INTELLIGENT DATA SECURITY
If your vendor is vulnerable, so are you: Five critical steps to secure third-party cyber-risk
Following a wave of high-profile cyberattacks on major UK retailers including M&S, Co-op and Harrods, global cybersecurity consultancy S-RM and third-party risk management platform Ethixbase360 are urging companies to tighten supply chain security to avoid becoming the next headline.
1. Identify critical vendors
Begin by understanding the organisation’s third-party exposure and the impact it can have on the business. It is particularly important to identify and inventory third-party suppliers that have access to sensitive data, have access into your internal environment, provide critical software, or could significantly affect business continuity if disrupted.
2. Implement continuous monitoring
Move beyond point-in-time assessments. Use automated tools and threat intelligence to continuously monitor vendor security postures and flag emerging risks.
3. Integrate vendors into continuity plans
Validate the business continuity and disaster recovery plans adopted by your suppliers and align your own incident response and business continuity plans with them. Establish redundancies and workarounds to avoid single points of failure. Exercise disruptive scenarios with critical suppliers to improve joint recovery processes, exercise communication plans during critical events, and build muscle memory around critical decision-making.
4. Mandate security controls contractually
Include clear security obligations in supplier contracts. These should cover access controls, encryption standards, breach notification protocols and right-to-audit clauses. Include compliance with these contractual security obligations in the security posture assessment of critical third parties.
5. Secure your own perimeter
Strengthen your internal defences to limit the damage if a third party is compromised. Prioritise measures around:
• Employee training and social engineering awareness, including additional identity verification procedures to prevent impersonation of employees and of third parties with access to the environment
• Heightened security protocols for account reset or credential reminder requests
• Enhanced monitoring of third-party user activity
• Continuous identification and monitoring of the external attack surface, including new internet-facing assets and vulnerable remote access methods
Katherine Kearns, Head of Proactive Cyber Services, EMEA, at S-RM, said: “Retailers are in the crosshairs, and their suppliers are now a major point of entry. You can’t outsource risk – if your vendor is vulnerable, so are you.”
Peter Sweetbaum, CEO of Ethixbase360, added: “Retailers need a clear view of who they’re connected to and what risk those connections pose.”
WWW.INTELLIGENTCISO.COM 57