
    From Mike Powell@1:2320/105 to All on Fri Jan 24 10:13:00 2025
    The critical need for watertight security across the IT supply chain

    Date:
    Thu, 23 Jan 2025 15:07:54 +0000

    Description:
    As cybercrime continues to evolve in scope, the threat posed by
    vulnerabilities within the IT supply chain cannot be overlooked.

    FULL STORY ======================================================================

    Cybercrime continues to be a major global concern. Cybercriminals are using ever more sophisticated approaches and exploiting every possible means to intercept valuable data or disrupt IT systems. Organizations targeted and impacted by these attacks, including businesses, critical entities, governments and entire economies, are being left facing serious financial consequences and operational disarray. According to estimates from Statista's Market Insights, the global cost of cybercrime is expected to surge in the next four years, rising from $9.22 trillion in 2024 to $13.82 trillion by 2028.

    One channel used by hackers that is fast becoming a key concern is the IT supply chain. Cybercriminals are exploiting vulnerabilities at third parties in an organization's supply chain, such as vendors, suppliers and logistics and transportation companies, in order to infiltrate the organization's IT systems or access physical components destined to be implemented in products. Speculation that the recent device attacks in Lebanon were the result of third-party tampering highlights the crucial need to better secure not only software supply chains but also hardware. But how much of a threat does the IT supply chain really pose, and what can be done to minimize the risks?

    The weakest link

    The SolarWinds cyberattack in 2020, which compromised the systems, data, and networks of thousands of organizations including the US government, is the most notorious example of a wide-scale software supply chain attack. But despite the exposure of the case and acknowledgement of the need to address the issue of securing the supply chain, there have been numerous others. These include attacks on Okta, Norton, 3CX, JetBrains, Airbus and Microsoft, all of which have been equally crippling to the enterprises affected. Since 2021, cyberattacks targeting supply chains have surged 431%, according to a report published last year by insurance provider Cowbell. And industry analysts see little sign of the issue abating; Gartner predicts that the costs from these attacks will rise from $46 billion in 2023 to $138 billion by 2031.

    For organizations and enterprises, the threat of exposure to attack through the supply chain is a major cause for concern. Unlike the full visibility and control they have over their own systems, to date organizations have had little reassurance that their suppliers and partners have implemented the same high standards of security. Indeed, a recent white paper published by Reuters and Cargowise highlighted how 94% of supply chain executives were concerned about vulnerabilities in their technology stack, with 24% very or extremely concerned.

    Regulators seek to bring standardized security to the supply chain

    Such is the concern around the threat posed by the IT supply chain that authorities are starting to bring in regulation to curb the number of incidents. In October this year the new EU Network and Information Security version 2 (NIS2) Directive came into force. This new legislation was brought
    in to establish a uniform and improved level of cybersecurity across European Union countries. Critically, along with organizations operating in sectors
    such as public administrations, transport, energy, health and banking, companies supplying goods or part of IT supply chains must also adhere to
    NIS2.

    NIS2 will surely help to raise greater awareness of the need to secure
    network infrastructure and ensure security measures are adhered to throughout the IT supply chain. However, beyond compliance with the new ruling, organizations and technology providers ultimately need to take responsibility for ensuring their prized data - and that of their customers - has the
    highest level of protection against theft or system attack. But how do they
    go about this?

    Mitigating the risk of attack via the supply chain

    Each enterprise or organization has its own unique supply chain composed of the relevant third parties required to bring its specific solutions or services to market. As such there is no one way of securing the supply chain. However, there are measures that all enterprises should undertake to ensure their supply chains - both for software and for physical components or products - are as watertight as possible. These include:

    Screening suppliers: before selecting suppliers, comprehensive vetting should be undertaken to verify security practices and ensure trustworthiness

    Periodic audits: Carrying out regular audits and checks on supply chain partners will ensure they are maintaining the expected security measures

    SLAs: Implementing contractual security requirements with logistics providers to ensure they have appropriate security measures in place such as
    tamper-proof seals on trucks

    Monitoring status of goods in transit: Technologies such as RFID and AI can help to track the location and status of goods throughout the logistics flow

    The use of Gen AI to better monitor location of hardware during transit

    The integration of Gen AI into logistics operations is proving not only to make IT hardware supply chains more effective, but also, more significantly, more secure. Thanks to its ability to extract, process and structure unstructured data, like emails, it provides an unprecedented level of visibility into the flow of goods, tracking both their location and ownership at every stage.

    The integration of Gen AI means that logistics teams are always aware of where shipments are and who is responsible for them, and can quickly respond to potential security threats even before an incident occurs. This level of insight and control is invaluable for organizations seeking peace of mind that all elements in their supply chain are well protected at every stage of production and transfer, and that they do not pose any risk of being intercepted or tampered with.

    As cybercrime continues to evolve in sophistication and scope, the threat
    posed by vulnerabilities within the IT supply chain cannot be overlooked. Organizations must confront the reality that their security will only ever be as strong as the weakest link in their supply chain. New regulations such as NIS2 will be critical to ensuring an adequate and standardized approach to security across the supply chain. However, for their own peace of mind and to ensure the integrity of their products and safeguard their valuable data, organizations should look to diligently select supply chain partners, create
    a culture of transparency and use advanced technologies to ensure accurate tracking and monitoring of sourced components and products. In light of the unrelenting levels of cybercrime today, investing in supply chain security
    and resilience in order to protect themselves from attack is a relatively
    small price to pay.

    This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry
    today. The views expressed here are those of the author and are not
    necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

    ======================================================================
    Link to news story: https://www.techradar.com/pro/the-critical-need-for-watertight-security-across-the-it-supply-chain

    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)