WEF
- | September 4, 2024
Georges de Moura , Head of Industry Solutions, Platform for Shaping the Future of Cybersecurity and Digital Trust, World Economic Forum
Christophe Blassiau, Senior Vice-President, Cybersecurity and Global CISO, Schneider-Electric
The ongoing digital transformation has opened up a whole new way of living and working. As deeper performance insights and new levels of connectivity allow businesses to reap the benefits of breakthrough technologies, the world is becoming faster, more flexible and more efficient. This shift is creating a global ecosystem where physical and digital things are increasingly connected, from critical infrastructure assets to people and data.
A study by Gartner finds that in 2019, 60% of organizations worked with more than 1,000 third parties, and those networks are only expected to grow. Other research by Deloitte shows that 40% of manufacturers had their operations affected by a cyber-incident during 2019. And in 2018, the average financial impact of a data breach in the manufacturing industry was $7.5 million.
Moreover, global technology supply chains are increasingly diverse and complex, resulting in changes in the overall risk for critical systems that support national defence, vital emergency services and critical infrastructure.
In December 2020, a global cyber-intrusion campaign was uncovered by a leading cybersecurity firm that compromised first the source code and then subsequently updates to SolarWinds’ Orion Platform, a widely deployed IT management software product. The corrupted update was downloaded by thousands of SolarWinds customers and spanned US government agencies, critical infrastructure entities and private-sector organizations. Though this cyberattack may be unprecedented in scale and sophistication, it is consistent with a number of persistent trends in using supply chain vectors.
This incident further reinforced the threat to global digital supply chains and the strategic imperative for public and private sector stakeholders to ensure trust in the digital ecosystem. It is critical that the software that drives the digital ecosystem is both trusted and secured. By reducing the risks and protecting the digital economy, our society will be able to realize the digital dividends of the Fourth Industrial Revolution.
Image: Schneider Electric
Having a mature third-party risk-management policy and practice will ensure cybersecurity and privacy are constantly considered and addressed with mature, consistent, repeatable and effective measures. These three precepts will embed them in every phase of the life cycle:
A risk-based approach will help guide the third-party acceptance/rejection decision-making process, and helps efficiently and accurately mitigate cybersecurity threats third parties pose to the broader ecosystem.
Such a policy aims to reduce the risks around the development, management and distribution of software and software source code, which must go beyond defending intellectual property and address customer impact. It will help protect and strengthen trust in the digital ecosystem so businesses, governments and individuals can all have trust in, contribute to and benefit from the digital economy.
1. Ensure that the organization’s people, processes and technology are prepared to perform secure software development at the organization level and, in some cases, for each individual project.
2. Protect all components of the product from tampering and unauthorized access
3. Produce well-secured products that have minimal security vulnerabilities in its releases.
4. Identify vulnerabilities in product releases and respond appropriately to address them and prevent similar vulnerabilities from occurring in the future.
By regularly assessing the security posture of third parties, from early sourcing stages, to security due diligence and periodically throughout the duration of a collaborative relationship, an organization will be able to maintain trust with its customers and business partners across the supply and value chains.
A common understanding and approach to existing and emerging threats will enable industry and government actors to implement appropriate countermeasures to mitigate supply chain security risks. In the fallout of the SolarWinds incident, it is crucial all stakeholders in the supply and value chains embrace a risk-informed cybersecurity approach to ensure a secure and resilient ecosystem.
RELATED NEWS