- In an increasingly digital world, supply chain cyberattacks are growing in number and severity due to their scalability.
- A zero-trust approach could help increase supply chain resilience in the face of such attacks.
- By boosting the cybersecurity of each individual company in a supply chain, this method could help to secure these growing global trading networks.
Supply chain cyberattacks are expected to quadruple in 2021 versus last year, according to the European Union Agency for Cybersecurity (ENISA).
These attacks are becoming particularly attractive to cybercriminals because of their scalability. An attack on US software firm Kaseya in July 2021 affected up to 1,500 businesses across the globe. In Sweden alone, almost 500 supermarkets were forced to close when their checkouts stopped working as a result of the attack.
This kind of “one-target, multiple-victims” scenario has turned supply-chain attacks into a lucrative business model for hackers, particularly when coupled with ransomware. The hackers who claimed responsibility for the Kaseya breach demanded $70 million to restore all of the affected businesses’ data.
Given the general increase in digital interconnectedness, this trend is rather dangerous. A company’s security no longer depends solely on its own resilience. A vulnerability in a third party’s products or systems may create an entry point into the entire supply chain for cybercriminals. This means you can no longer simply trust that your vendor is cybersecure — you need to verify it. But how?
The zero-trust approach
Rather than assuming that a company or product you deal with is secure, a zero-trust approach requires verification of every asset, user account and application: access to your systems is granted only once that authentication has been approved. Even users inside your own technology infrastructure must re-authenticate every time they request access to any resource, inside or outside the network.
Experts at Cyber Polygon 2021, an international online conference and cybersecurity training event held last July, discussed how to increase supply chain resilience using this kind of zero-trust approach. The training was also devoted to repelling a simulated supply-chain attack. These expert discussions and exercises led to three key conclusions about why using zero trust to protect supply networks makes sense:
1. What if your vendor pays insufficient attention to cybersecurity?
The vendor you deal with might miss something in building its cybersecurity system or underestimate the importance of secure development of products and services. This may lead you to unknowingly install vulnerable software or, in the case of an unreliable cloud service provider, expose your organisation to data leaks.
To minimise these risks:
- Verify a vendor’s compliance with cybersecurity standards before applying for its services or signing a contract for software development. Remember to stipulate liability in the contract in the event of security incidents.
- When outsourcing software development, carry out regular quality assurance, particularly when updates are released.
- Engage independent experts to audit the security of the developed software and products.
- Introduce solutions for continuous security monitoring of the applications. In the case of a cloud service provider, you should also require additional control mechanisms such as monitoring of sessions and sources of entry, as well as auditing of sessions.
2. What if your vendor places too much trust in other third parties?
A supply chain is a multilayer structure, so your vendor may be working with other third parties and relying on their resilience without verification. If even one of these entities has a low level of cybersecurity, it could become the point of entry into the whole supply chain.
A zero-trust approach can help to reduce this risk by:
- Requiring secure and confirmed access to all resources. Every time a user accesses an application or cloud storage, reauthentication is required. In effect, each attempt to access the network is regarded as a threat until proven otherwise.
- Using the least-privilege model, which limits each user’s right of access to data to the minimum level necessary to perform their duties. This prevents a cybercriminal from reaching large datasets through one compromised account.
- Analysing the logs, or history of events and their sources, in your applications and recording anomalies in dedicated monitoring software. This helps to reveal threats in your network and to reconstruct the chain of events after an attack.
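As an added illustration of the three mechanisms above (per-access verification, least privilege and log review), together with the session and entry-source monitoring recommended under point 1, here is a small Python access gate for third-party accounts; it is not code from the article or from Cyber Polygon. The policy table, account names, addresses, timestamps and the 15-minute reauthentication interval are all constructed assumptions.

```python
import ipaddress
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Constructed policy: each third-party account is limited to the resources it
# needs (least privilege) and the entry sources it is expected to connect from.
POLICY = {
    "vendor-backup-svc": {"resources": {"backup-bucket"}, "sources": ["203.0.113.0/24"]},
    "vendor-support": {"resources": {"ticketing-app"}, "sources": ["198.51.100.0/24"]},
}
MAX_SESSION_AGE = timedelta(minutes=15)  # assumed reauthentication interval
AccessRequest = namedtuple("AccessRequest", "account resource source_ip auth_time now")

def evaluate(req, audit_log):
    """Treat every request as hostile until each check passes; record the decision either way."""
    policy = POLICY.get(req.account)
    if policy is None:
        reason = "unknown account"
    elif req.now - req.auth_time > MAX_SESSION_AGE:
        reason = "stale authentication, reauthentication required"
    elif req.resource not in policy["resources"]:
        reason = "resource outside least-privilege scope"
    elif not any(ipaddress.ip_address(req.source_ip) in ipaddress.ip_network(n)
                 for n in policy["sources"]):
        reason = "unexpected entry source"
    else:
        reason = "ok"
    audit_log.append({"time": req.now.isoformat(), "account": req.account, "resource": req.resource,
                      "source": req.source_ip, "allowed": reason == "ok", "reason": reason})
    return reason == "ok", reason

def denied_by_account(audit_log):
    """Count denials per account so repeated scope or source violations stand out in review."""
    return dict(Counter(rec["account"] for rec in audit_log if not rec["allowed"]))

def sample_run():
    """Constructed traffic: one legitimate request and three that a zero-trust gate should refuse."""
    log, t0 = [], datetime(2021, 7, 5, 10, 0)
    fresh, stale = t0 - timedelta(minutes=5), t0 - timedelta(hours=2)
    requests = [
        AccessRequest("vendor-backup-svc", "backup-bucket", "203.0.113.10", fresh, t0),
        AccessRequest("vendor-backup-svc", "hr-database", "203.0.113.10", fresh, t0),  # scope creep
        AccessRequest("vendor-support", "ticketing-app", "192.0.2.77", fresh, t0),  # unexpected source
        AccessRequest("vendor-support", "ticketing-app", "198.51.100.5", stale, t0),  # needs reauth
    ]
    reasons = [evaluate(r, log)[1] for r in requests]
    return reasons, denied_by_account(log)
```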
3. What if you are contacted by a criminal posing as your vendor?
One of your employees may receive an email that seems to be from your vendor, but is actually a phishing email from a criminal. Corporate accounts continue to be one of the most tempting targets for cybercriminals, and phishing has become the main method to deliver ransomware infections into companies.
We have found that 7 out of 10 sales representatives fall for cybercriminal tricks when we simulate phishing attacks on our clients for training purposes. So even advanced software solutions may not be enough to secure a company if employees open the doors to intruders. Requiring employees to verify all incoming mail can substantially minimise this risk: our research shows a 9-fold reduction in employees taking the bait after companies have been conducting phishing drills for two years.
The potential financial gains from supply chain attacks provide significant motivation for today’s cybercriminals. As a result, supply chain security is a crucial issue for the digital community to address.
The zero-trust method can considerably increase the resilience of each individual company in a supply chain, bringing more stability to these growing networks. By verifying vendors and every other element inside and outside the system, as well as providing regular training in this method to employees, it is possible to overcome this challenge.