For retailers: Suppliers of POS, OMS and CRM systems are not ‘Third Party’, they are actually ‘Teammates’
- Mar 26

Retail is based on three core systems: Point of Sale (POS) systems in physical sites, Order Management Systems (OMS) in online sites, and Customer Relationship Management (CRM) systems in the business back office. This is the IT and operational beating heart of a retail business. Any disruption in these three can make the business stand still, and for big retailers this means a lot of money lost.
The problem in terms of security is that all three systems have natural flaws that attackers like:
POS is a physical, usually mobile, endpoint device distributed among hundreds or thousands of the retailer’s employees. These devices can be lost, used for scams, or breached through employee identity theft or through software and physical vulnerabilities that are not addressed fast enough on all distributed endpoints.
OMS is exposed to the internet, outside organizational network buffers (DMZs), and can therefore be breached or used by an attacker, with a wide spectrum of malicious tools, to infiltrate the systems.
CRM is in many cases a SaaS, and is also susceptible to attacks by a wide spectrum of malicious tools.
To make things more complicated in terms of security, in most organizations the three are part of a single supplier’s suite, and if not, they are heavily connected. And to make the challenge bigger, (a) these connections are usually made today in a cloud environment, and (b) AI-based features are added in order to increase sales and improve customer experience.
This means that if you are a big retailer, you are both heavily dependent on this POS - CRM - OMS triangle and exposed to possible significant security breaches that can create heavy losses.
That’s why I want to make the diagnosis that POS - CRM - OMS suppliers are not ‘Third Party’; they are the heart of the business and should therefore be viewed as ‘Teammates’. If the attacker is in your POS - CRM - OMS supplier’s network, he practically touches the core of your business: the supplier’s security and business continuity are yours too.

In such an environment of deep dependencies, and even operational and security fusion, retailers must be much more vigilant about the relationships with their core system suppliers. This means a high degree of transparency, intimate knowledge and staying on guard 24/7. This may include, among other things:
Bill of Materials: The retailer should get from its POS - CRM - OMS teammates a full account of the physical and software components, as a base for advanced maintenance and security processes.
Protect each other: The retailer should be intimately familiar with its teammates’ IT, operational and security posture, structures, processes and relevant stakeholders, and should share information about its own, in order to create high mutual awareness, deeply understand routine operations, and rapidly identify and alert on a deviation from them.
Defend with each other: The retailer should think about how to maximize cooperation with teammates on crucial operational and security processes such as identity management, patch and vulnerability management, product updates, DRP, etc.
Mitigate together: The retailer should work with its teammates to strengthen the joint response to operational mishaps, cyber incidents and the business continuity issues related to them.
If you identify with my observations, I think you will also connect to the ideas of Rescana. What more should retailers do with their ‘teammates’, and how can Rescana significantly support it? I will elaborate in the next analysis.


