Mike Beevor gives his expert advice on building a resilient supply chain in the face of growing cyberthreats.
Retailers depend on their supply chain network to ensure shelves are fully stocked and customers are spoilt for choice. However, cybercriminals have become increasingly aware of the importance of these supply chains and are exploiting vulnerabilities.
Major high-street names such as the Co-op, Harrods and M&S all recently fell victim to system breaches, with the latter anticipating £300m in lost profits and disruptions to services lasting months.
The hackers behind the M&S ransomware attack are believed to have gained access via a third-party system, with social engineering tactics used to deceive unsuspecting employees and obtain login credentials.
It is clear that action must be taken to ensure retail operations remain resilient to external threats of this nature. Irrespective of supply chain complexity, steps can be taken to enforce security and mitigate the risk of data breaches.
Choose the right partners
In the context of supply chains, you’re only as strong as your weakest link.
Vulnerabilities or misconfigurations at any partner can easily be exploited by cybercriminals as an entry vector to business-critical systems.
To mitigate the risk of third-party vulnerabilities, it is imperative that retailers conduct stringent vetting of the vendors and suppliers they are looking to work with.
A huge misconception when it comes to supply chain security is that the shared-responsibility model absolves retailers of culpability if a third-party breach occurs.
Accountability always lies with the retailer, and it is integral that partners comply with regulatory guidelines and maintain robust cybersecurity standards.
Vendor risk assessments provide a question-and-answer format to help retailers gauge which partners are a suitable fit based on their risk score. By prefacing any signed contract with a robust vendor risk assessment, retailers can safeguard the supply chain by ensuring that the same cybersecurity standards are exhibited across all partners, vendors and third parties.
In terms of continued compliance, suppliers should be able to provide copies of their latest security audits and be willing to co-operate with security questionnaires.
Account for all APIs
It may sound straightforward, but mapping out the supply chain is integral to enforcing supply chain security. Having a blueprint of the entire logistical operation provides retailers with the safety net that every supplier, manufacturer and distributor is accounted for.
It is often the case that third parties will operate using different systems, potentially leading to incompatibilities that disrupt the exchange of data via APIs (application programming interfaces).
By preparing a detailed plan of the supply chain, retailers can acknowledge systemic differences and help enforce data standardisation across touchpoints, ensuring the flow of secure data across the supply chain.
Because supply chains consist of millions of APIs, some of which are publicly accessible over the internet, security needs to be reinforced at a granular level.
Consistency is key to API security, and before any end user can access a remote application, they must have satisfied robust authentication and authorisation policies.
To maintain the health of applications across the supply chain, the introduction of rate limits prevents the risk of service unavailability due to oversubscribed applications.
Robust API protections elevate supply chain security by forming an effective barrier that protects data at rest and data in transit.
Implement strict access controls
It’s easy to assume that supply chain security must be airtight with little flexibility to prevent the risk of lateral movement. But security must be balanced with connectivity to ensure seamless data exchanges across physical and virtual environments.
The challenge of intricately weaving robust security processes across the supply chain can be fulfilled by implementing advanced technology frameworks.
Zero-trust architecture (ZTA) is one such framework that can help maintain connectivity and security.
A set of strategies and technologies predicated on the principle of ‘never trust, always verify’, zero trust ensures that no connection, even one that originates inside the network perimeter, is trusted unless stringent verification measures such as multi-factor authentication (MFA) and biometric validation have been satisfied.
Zero trust also streamlines supply chain security by segmenting the network and applying ‘least privilege access’, so that only users with the permissions they genuinely need can reach confidential resources, minimising the risk of systems being compromised.
Visibility and constant monitoring
Network complexity is one of the biggest challenges facing IT professionals, and this problem is exacerbated in supply chain operations. From a cybersecurity perspective, it can be difficult to identify vulnerabilities across expansive supply chains, with cybercriminals able to remain undetected and transition into persistent threats.
Transparency is crucial to maintaining supply chain security, and retailers have no shortage of strategies that can facilitate 24/7 network monitoring.
Secure access service edge (SASE) is an approach that combines networking and security capabilities into a cloud-native service. By converging networking and security functionality, SASE architecture provides a consolidated platform where retailers have full visibility over the network, facilitating holistic supply chain security.
Develop a robust cyber incident response plan
This is in no way meant to dissuade proactive cybersecurity measures, but such is the rate and sophistication of cyber campaigns that data breaches are inevitable. Whilst this is a foreboding reality, how well you can respond to a cyberattack speaks volumes about the resiliency of your supply chain security.
Retailers must be prepared for the worst-case scenario and compose a well-defined cyber incident response plan (CIRP) that categorises risks based on severity levels and delineates roles and responsibilities across the entire supply chain.
A well-structured CIRP will guide IT professionals on how to counteract a data breach, limiting any damage caused.
Not only will the adoption of a CIRP ensure the swift neutralisation of identified threats, but the process of root cause analysis and thorough post-mortem investigations will ensure vulnerabilities are patched to prevent any recurrence.
Flexible supply chain security
As recent news headlines have demonstrated, retail operations have never been more exposed to cybercrime. The sophisticated tactics employed by cybercriminals can exploit existing network vulnerabilities with ease. To help fend off such threats, retailers must take a proactive approach to supply chain security that can prevent a breach from occurring in the first place.
Retailers cannot afford to rest on their laurels. Cybercriminals are constantly changing their tactics and exploring innovative ways to breach defences. Flexibility is crucial to maintaining supply chain security, and adopting these strategies can help retailers minimise exposure to cybercrime.
By Mike Beevor
Mike Beevor is chief technology officer at Principle Networks. He leads the development of the company’s technology roadmap, with a clear focus on simplifying cybersecurity and accelerating the firm’s upward trajectory. He has more than 20 years’ experience in technical security and global strategic roles across a wide range of technology organisations, including start-ups, critical infrastructure, physical security and smart cities.