR’s infrastructure is just one of many that the retail industry has seen in recent years, such as the attempted hack on Tesco and the Fat Face data breach. But what has this taught us about the current threat landscape? And what can retailers, along with all other industries, learn from this particular attack?
It’s all about network architecture
The attack on SPAR is particularly interesting given the franchise structure of the organisation. While we do not know the full details, it is likely that the hackers targeted HQ servers and moved laterally across the IT systems in each branch – travelling from the corporate network through to the credit data environment to disrupt payment processes. For a business to protect itself from this kind of movement, NetOps teams should always avoid developing a flat network architecture and instead implement well-defined separation policies. This can be the difference between a single compromised device and a breach that shuts down an entire organisation.
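The flat-versus-segmented point can be checked mechanically. The following is an added example, not part of the original article: it treats zone-to-zone allow rules as a graph and reports any chain of permitted hops from the HQ network to a protected zone. All zone names and rules are constructed for illustration.

```python
from collections import deque

# Constructed zone-to-zone allow rules (src, dst, service); all names are hypothetical.
FLAT_POLICY = [
    ("hq_corp", "branch_corp", "any"),
    ("branch_corp", "branch_pos", "any"),
    ("hq_corp", "depot_ordering", "any"),
    ("depot_ordering", "depot_manufacturing", "any"),
]
SEGMENTED_POLICY = [
    ("hq_corp", "branch_corp", "tcp/443"),
    ("branch_pos", "payment_processor", "tcp/443"),  # outbound only, nothing inbound
    ("hq_corp", "depot_ordering", "tcp/443"),
]
PROTECTED = {"branch_pos", "depot_manufacturing"}


def lateral_paths(policy, start, protected):
    """Return {protected_zone: shortest chain of allowed hops from start}.

    Conservative assumption: any allow rule, whatever the service, counts as a
    possible hop for an intruder who already controls the source zone.
    """
    graph = {}
    for src, dst, _service in policy:
        graph.setdefault(src, []).append(dst)
    parent = {start: None}
    queue = deque([start])
    while queue:  # breadth-first search over allowed zone-to-zone hops
        zone = queue.popleft()
        for nxt in graph.get(zone, []):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    found = {}
    for zone in protected:
        if zone in parent and zone != start:
            path, node = [], zone
            while node is not None:  # walk back to the start zone
                path.append(node)
                node = parent[node]
            found[zone] = path[::-1]
    return found


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        exposed = lateral_paths(policy, "hq_corp", PROTECTED)
        print(name, "->", exposed or "no path to protected zones")
```

Run against an export of real firewall or ACL rules, a non-empty result is a list of segmentation gaps to close or to justify.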
Cybercrime is going beyond stealing information
Like much of the cybercrime we have seen over the last 12 months, the attack on SPAR was confirmed as ransomware. It is no accident that the shared services targeted by the SPAR hackers were payment processes. Cybercriminals will want to cause as much pain as quickly as possible to ensure they get the financial reward, so shutting down Operational Technology (OT) until money is paid is a smart and sinister way to deploy ransomware. We’re increasingly seeing instances of cyberattacks affecting the physical environment too, and not just in the retail world. In healthcare, the proliferation of the Internet of Medical Things (IoMT) means that criminals can hack and affect life-saving OT. It proves that criminals are going beyond stealing information and are willing to intentionally shut down critical infrastructure to cause the most damage.
Supply chain security needs to be a top priority
Most large organisations now understand the importance of a strong security strategy. However, this also means hackers will start searching for new ways in, and this attack highlights how criminals are leveraging back-door entrances through the supply chain. Rather than hit SPAR directly, it was James Hall as the third-party supplier that became the weak link. To mitigate these dangers, it is essential that organisations understand the risk of working with third parties and ensure that well-defined security policies and frameworks such as ISO 27001 are put in place. Liability around breaches must also be contractually agreed, and businesses should look to implement regular penetration testing to protect their networks as well as demonstrate their due diligence.
The solution is an ‘always on’ Security Operations Centre
After the attack, James Hall and SPAR had to dust off their playbooks and look at their recovery techniques and backup strategies. While it is essential to have those backups in place, the reality is that a Security Operations Centre (SOC), monitoring for attacks day and night, would have mitigated the risks of the breach. The biggest lesson retailers, grocers and all sectors can take from this attack is that it’s not a case of ‘if’ a business will be attacked, but ‘when’. With a SOC in place, however, SecOps teams can spot the attack before it becomes critical.