Cyber-attacks on the rise in supply chains
When planning a data breach, hackers are eyeing a new point of entry.
Two-thirds of surveyed organizations experienced a software supply chain attack in the past 12 months, according to “Securing the Supply Chain,” a study from CrowdStrike.
Nearly 80% of IT security professionals across the United States, Canada, U.K., Mexico, Australia, Germany, Japan, and Singapore believe software supply chain attacks have the potential to become one of the biggest cyber threats over the next three years. Yet, few organizations are prepared to mitigate the risks, the study reported.
The vast majority (87%) of those that suffered a software supply chain attack had either a full strategy in place, or some level of response pre-planned at the time of their attack.
One issue is that 71% of IT professionals believe their organization does not always hold external suppliers to the same security standards, and only 37% of respondents in the U.S., U.K., and Singapore said their organization has vetted all suppliers, new or existing, in the past 12 months. Only a quarter believe with certainty that their organization will increase its supply chain resilience in the future.
Most respondents (90%) confirmed they incurred a financial cost as a result of experiencing a software supply chain attack. The average cost of an attack was over $1.1 million, according to the study.
Following last year’s NotPetya attack (encrypting ransomware and malware that targets Microsoft Windows-based systems) and newly imposed General Data Protection Regulation (GDPR) guidelines for the collection and processing of personal information of individuals within the European Union (EU), organizations are more concerned about vetting their suppliers and partners. In fact, 58% of senior IT decision-makers whose organization has vetted software suppliers in the past 12 months stated that they will be more rigorous when evaluating their partners. Nearly 90% agree security is a critical factor when making purchasing decisions surrounding new suppliers.
Although almost 90% of the respondents believe they are at risk for a supply chain attack, companies are still slow to detect, remediate and respond to threats. On average, respondents from nearly all of the countries surveyed take close to 63 hours to detect and remediate a software supply chain attack, while the leading organizations aim to eject an adversary in less than two hours, also known as “breakout time,” according to prior CrowdStrike research.
However, the study indicates that organizations are looking to adopt leading approaches to breach protection such as behavioral analytics, endpoint detection and response, and threat intelligence. Three quarters of respondents already use or are evaluating these technologies.
“Fast-moving, advanced threats like supply chain attacks require organizations to adopt new best practices in proactive security and incident response,” said Shawn Henry, president of CrowdStrike Services and chief security officer. “The new attack methods we see today call for coordinated, efficient and agile defenses.”
Specifically, this includes a combination of endpoint protection technology, expert services, and intelligence to uncover critical investigation information faster, accelerate incident response, and enable companies to get back to business as quickly as possible, the study added.
NRF in new retail training program
The National Retail Federation is targeting job seekers and entry-level workers with its latest training initiative.
The National Retail Federation is teaming up with Penn Foster, a global provider of skills development and training, to launch a partnership with the NRF Foundation to deliver Retail Industry Fundamentals, a training and credentialing program. The new program is part of the Foundation’s Rise Up (retail industry skills & education) initiative. Penn Foster will deliver the training and credential using self-paced, mobile learning technology.
“With more job openings in the United States than unemployed workers to fill them, creating a skilled workforce ready and able to secure meaningful employment in the retail industry is more important than ever,” said Ellen Davis, president, NRF Foundation, which is the philanthropic arm of the NRF. “Our new partnership with Penn Foster will give job seekers and entry-level retail associates across the country online access to our Retail Industry Fundamentals training and credential, helping them gain the skills and confidence needed to secure retail jobs.”
The new Rise Up program, which includes training in customer service, sales and merchandising, and workplace safety, is designed to give entry-level workers a strong foundation for future success in the industry. Developed with the support of leading retailers across the country, the 10-hour curriculum includes interactive exercises designed to engage learners and enable self-assessment through flashcards and self-check questions.
Target Q&A delves into equal pay
While the issue of equal pay among genders, ethnicities and races remains a hot topic at companies across the retail industry, Target is facing the issue head-on.
The discounter has been dedicated to pay equity for nearly a decade, and the company’s latest pay audit of U.S. team members confirmed that Target’s efforts are right on the money. Taking into account relevant factors, such as position, tenure and location, the audit revealed that Target pays — as well as hires and promotes — team members equitably, regardless of gender, race or ethnicity.
In a Q&A posted on its website, Stephanie Lundquist, Target’s chief human resources officer, discussed the practice, and what it means for the company. Here are some highlights:
Providing equitable pay is a big achievement. How did Target do it?
It’s a big job that’s taken conscious effort, including lots of routines we go through regularly with the team. For example, we provide training and tools to the people responsible for hiring and compensation decisions to reduce the risk of bias — whether that’s conscious or unconscious — affecting decision making.
We’ve gotten rid of questions about prior salary from most external hiring situations so that we don’t perpetuate previous pay gaps for qualified job candidates. And we regularly conduct comprehensive pay audits to make sure that pay is fair and equitable across the team. That’s in addition to the overarching work we do to make sure every team member is treated fairly across all dimensions of difference.
How does Target calculate or define pay equity?
Our audit process follows leading industry standards, and we’ve worked with experts in statistics and employment law to design and manage it. In general, we analyze pay by grouping individuals together using objective factors including level, experience, job type, and market, among others, and then look for and address any unintended pay gaps among these smaller groups.
Big picture, how does this work support Target’s strategy?
We have a broad spectrum of guests across the country, and depending on who they are, where they live, and so many other factors, they look to Target for many different kinds of products and experiences.
Our teams are out there every day running our stores and facilities, selling our products and interacting with guests. It’s so important that our team member population reflects the diversity of our guests so they can share their insights on important business decisions and make every interaction and solution more relevant.
Simply put, a diverse and inclusive team is a better team, so when we build our teams through equitable treatment, including equitable pay, we ultimately build a better Target.