Globally, organizations across industries leverage technology to collaborate and work together. The ability to scale business, improve customer service, and remain connected at all times all seem like a dream come true. This phenomenal growth of technology allows businesses to connect with suppliers from different parts of the world and enter into agreements as if they were local. However, this increased supplier dependency also comes with its own set of concerns and vulnerabilities. Over the last few years, supply chain cybersecurity has become an important area of focus, as any weak points in the security system could severely affect the functioning and reputation of the business. Notably, supply chain attacks are growing in number. This is because a supplier with a weak cybersecurity system acts as a backdoor that can be easily penetrated. In today’s hyper-connected world, a business is considered only as secure as its most vulnerable supplier.
Understanding supply chain security
When an organization partners with a third-party supplier, it opens the system’s gates to an external entrant. This increases the chances of risk as there is a welcome entry for cybercriminals to enter. Supply chain risk is an increasing threat to organizations with a global network of suppliers. For supply chain leaders, this network creates security risks such as data breaches, malicious use of data, and ransomware attacks. The other types of supply chain risks include financial risk in the form of data leaks, brand reputation risk, business operational risk, and even social risk. Consequently, cybercriminals have been increasing their attacks on supply chains. Suppliers with lax cybersecurity measures have become easy targets as their defenses are weak to mitigate such large-scale attacks.
One of the most recent and notable supply chain attacks is the SolarWinds hack. SolarWinds is a US-based IT company that develops management software for businesses and government agencies. The attack, which took place in December 2020, allowed hackers to gain access to 18,000 Fortune 500 companies, including private companies such as Cisco, Deloitte, Intel, Microsoft, and government entities such as the State Department, Department of Homeland Security, the Department of Energy, the National Nuclear Security Administration, among others.
Impact of the SolarWinds hack
The magnitude of the attack was felt across different industries and vertically. Reportedly, nearly 20% of the affected companies were US government agencies. A single trojan backdoor affected several businesses globally. The hackers added malicious code to Orion, one of SolarWinds’ most used software services. Although the hackers gained access to close to 20,000 of SolarWinds’ clients, only under 100 downloaded the infected update, enough to multiply their attack mode. The attack took time as it was spread as an update, namely Sunburst.
FireEye, a cybersecurity company, first identified and reported it in late 2020. Once the news was out, SolarWinds released quick hotfixes to eliminate the backdoor trojan. Nonetheless, the hack had severe repercussions as the cybercriminals used the code as a backdoor to install more spyware into targeted companies. IronNet’s 2021 Cybersecurity Impact Report concluded that companies witnessed an 11% drop in annual revenue.
Best practices in supply chain security
The SolarWinds cyberattack initiated conversations across industries about the need for better supply chain security. To that end, there are five areas of focus when it comes to supply chain security concern
- Data security, mainly when data exchange happens with third-party vendors.
- Data storage while being compliant with government regulations.
- Data governance should be based on departments, teams, and users without compromising visibility.
- Data protection against fraud and thefts.
- Third-party data exposure risk.
In order to protect the supply chain, industry leaders and experts recommend the following best practices.
- Educate suppliers on the importance of cybersecurity. This includes informing them of the company policy, having an understanding of who has access to data within their team, and their investing in cybersecurity tools.
- Perform supplier audits as part of regular supplier management to ensure all third-party suppliers are up-to-date in their security compliance.
- Implement zero-trust security to streamline data access. This ensures that everyone knows who has access to what and which data is visible outside the system.
- Include cyber threat intelligence tools to monitor suppliers to evaluate and access risk exposure.
- Create a risk-based scoring system to evaluate suppliers and modify terms in case of necessity.
- Mandate penetration testing to identify security concerns. This includes updating password policies, securing networks and endpoints with firewalls, and checking configurations for backdoor access.
- Prepare incident response support to act in case of a security breach. This includes IT team support, automated alerts, and a roadmap to recovering data.
- Take advantage of the modernization of data. Tokenization and encryption of data help with data loss prevention and improve security during file access or sharing.
As the business landscape is constantly changing, there is an increasing risk across all fronts, especially the supply chain. While closing the doors to third parties is nearly impossible, organizations must focus their time and energy on strengthening their supply chain security. In light of recent events, businesses have understood the importance of cybersecurity. Cybersecurity measures can limit the vulnerabilities, thereby reducing the damage any malicious activities can have. By adopting a mindset of continuous assessment and improvement, organizations can mitigate future risks. Updating supply chain security to work cross-functionally throughout the organization will help reap the benefits of hyperconnectivity. While cyber threats cannot be completely removed, adopting supply chain security measures helps create a more secure, efficient flow of data that can recover in case of a breach.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.