Protecting the channel supply chain

Daniel Hurel, vice president, cybersecurity and next gen solutions, Westcon, discusses the importance of securing the Channel’s supply chain in an increasingly evolving threat landscape.

Criminals can get inventive when it comes to scams. In 2016 it was reported that bike thieves in London were compromising the metal stands used by cyclists to secure their bikes. It didn’t matter how strong the lock was, the thief could return later and simply take the bike.

This is the nature of security. Make a door impenetrable and a determined criminal will start looking closely at the window instead.

The same is true for businesses and their supply chain. A company with security vulnerabilities puts every organisation in the supply chain they’re connected to at risk.

In an effort to tackle this issue, the UK’s National Cyber Security Centre (NCSC) has published its guidance for medium to large-size organisations to assess the cybersecurity of their supply chain.

The guidance explains the various ways organisations are exposed to vulnerabilities and cyberattacks, expected outcomes and steps to help businesses assess their cybersecurity approach for their entire supply chain.

But the NCSC also makes clear that many businesses have become complacent about their own security. Just 13 per cent of businesses review the risks posed by their immediate suppliers, falling to seven per cent for the wider supply chain.

In the Channel it is critical that we don’t do the same — and if end user businesses are not evaluating the risk of supply chain attacks, it’s the responsibility of channel businesses to ensure they are protected.

A single cyber solution will not keep hackers at bay, so businesses need to keep evaluating risks and exploring solutions to stay one step ahead of the bad guys. Part of this is employing a multi-layered security program within your business, but it’s also about identifying where the most common points of intrusion are.

Skilled workforce

In 2022 Dark Reading reported that over half of SMEs did not offer mandatory cybersecurity training, despite the drastic increase in ransomware. Organisations can spend all the money they want on security, but if they avoid training their staff, they will remain open to exploitation.

This is especially true in the Channel, where we need to stop thinking about security as a protective wall and instead treat it as a culture that should be embraced in all areas of the business, including its people.

Phishing, for example, remains one of the top methods for intrusion, so organisations need to think of their people as a first line of defence. But this is about more than spotting untrustworthy emails.

All employees need to understand the importance of security and the role that they play in protecting the organisation’s assets, and that security is about more than just the tools the company uses.

Zero trust

Another way to improve supply chain security is by implementing strict zero trust policies. This involves taking a proactive approach to security, rather than relying on traditional perimeter-based defences.

Although from a corporate perspective any business wants to trust its employees, the zero trust approach, as its name implies, treats the entire network as untrusted and demands that the identities of users, devices, and assets are verified before granting access to sensitive resources. Employees logging in from the office are no longer seen as inherently trustworthy.

This approach is especially important in the Channel: because channel businesses work with a huge number of businesses that share data and monitor each other, the overall risk of a supply chain attack is that much larger. A hacker only needs to infect one business and suddenly they have the potential to access a network of organisations.

A zero trust approach can improve an organisation’s security posture by making it more difficult for attackers to gain a foothold within the network. As users are required to authenticate themselves before accessing certain resources, zero trust prevents attackers from moving laterally within the network and accessing sensitive data.

Endpoint protection

Finally, businesses should introduce more endpoint protection. As many companies have adopted a more distributed workforce, employees can connect their devices through insecure networks, potentially putting the business at risk.

Endpoint solutions, deployed on any device used to connect to an organisation, include a variety of tools such as firewalls, antivirus, and intrusion prevention systems.

One of the main benefits of this type of protection is that it can prevent the spread of malware and other types of cyberattacks. By protecting individual devices, endpoint protection can help to limit the impact of a potential breach and reduce the risk of data loss.

Securing threats

The Channel is an interconnected supply chain, meaning that a business on its own can only be so secure; it is vital that the partners it works with are also secured. As we’ve seen with several data breaches over the past two years, it only takes one vulnerability for the whole house of cards to fall.

Only by working with partners that maintain a high level of security can any channel business set a high standard. After all, the channel is by its nature collaborative. Only through this collaboration can we ensure that we are secure against all threats.

This article appeared in our April 2023 print issue.