When devious young hackers penetrated the computer networks of major U.S. retailers and suppliers earlier this year, it was a significant test of the quiet cybersecurity collaboration happening among some of America’s best-known brands and their much more obscure partners.
Amid increasingly worrisome attacks on life- and safety-critical sectors like energy, water and healthcare, cyber threats facing the retail and hospitality sector often get significantly less attention. But the retail industry is the country’s largest private-sector employer, making its resilience vital to the U.S. economy. And over the years, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) has played an increasing role in protecting retailers of all sizes, from household names to obscure supply-chain linchpins.
The recent retail hacks, which experts have attributed to the cybercrime group Scattered Spider, demonstrated how companies have come together to defend themselves and one another, Pam Lindemoen, RH-ISAC’s chief security officer and vice president of strategy, told sister publication Cybersecurity Dive.
“The retail sector has leaned into collaboration, sharing intelligence, best practices and response strategies,” Lindemoen said.
The breaches linked to Scattered Spider — a notorious and sprawling gang largely made up of American and British teenagers and young adults — hit several retail giants in May and June, including Victoria’s Secret, the Whole Foods distributor United Natural Foods and the department-store chain Belk. As other retailers took note of the intrusions and tried to avoid becoming the hackers’ next victim, RH-ISAC stepped up to support industry-wide security efforts.
“We played a key role in coordinating responses to the threat,” Lindemoen said.
It helped that the ISAC could lean on allies across the Atlantic Ocean who had just finished dealing with their own Scattered Spider attacks. Throughout April, hackers aligned with Scattered Spider breached the department-store chains Harrods and Marks & Spencer and the food retailer Co-op, prompting urgent warnings from British authorities.
Shortly after those attacks, RH-ISAC organized a briefing for its members with threat intelligence experts at Google’s Mandiant division, Lindemoen said. The ISAC also coordinated with British companies to better understand the threat activity in the U.K., which helped prepare the group for when the hackers turned their attention to American retailers.
While Scattered Spider may be a collective of young cybercriminals, it poses a serious threat. The group eschews traditional vulnerabilities, instead relying heavily on social-engineering techniques such as tricking help desk workers into resetting account passwords. Because of their sometimes deep access to target companies’ networks, the hackers have even been known to surreptitiously join virtual meetings that companies convene to plan responses to their intrusions.
The group’s tactics are “a stark reminder of [how], even with advanced technical defenses, the human vulnerabilities can be the weakest link,” Lindemoen said. “Since they’re relying heavily on social engineering to bypass security controls, that just emphasizes that we have to [focus on] layered defenses.”
Suite of cyber defense services
Promoting layered cyber defenses is a major part of the mission of RH-ISAC, which was founded in 2014 in the wake of a wave of cyberattacks on retailers such as Target. (When it launched, it had roughly 30 members; it now has more than 290 “core members,” including hotels, restaurants, retailers and consumer-goods manufacturers). The group facilitates conversations among members about the threat activity they’re seeing, but Lindemoen said it does more than just help companies exchange indicators of compromise.
“Our members are actually sharing playbooks, response strategies and lessons that they learned in real time,” she said.
In July, RH-ISAC partnered with other sectors’ ISACs to publish guidance about combating Scattered Spider. The hacker gang “presents a real threat” and poses “a significant risk to organizations,” the report said.
The ISAC also partners with Google, Microsoft, Palo Alto Networks, and Akamai to provide those companies’ services and expertise to ISAC members. Microsoft has provided threat briefings and offered advice on integrating artificial intelligence into security operations, while Google has offered in-person training and provided threat intelligence. Akamai ran a roundtable on operational technology security and helps track cyber fraud activity, and Palo Alto Networks has helped corporate leaders improve their threat reporting to boards of directors.
Last October, the ISAC launched a program to help boost cybersecurity at companies that supply its members, a move that reflected the acute concerns among retailers and hospitality firms about the vulnerabilities of their supply chains.
RH-ISAC is “very effective,” as evidenced by “their continued growth over the past few years,” said Christian Beckner, vice president of retail technology and cybersecurity at the National Retail Federation. The ISAC’s increasing maturity was a “key factor” in the NRF’s decision to partner with the group on activities like information sharing and the development of anti-fraud resources, Beckner said.
Lindemoen said the ISAC is focused on “helping members learn from each other and strengthen their defenses collectively.”
Like its counterparts in other sectors, RH-ISAC is full of companies that compete vigorously in the marketplace. But Lindemoen said she has been impressed by how companies put business rivalries aside when hackers strike.
“The competitive nature goes away for our sector, and the collaboration comes together,” she said. “I’ve literally gotten phone calls to say, ‘I’m hearing this. Tell them I’m here to help.’ And it’s really awe-inspiring to watch that happen.”
Securing ‘the human element’
That kind of collaboration is important in a sector whose very nature makes it particularly susceptible to cyberattacks.
The people who work at RH-ISAC member companies — the employees who are the first line of defense against criminals like Scattered Spider — are trained to be friendly, accommodating and trustworthy. But that corporate culture, which even employees who don’t interact with customers and guests are expected to maintain, is exactly the environment in which social engineering thrives. Hackers especially enjoy striking during the busy holiday sales season, when overworked retail employees are more likely to let their guards down.
“If you think about who they are as an industry, they’re hospitality people,” Lindemoen said of her group’s members. “So taking advantage of that is what is unique about [attacks on] this sector. They’re taking advantage of the kindness.”
The challenge for cyber experts focused on protecting retail and hospital firms is how to balance warmth and vigilance. “How do you educate your people … and continue to maintain that hospitality, but ask enough questions to make sure that you’re not being taken advantage of?” Lindemoen said. “That, to me, is very difficult for our sector to manage through, with these types of threats that really attack the human element of businesses.”
RH-ISAC itself also faces challenges. As a voluntary information-sharing group, its influence over member companies’ cybersecurity programs is limited. It can encourage best practices, but it can’t enforce them. Some of its members might be more diligent about following its recommendations than others, which could result in a fragmented cyber posture across the sector.
The diversity of the ISAC’s membership will also play an important role in how comprehensively it can help the sector.
Nearly 70% of RH-ISAC’s core members have at least $1 billion in annual revenue, with 13% reporting revenues of more than $20 billion, according to the group’s latest annual report. In ISACs that are disproportionately made up of the biggest companies in their sectors, smaller players sometimes feel like they have less influence over the groups’ work, and the small companies that are left out have less access to cyber guidance. RH-ISAC is also dominated by retail firms (48% of core members) compared to hospitality industries like hotels and casinos (18%) and restaurants (9%).
Particularly in a sector as complex as retail and hospitality, building a diverse membership will be essential to ensuring that the ISAC’s work products reflect the full breadth of business considerations and security issues that exist in the sector.
“The less regulated and more diverse the sector is, the harder it is to reach everyone,” said Michael Daniel, president of the Cyber Threat Alliance, an information-sharing group. “Retail is virtually uncountable. While the size of individual firms in the sector matters, the number of firms in the sector matters too.”
Growing cyber resilience
Still, there are reasons for optimism in a recent RH-ISAC report. Nearly 20% of chief information security officers in the retail and hospitality sector now report directly to business executives, a 12 percentage-point increase from last year. “We’re being integrated into business decisions,” Lindemoen said. “CISOs are gaining influence in this space.”
In addition, business continuity, a key consideration for cyber resilience, jumped to the top of roughly half of respondents’ priority lists. Lindemoen hailed the increased “attention and focus around not just preventing attacks, but also quickly recovering from them, which is essential in this business.”
Major challenges remain for cyber defenders in the sector — including budget constraints and the constant tension between speed and security — but RH-ISAC leaders are pleased with how companies have weathered increasing threats.
“Despite all these high-profile attacks that you’re seeing,” Lindemoen said, “they’re demonstrating resilience.”