Why we need a mindset shift to combat the new wave of supply-chain cyberattacks


This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Dani Michaux, EMA Cyber Leader and Head of Cyber Security, KPMG Ireland


• The digital ecosystem has expanded in response to changing needs during the pandemic.

• There is a current rise in cyberattacks, often on vulnerable digital supply chains.

• Organizations must overhaul their risk-assessment procedures and widen the scope of their cybersecurity strategy.

Over the past year, we have seen major geopolitical changes driven by the impact of COVID-19, forcing organizations to strengthen their resilience approaches. The realization has also dawned that the world, as we once knew it, has changed.

A new operating model is emerging based on various restructuring activities, accelerating digitalization initiatives, alternative partnership models, and a sharper focus on core activities. As organizations pivot, it is important to reflect and consider the risks that may emerge as part of these major changes.

Prominent among these challenges is the need to safeguard the new digital ecosystem, which underpins this transformation, from cyberattack and the breakdown of our information infrastructure.

The digital world kept turning in 2020

Cybersecurity is key to achieving the Fourth Industrial Revolution. COVID-19 has accelerated that revolution and the use of digital and cloud technologies in both the public and private sectors. Those technologies are now fundamental to our society.

Sadly, the pandemic has also shown that organized crime is opportunistic and ruthless in its exploitation of events to gain financial advantage. Thus, we have witnessed a steady stream of high-profile cyberattacks on private enterprise, government and social media platforms during the year.

Nevertheless, it’s encouraging to observe the pace at which organizations rolled out robust digital infrastructure during difficult times, and the collaboration that we saw amongst business, technology and security teams to safeguard these rapidly deployed services. It shows us how these often-siloed parties can work together effectively to introduce secure innovation at market speed.

COVID-19 has given the remit of Chief Information Security Officers (CISOs) a new dimension. Suddenly, they must concern themselves with effectively managing thousands of home-working sites, personal devices and a rapid shift to the cloud. The CISO has moved from securing corporate IT boundaries to a broader view of enterprise security.

The timescale for many cloud-migration projects has collapsed from years to months in the race to meet fast-changing business needs. Hyperscale cloud providers are increasingly dominant and intently focused on security.

Digital supply chains are becoming increasingly complex. Image: University of Cambridge

The rise of supply chain attacks

Political and business leaders have become alert to the global interdependence of many critical functions and to the nature of the risk that cross-border supply chains carry. The pandemic made these murky operational and systemic risks real and has given people pause for thought.

Supply-chain attacks are not new. However, in the new highly digitalized and interconnected world, they are becoming more prominent. Frequent attacks raise concerns around the ability of business organizations to remain resilient.

A common theme of all of these attacks is the presence of third-party providers of hardware, services or software. In complex infrastructure, set-ups that involve rapid pivoting to new environments and dependence on third-party suppliers are common.

Third-party providers are targeted with the ultimate aim of reaching a bigger mark. The methods and duration of the compromise vary, but there are some common patterns. These include exploiting the challenges of rapid deployment and looking for gaps in security controls as firms shift quickly to new technology.

Lessons can be learned from sectors like oil and gas, where human safety is on top of executive agendas and assumptions are constantly challenged. It starts from the proposition that you can’t assume that anything will work in the event of a major incident. That’s the culture of resilience that should be in place in all organizations. It is a question of broad operational resilience, not just of IT systems and security.

A different risk-assessment mindset

As we look into the future of highly digitalized and scalable environments, resilience will likely be paramount and non-negotiable, and it may rely on the stability of the end-to-end supply chain. However, it will also require a mindset shift in the approach to data security.

The hunt will be on for cybersecurity orchestration opportunities, for robotic process automation around manual security processes, for more integration with IT key workflows, and for new managed service and delivery models. Third-party security may also need new models for more dynamic risk management and scoring, including better tracking of supply-chain stresses.

Of course, the commonplace SOC 2 and ISAE 3402 assessments may play a role as firms seek to provide evidence once to satisfy a myriad of client questions over their cybersecurity. However, we can also expect to see the rise of “utility models”, where intermediary organizations aggregate client assurance requirements to undertake a one-size-almost-fits-all assessment of suppliers’ cybersecurity.

Over the last few years, firms have also sprung up offering risk-scoring services based on scanning a firm’s internet-facing services, monitoring for data disclosures in the shady corners of the internet, and alerting customers that a supplier may have a potential problem of which the customer is unaware or which the supplier has yet to disclose.

As outsourcing of non-core business services accelerates, it is worth asking: Do you really pay sufficient attention to your dependency on third parties who are now integral to your security and resilience as a business?

As we look to the future, organizations should move from thinking only about enterprise firewalls, antivirus software and patching policies to considering approaches to security that start from the premise that a company’s success is based upon its reputation – ultimately a manifestation of the trust others have in its offerings.

This mindset leads to embedding security into products and services but, more than that, it focuses attention on protecting customers, clients and those increasingly important supply-chain partners. It emphasizes stewardship of the trust they place in you when they share their most sensitive data or show their willingness to become dependent on you.

No organization is an island, and all of us are part of an increasingly hyperconnected world. In that world, trust in supply chains and ecosystem relationships matters more than ever.
