It’s old news that the pandemic has accelerated the adoption of digital means, but perhaps not widely recognised or accepted yet is that this will change the security paradigm in the short to medium term. And only a few organisations that expect their operations to be disrupted are looking for proactive ways to manage risk to their increasingly complex operations.
In particular, the adoption of new technologies to help drive efficiencies across the business is leading to more complicated IT ecosystems that are, in some cases, heavily integrated with partners, alliances and suppliers. This grey area of risk falls outside the traditional good practice guidelines we have come to know well. We must now adapt our methods and approaches to identify and manage this new risk vector.
With the traditional corporate boundary now becoming increasingly blurred, expanding deep into your supplier landscape, trying to track “who does what and when” with our data is a growing challenge. We now face an increased “attack surface”, presenting many unknown risks and impacts on our daily operations – and our response needs to reflect that.
This is an industry-agnostic problem. It affects financial services accelerating digital adoption to provide better services to their customers. Equally, the rise of e-commerce and non-store retailing within consumer, manufacturing and distribution is placing huge demands on technology-driven solutions to streamline operations. Real-time stock levels, tracking software allowing for improved accuracy over end-to-end manufacture to delivery to the customer are examples of where your software talks to your supplier’s software, which talks to their supplier’s software. All that requires new approaches to managing risk.
Breaches in security can erode market value and damage brand reputation. The attack on SolarWinds and the ransomware attack on Florida-based IT company Kaseya spread through hundreds of networks. That failure to appreciate risk in the overall end-to-end system had a significant material impact on their operations. The Swedish Coop supermarket chain was forced to close all 800 outlets for five days, resulting in sales loss of about SEK90m (£7.2m) a day, highlighting the need to readdress our approach to risk management and look further afield than our own corporate domain.
The unknown risks from this interconnected world include exposed or abandoned internet-facing servers highlighting asset management issues, and confidential documents leaking due to a lack of consistently applied data classification and handling across multiple organisations. Other dangers come from default, out-of-the-box login credentials, pointing to build standards not being met, and legacy hardware falling off the support radar and identifying failing decommissioning processes.
Further problems can arise from suppliers not doing what they are expected to do and not identifying breaches you were blissfully unaware of. All this is in addition to the need to respond to the growing regulatory focus on supply chain accountability, which is placing further pressure on already pressed resources to address risk.
What do we need to do?
So, how do we broaden risk management processes to incorporate the supplier landscape and streamline efforts? There are five key areas to focus on:
By adapting our traditional approach to managing risk, we can identify the attack surface across the entire IT ecosystem and, by proxy, identify areas of weaknesses we need to fix. This will also enable the more efficient and effective use of scarce resources to target areas of vulnerability underpinning our operations, allowing us to obtain a higher degree of assurance in this connected world.