Value Chain: Key Stages
Sourcing and Planning
Identify raw materials and processes such as yarn spinning and weaving, and components including company location, local inventory, and investment in global suppliers. Digital elements refer to tracking performance over time and responding to customer trends.
Manufacturing and Production
Data centres and physical locations for building, creating, and packaging products. Technology plays an important role at this stage, with machines and devices being connected to software, IT and Operational Technology (OT) environments.
Logistics and Distribution
Transporting goods to physical stores versus selling items through e-commerce platforms. Retailers are using Artificial Intelligence (AI) to help avoid inventory losses by managing stock levels.
Omnichannel/Virtual Environments
Client, customer, and brand engagement. Storytelling experiences through in-store and online opportunities, with immersion, virtual try-on, augmented reality, concept spaces and pop-ups driving sales. For example, the fashion value chain is heavily digitalised, making up between 30 – 40 percent of total sales. Digitalisation of the supply chain can help with the global apparel market, which is set to grow from USD$1.2 trillion in 2020 (GBP£950B) to USD$2.25 trillion (GBP£1.7B) by 2025, requiring more conscious efforts to reduce consumption; tracking inventory in supply chains helps fashion brands and retailers do this.
Aftercare and Compliance
Once a product reaches the consumer, companies must work to retain customer loyalty through personalised experiences. Compliance with regulations is also critical in reducing overproduction and ensuring sustainability goals are met. Tools like Product Lifecycle Management (PLM) are helping companies track and manage products from creation to disposal.
Vulnerabilities: Cybersecurity Threats in the Value Chain
Cybersecurity threats pose a significant risk to every stage of the value chain. Cybercriminals may target companies for financial gain, using techniques such as ransomware deployment, web skimming, or stealing customer data to fund future attacks. Competitors might also engage in industrial espionage, attempting to access valuable market insights, trends, and proprietary technologies.
Threats to Key Stages in the Value Chain
Cyber criminals may focus their attention on financial gain, motivated by stealing data from brands and customers to fund future campaigns and continue the attack chain via ransomware deployment and extortion. This can include web skimming against popular software platforms to steal PII by injecting malicious code into the checkout to extract data. Threat actors more focused on gaining competitive advantage within the industry will be motivated by understanding the shifting landscape in terms of the technologies being used to automate processes, which result in an increase in clients, revenue, and unique strategy.
In the IT sector, organised cybercrime groups remain a growing threat, targeting businesses through both digital and physical means. While cyber threats such as data breaches and ransomware attacks dominate, insider threats play a crucial role in facilitating unauthorised access to critical systems. These actors may leak proprietary software, customer databases, or intellectual property, which can be sold on the dark web or to competing firms. Economic pressures and social issues, including financial struggles and illicit activities, contribute to the increasing risk of data theft, fraud, and corporate espionage.
Sourcing and Planning - Information Theft:
Cybercriminals may target businesses to steal information related to trends, materials, and technologies through insider threats or cloud vulnerabilities. This data can be used to replicate designs or undercut the company’s competitive advantage. Threat actors at this stage could also try to access data stored within cloud environments through misconfiguration of tooling, or tamper with AI/ML systems through data poisoning, getting systems to reveal sensitive information in order to gain an understanding of the company.
Manufacturing and Production - Physical Damage:
Manufacturing and production are prone to different types of cyber threats, such as machine software being exploited to take over systems, access data and possibly deploy ransomware. Insiders can cause physical damage to property or steal valuable data and hand it over to competitors. At this stage, connected devices between IT/OT environments and facilities could be targeted through software vulnerabilities. Many run on old legacy systems that do not receive updates and patches from trusted security vendors and are therefore prone to the risk of being intercepted, possibly through ransomware. If we look at motivations, cyber criminals can be motivated by financial gain and theft of sensitive information, carried out by exploiting vulnerabilities in legacy systems (SCADA, ICS, ERP, CRM) and completely disrupting operations. The machines and devices are all connected, which allows employees to track progress, load shipping containers with the products, and then hand over to outbound logistics to get them into the next phase, which is in the hands of the consumer at a retail commercial level. If this is stopped and manual processes are the only way to fulfil orders, a backlog builds across the supply chain for suppliers, clients, and consumers. Depending on the data held at this point, such as customer purchasing history and addresses, suppliers could also be targeted for purchasing scams through fake supplier invoices.
Logistics and Distribution - Intercept Transportation:
Rogue employees stealing from the back of shipping lorries is an issue in retail and fashion. RFID tags can be used to monitor clothing and goods but can also be intercepted along the way through software. Suppliers can be targeted through business email compromise (impersonation) to redirect inventory to an attacker-controlled environment. RFID tags help combat theft and fraud by encrypting data transmitted and stored. Authentication processes verify the identity and validity of the tags, preventing counterfeits from entering inventory systems, using passwords, challenge-response protocols and digital signatures or biometrics. Tags can be locked to protect them, making serial numbers or manufacturer information read-only. However, threat actors can write information to a blank tag or modify data in a writable basic tag to gain access and validate product authenticity.
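The difference between a serial-only check and the challenge-response authentication described above, as an added sketch that is not part of the original article. It uses a symmetric HMAC scheme with per-tag keys derived from a backend master key; the `Tag` class, the serials and the key-derivation step are all assumptions made for illustration.

```python
import hashlib, hmac, secrets
from typing import Optional

MASTER_KEY = secrets.token_bytes(32)        # constructed; would live in a backend KMS/HSM
INVENTORY = {"SKU-0001-A", "SKU-0002-B"}    # constructed serial numbers

def tag_key(serial: str) -> bytes:
    """Per-tag secret derived from the master key (assumed key-diversification step)."""
    return hmac.new(MASTER_KEY, serial.encode(), hashlib.sha256).digest()

def mac(key: bytes, serial: str, challenge: bytes) -> bytes:
    return hmac.new(key, serial.encode() + challenge, hashlib.sha256).digest()

class Tag:
    """Simulated tag: a locked (read-only) serial plus a secret that is never read out."""
    def __init__(self, serial: str, key: Optional[bytes]):
        self.serial, self._key = serial, key

    def respond(self, challenge: bytes) -> bytes:
        if self._key is None:               # blank tag that only carries a copied serial
            return bytes(32)
        return mac(self._key, self.serial, challenge)

def static_check(tag: Tag) -> bool:
    """Weak check: trusts whatever serial the tag reports."""
    return tag.serial in INVENTORY

def new_challenge() -> bytes:
    return secrets.token_bytes(16)          # fresh nonce for every read

def verify(serial: str, challenge: bytes, response: bytes) -> bool:
    """Strong check: the tag must prove knowledge of its key for this challenge."""
    if serial not in INVENTORY:
        return False
    expected = mac(tag_key(serial), serial, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    genuine = Tag("SKU-0001-A", tag_key("SKU-0001-A"))
    copied = Tag("SKU-0001-A", None)
    c = new_challenge()
    print("static check  genuine/copied:", static_check(genuine), static_check(copied))
    print("challenge-response genuine  :", verify(genuine.serial, c, genuine.respond(c)))
    print("challenge-response copied   :", verify(copied.serial, c, copied.respond(c)))
```

A response recorded from one read does not verify against a later challenge, which is why the reader must generate a new nonce each time.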
Omnichannel/Virtual Environments - Point-of-Sale targeting:
E-commerce is often targeted by Magecart malware. Ransomware and DDoS can be used to stop websites from functioning through software vulnerabilities in third-party tools. Virtual environments are susceptible to ‘metaverse man-in-the-middle’ attacks by insiders spying on conversations. There are added risks associated with transactions stored on blockchain and with NFT security, including data privacy.
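One way a store can watch for the checkout code injection described above is to audit every script on the checkout page against an approved inventory. This is an added example, not from the original article; the hostnames, the page markup and the approved inline hash set are constructed for illustration.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"                 # hypothetical store origin
THIRD_PARTY_OK = {"cdn.payments.example"}    # hypothetical approved vendor host

def sri(body: str) -> str:                   # digest format used by SRI and CSP hashes
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode()).digest()).decode()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})
        elif tag == "script":
            self._inline = []                # start buffering an inline script body
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.scripts.append({"inline": "".join(self._inline).strip()})
            self._inline = None

def audit(html: str, approved_inline: set) -> list:
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if "src" in s:
            host = urlparse(s["src"]).hostname or FIRST_PARTY   # relative URL = first party
            if host != FIRST_PARTY and host not in THIRD_PARTY_OK:
                findings.append(("unapproved-host", s["src"]))
            elif host in THIRD_PARTY_OK and not s["integrity"]:  # presence only, not the digest
                findings.append(("missing-sri", s["src"]))
        elif sri(s["inline"]) not in approved_inline:
            findings.append(("unapproved-inline", s["inline"][:40]))
    return findings

# Constructed checkout markup: two scripts are expected, three should be flagged.
CHECKOUT_HTML = """<script src="/static/cart.js"></script>
<script src="https://cdn.payments.example/v3/pay.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cdn.payments.example/v3/fraud.js"></script>
<script src="https://static-analytics.example/c.js"></script>
<script>initCheckout();</script>
<script>unreviewedInline();</script>"""
FINDINGS = audit(CHECKOUT_HTML, {sri("initCheckout();")})
```

Run on a schedule against the rendered checkout page, a change in the findings list is the signal to investigate; the same inventory can be enforced in the browser with a Content-Security-Policy.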
Virtual reality (VR) and augmented reality (AR) continue to advance, and we can expect more immersive and interactive fashion experiences. This can include digital fitting rooms where you can try on clothes, or AR filters where you can see how a garment looks on you in real life. Digital fashion could lead to a more sustainable industry by creating digital samples instead of physical ones. Designers can reduce waste and lower environmental impacts. Digital clothing does not require physical resources to produce and could lead to reducing the fashion industry’s carbon footprint.
In the metaverse, ‘man-in-the-room’ cyber-attacks put users at risk and involve eavesdropping by insiders, leaking key information to competitors. Other risks include real-time social engineering, with users unknown to each other acting anonymously when interacting, creating opportunities for manipulation. AI detection systems are being used in the metaverse to spot these signs; however, not all occurrences are being captured, requiring further security. Data privacy is also a concern, with AI systems and the metaverse holding substantial sensitive personal information.
Virtual policing and regulations are not present. Interpol ‘digital twin’ for law enforcement – The Mayor's office in South Korea plans to police in Singapore through the largest digital twin company, VIZZIO. The platform will also offer immersive training activities for various policing work, including forensic investigations, travel document verification and passenger screening, and will let their trainees try their hand at a virtual border checkpoint.
There are growing concerns with intellectual property (IP), as many brands want to understand who has ownership of data, and how it is being used in virtual environments. Currently, there is no ownership inside web3 and little governance, with future initiatives alluding to blockchain for tracking garment lifecycle, geotagging for identifying IP location, in return for discounts offered by brands through loyalty of customers sharing their data, and tokenisation of assets through multi-brand-user acquisition.
Security researchers are equally concerned about the rise of third-party software providers offering tools such as AI but lacking policies surrounding who has access to the organisation's data and whether this leaves room for exploitation. The decentralised nature of web3 increases risks of exposing sensitive information. At the same time, this makes navigating the cyber security threat landscape in web3 particularly challenging. Risks involving the metaverse and AI include paying for services such as voice and facial feature cloning for identity theft, hijacking of video recordings using avatars, or buying access on dark web forums. Geotagging involves physical locations meeting virtual assets, and it is already being used to attach geographic coordinates to NFTs within the art community, such as images and websites. Cyber incidents already reported show hackers have been able to get inside NFT accounts and transfer funds to their own environments as part of money laundering operations, while geotagging could potentially expose information about a person, making it easier for cyber criminals to gather data and use it in future campaigns.
Aftercare and Compliance - Keeping the Door Open:
Building trust and reputation as a brand is effective but may incur costs for customers and clients if breached. Long-standing brands, start-ups and customers equally need to remain cautious of information publicly shared on social media, because you never know who is watching...
Final Thoughts and Recommendations for Consumers and Brands
If you would like to discuss any of these topics in more detail, please feel free to get in touch.