
Applying a zero-trust approach to supply chain cybersecurity – World Economic Forum

  • In an increasingly digital world, supply chain cyberattacks are growing in number and severity due to their scalability.
  • A zero-trust approach could help increase supply chain resilience in the face of such attacks.
  • By boosting the cybersecurity of each individual company in a supply chain, this method could help to secure these growing global trading networks.

Supply chain cyberattacks are expected to quadruple in 2021 versus last year, according to the European Union Agency for Cybersecurity (ENISA).

These attacks are becoming particularly attractive to cybercriminals because of their scalability. An attack on US software firm Kaseya in July 2021 affected up to 1,500 businesses across the globe. In Sweden alone, almost 500 supermarkets were forced to close when their checkouts stopped working as a result of the attack.

This kind of “one-target, multiple-victims” scenario has turned supply-chain attacks into a lucrative business model for hackers, particularly when coupled with ransomware. The hackers who claimed responsibility for the Kaseya breach demanded $70 million to restore all of the affected businesses’ data.

Given the general increase in digital interconnectedness, this trend is rather dangerous. A company’s security no longer depends solely on its own resilience. A vulnerability in a third party’s products or systems may create an entry point into the entire supply chain for cybercriminals. This means you can no longer simply trust that your vendor is cybersecure — you need to verify it. But how?

The zero-trust approach

Rather than assuming that a company or product you are dealing with is secure, a zero-trust approach requires verification for all assets, user accounts or applications: their access to your systems must be authenticated and approved. Even users within your own technology infrastructure must confirm their data every time they request access to any resource inside or outside the network.

“Rather than assuming that a company or product you are dealing with is secure, a zero-trust approach requires verification for all assets, user accounts or applications.”
—Dmitry Samartsev, BI.ZONE

Experts at Cyber Polygon 2021, an international online conference and cybersecurity training event held last July, discussed how to increase supply chain resilience using this kind of zero-trust approach. The training was also devoted to repelling a simulated supply-chain attack. These expert discussions and exercises led to three key conclusions about why using zero trust to protect supply networks makes sense:

1. What if your vendor pays insufficient attention …….

Source: https://www.weforum.org/agenda/2021/11/3-reasons-to-use-a-zero-trust-approach-for-supply-chain-cybersecurity/