The Retailer Winter Edition 2023


TRUST IS NOT ENOUGH TO SECURE YOUR SUPPLY CHAIN

Keiron Holyome, VP UKI and Emerging Markets, BlackBerry

Knowing and securing your retail software supply chain is critical in the fight against cybercrime

If you were a hacker, how would you wreak the most havoc possible? Mass phishing? Targeting critical infrastructure? Perhaps. Or maybe you’d choose to attack a software supply chain that provided access to hundreds, maybe thousands, of businesses. An attack on a single vendor that has supplied software to many organisations attacks all its customers simultaneously.

This is the story of the SolarWinds hack of 2020. Attackers deployed malicious code into the company’s Orion IT monitoring and management software, attacking thousands of its customer enterprises and government agencies worldwide. It made for arguably the biggest cyberattack in history, but certainly not the only successful supply chain hack.

If you think it’ll never happen to your organisation, think again. New BlackBerry research revealed that 4 in 5 IT decision makers have been notified of an attack or vulnerability in their supply chain in the last 12 months.

For the retail sector, a functioning supply chain is the beating heart of the business and a focus for software innovation and investment. The issue may be trust; too many businesses trust their vendors have security covered, so don’t implement adequate protection to secure supply chain software connections. Indeed, the UK government’s Cyber Security Breaches Survey 2022 found that just one in ten UK businesses review the risks posed by their immediate suppliers (13%), and the proportion for the wider supply chain is just 7%. It proves we can’t afford to be so relaxed. Security must go far beyond vendor trust.

Why supply chain attacks are so fatal

Software supply chain attacks are among the most destructive strategies used by cyber criminals today. Six in ten (59%) of companies that have suffered a supply chain attack reported significant operational disruption, according to the research by BlackBerry. 58% reported data loss, and 52% reputational impact. Nine out of ten organisations (90%) took up to a month to recover. In retail, time is money – so being hit by a software supply chain attack is an expensive experience.

These attacks wreak havoc because much of the software created and sold today is based on open source code, which can easily be compromised due to its public availability. Vendors should, of course, check it – and research shows that IT teams believe they do; many are confident that their supply chain partners have policies in place of at least comparable strength to their own. But amid a chronic cybersecurity skills gap around the world, can an organisation guarantee this due diligence? Perhaps not.

Securing a software supply chain against attacks requires knowing what elements in your system have the potential to be attacked. More than three-quarters (77%) of those BlackBerry surveyed said that, in the last 12 months, they discovered previously unknown participants within their software supply chain — entities they had not been monitoring for adherence to critical security standards. This means that malicious lines of code can sit in blind spots for years, ready to be exploited when the attacker chooses.

The National Cyber Security Centre (NCSC) recently encouraged organisations to work with suppliers to “lock shields” and boost resilience to attacks. It’s a great initiative, but even these conversations are merely the preface to an active cybersecurity stance that helps businesses protect themselves. No company is an island – but vigilance begins at home in preventing software supply chain attacks.

What can be done to prevent software supply chain attacks?

Act now! Businesses need a complete, granular view of all potential network and endpoint vulnerabilities in order to predict, prevent, discover, and respond to attacks - whether direct attacks upon a business, or those coming through the software supply chain.

An Extended Detection and Response (XDR) tool is a wise option to enable this. By collecting and analysing data from multiple sources, XDR gives the visibility and proactive action to prevent attacks that organisations need - 24/7, 365 days a year. However, new data shows that more than three-in-four IT and cyber decision-makers currently report a lack of holistic visibility into their security posture. Change needs to take place: in the current, heightened threat landscape, a prevention-first approach to all attacks, regardless of their origin, is vital.

Across industries, companies are struggling against a cyber skills shortage. But, in the event of a cyberattack, technology like XDR – and particularly when it comes as a managed service - can significantly speed up response and remediation, meaning security teams can focus on critical roles such as activating Critical Event Management systems and engaging with outsourced Incident Response teams if an attack strikes. Closer, quicker collaboration tends to secure a far better result.

“4 in 5 IT decision makers have been notified of an attack or vulnerability in their supply chain in the last 12 months (BlackBerry research).”
