Top Cybersecurity Supply Chain Risks in Retail & Hospitality: How to Prepare


Posted on by Pam Lindemoen

Retail and hospitality supply chains are broad and complex, comprising diverse third parties, like logistics providers, suppliers, and vendors. Close collaboration is essential for making supply chains run like well-oiled machines, but tight integration creates new opportunities for cybercriminals. 

In 2025, executives will encounter new supply chain cybersecurity threats. By taking action now, you can prepare your organization to stand resilient in the face of modern cyberattacks.

Here’s what to consider:

Who’s the weakest link in the supply chain? 

In 2024, 61% of organizations experienced a third-party data breach or cyber incident—up 49% from 2023. Bad actors only need to exploit one weak link to launch attacks on dozens or even hundreds of organizations throughout the supply chain. For both retailers and hoteliers, this means every third-party integration presents a risk. 

Pay attention to common ways cybercriminals exploit third parties to reach retail and hospitality organizations: 

Ransomware

Last year, 45% of retail organizations were victims of a ransomware attack; hotels were no strangers to high-profile ransomware attacks, either. These threats will continue in 2025 with cybercriminals deploying new tactics to thwart defenses. 

Ransomware diversification, for example, enables hackers to carry out multiple attacks at once. When ransomware families split, resulting variants can simultaneously attack different targets and adapt independently to circumvent defenses.

As part of evolving ransomware tactics, attackers are also abandoning the file-locking model. In traditional ransomware attacks, hackers encrypt victims’ files and restore them in exchange for payment; modern criminals go one step further, outright stealing, leaking, or even destroying data.

PhaaS

Phishing attacks are nothing new, nor is PhaaS (phishing as a service). But new PhaaS platforms are more sophisticated and accessible, making it faster, easier, and cheaper for cybercriminals to deploy advanced phishing attacks on unsuspecting organizations in retail and hospitality.

Whether bad actors attack retailers or hoteliers directly or infiltrate their networks via compromised third parties, new PhaaS kits are more deft at evading conventional cybersecurity defenses. For example, the Tycoon 2FA PhaaS platform recently underwent an update, adding new stealth capabilities that enable hackers to bypass traditional security barriers like MFA.

Outdated Systems

For bad actors who want to attack retailers’ and hoteliers’ data-rich networks, third parties are often an easy entry point. Specifically, they seek organizations with vulnerable, outdated systems. For retail and hospitality executives, this means the more you integrate with third parties reliant on outdated systems, the greater your exposure to cybersecurity risks. 

Consider, then, the crisis of outdated technology in the manufacturing industry and its effect on retail and hospitality. With less than 60% of companies using SAP, the third-largest Enterprise Resource Planning (ERP) provider, on track to fully migrate to next-generation software by the 2027 deadline, almost half of companies remain vulnerable to cyberattacks. In turn, this creates opportunities for hackers to exploit retailers, hoteliers, and other supply chain partners.

How to Evade Supply Chain Attacks

Retail and hospitality executives can’t stop third parties from falling victim to ransomware or phishing attacks, nor can they accelerate system upgrades. Still, there are practical steps you can take now to bolster defenses against supply chain attacks. 

Network Segmentation

Even if bad actors successfully infiltrate a retailer’s or hotelier’s network via a supply chain attack, network segmentation can stop them in their tracks.

By dividing the network into smaller, isolated segments, network segmentation limits a threat actor's ability to move laterally within the network after a breach, reducing the risk of further compromise or damage. For retail and hospitality organizations, this technique can isolate customers’ personal and payment information from other, potentially less secure parts of the network, keeping it out of hackers’ reach should they gain unauthorized access. 

Cybersecurity Training

67% of leaders believe their employees lack basic cybersecurity awareness, up from 56% in 2023. To stop this trend in 2025, executives can empower teams with cybersecurity education.

Beyond basics like password hygiene and data handling best practices, employees should be trained to identify supply chain attacks. For example, it’s important to learn how to recognize phishing schemes as this is a common way for hackers to jump from compromised third parties to retailers’ or hoteliers’ networks. Training can include spotting suspicious activities, like phony emails, calls, or SMS messages from vendors asking for changes in payment methods or delivery schedules.

Vendor Risk Management

To prevent supply chain attacks via compromised third parties, retailers and hoteliers can take proactive steps to encourage cybersecurity best practices among both current and prospective vendors. 

Start by carefully assessing each and every vendor your organization collaborates with or is considering collaborating with. Often, this work begins internally; cybersecurity teams can educate executives before procurement on the importance of vendor risk management and the many business, financial, and even legal repercussions of a third-party vendor breach.

Then, conduct regular vendor risk assessments to evaluate vendors’ cybersecurity postures, including their incident response plans, data encryption practices, and standards compliance.

Collaborate with Industry Partners

Third parties can certainly introduce new supply chain risks, but they can also provide support. 

By joining industry groups, like RH-ISAC, you can collaborate with other retail and hospitality organizations to share cyber intelligence, benchmark your security practices against peers, and work together to solve new challenges to develop better security for all. 

Contributors
Pam Lindemoen

CISO Advisor & CSO, VP of Strategy, Cisco and Retail & Hospitality ISAC


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC™ Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

