10th e-Crime & Cybersecurity France
30 March 2021, Online
Securing the supply chain: the world after SolarWinds
After almost a year of on-off COVID-lockdowns, CISOs could be excused for struggling with the challenge of maintaining security in a fluid, hybrid work environment. Simply keeping on top of the basics, like ransomware, is a full-time job. Just ask French IT services giant Sopra Steria. It just announced that a Ryuk ransomware attack has cost it between €40 million and €50 million.
But in addition to that, they are also scrambling to protect the ever-expanding attack surface that is being created by accelerated digitalization. Companies have no choice but to embrace e-channels across their businesses, and their customers and suppliers are doing the same. Securing these websites, apps, payment channels and customer interfaces is non-trivial and may require a rethink of security and development environments.
The IoT is also becoming a significant blip on CISOs' radars. More accurately thought of as a vast ecosystem of sensors, the IoT generates huge volumes of sensitive data from devices mostly not built with security in mind. Just tracking which devices are on your network is complicated. And if we return to office working, the smart buildings in which we work are full of potential security flaws.
Data privacy, of course, IoT-related and not, is critical. While many CISOs still believe privacy lies beyond their security remit, this distinction will become unsustainable. French firm Predicio recently found itself in the spotlight over its role in the secretive world of the collection and selling of mobile location and other personal data, a market that raises many questions about how companies protect personal data and how they define authorised and unauthorised data usage. Schrems II is just the beginning.
On top of all that, CISOs now have to grapple with the implications of SolarWinds. Third-party security was already one of the most difficult challenges CISOs faced. But SolarWinds shows that your own security vendors can be your weakest link. It shows that state actors may be your biggest risk. And it shows that third parties remain the most dangerous vector for committed cybercriminals.
So, what can CISOs do about third parties when digitalization, the IoT and remote work already stretch teams to the limit? How can security teams scale to the threatscape without demanding an unsustainable level of resources? And what are today's security priorities?