94% Of Executives Want Legal Action on Software Vendors Who Neglect Data Security: Report

essidsolutions

Cybersecurity company Venafi released a new report that found 94% of executives believe there should be clear ramifications (legal and financial) for software vendors who neglect to protect their software. The surveyed professionals showed greater concern about their vulnerability to software supply chain attacks. At the same time, the survey also found that no major steps have been taken to mitigate future supply chain attacks.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said, “Executives are right to be concerned about the impact of supply chain attacks. These attacks present serious risks to every organization that uses commercial software and are extremely difficult to defend against. To address this systemic problem, the entire technology industry needs to change the way we build and buy software.”

The pandemic transformed modern business and pushed companies to accelerate their digital transformation journey. However, this had a major impact on the supply chain industry. 2020 was a year in which global infrastructure came to a standstill due to cybersecurity gaps in the supply chain. The magnitude of supply chain attacks has increased rapidly, as demonstrated in December 2020, when Russian hackers breached the company SolarWinds and planted malicious code in its IT management tool Orion, which affected 18,000 companies, including Fortune 500 companies.

This was marked as one of the biggest supply chain attacks. A supply chain attack is an attack in which hackers infiltrate an organization’s systems through its computer hardware or software vendors. Hackers target the weakest link in a chain of trust, which often happens to be partners and suppliers. After SolarWinds, there was a significant surge in high-profile supply chain attacks, including Kaseya, Codecov, Microsoft and, more recently, Colonial Pipeline and JBS, which had financial implications for businesses. According to a new report by the European Union cybersecurity agency (ENISA), supply chain attacks are expected to grow fourfold for the rest of 2021. The takeaway from the report was that threat actors deployed malicious code in over 60% of attacks, while 20% of supply chain attacks targeted data.

Figure: How Supply Chain Attacks Happen (Source: Cisco)

“Don’t expect an end to cyber-driven supply chain disruptions any time soon. Hackers prey on targets with a large attack surface. The more open ports to exploit, open machines to corrupt, or even open humans willing to open suspicious emails, the larger the attack surface,” said Jonathan Welburn, operations researcher at RAND Corporation.

The severity of supply chain threats has become a growing concern for CISOs and IT professionals, the Venafi report suggested. 


How To Mitigate Supply Chain Attacks

Supply chain attacks have become a lucrative business model. Organizations must create a robust strategy to ensure their suppliers don’t become the weakest link of their cybersecurity plan. According to IBM’s 2020 Cost of a Data Breach report, vulnerabilities in third-party software constitute 16% of all breaches. This indicates that enterprises must focus on vetting third-party vendors to create a trusted security-aware supply chain ecosystem. Organizations must verify vendor certifications and compliance standards such as ISO 27001, PCI DSS, and HIPAA. 

Additionally, according to Venafi’s report, 69% of executives said their company had not improved third-party risk assessment. An in-depth examination of each vendor will help identify potential security risks associated with the vendors and prevent supply chain attacks. Organizations must conduct an annual third-party audit.

Bocek added, “Executives can’t treat this as just another technical problem, it’s an existential threat. C-level executives and boards need to demand that security and development teams for software vendors provide clear assurance about the security of their software.”

Strengthening supply chain security is a collaborative effort. Preventing sophisticated attacks can be difficult, but the quicker the response, the easier it becomes to mitigate the attack.

Ben Nahorney, threat intelligence analyst at Cisco, said, “Response becomes a more viable approach to defend against supply chain attacks. One way to do this is with extended detection and response (XDR) solutions. Such solutions give visibility across networks, endpoints, and applications to analyze, hunt, and remediate attacks.”

Apart from XDR solutions, Jonathan Dambrot, principal at KPMG, explained the importance of data visibility to strengthen supply chain security.

He said, “It is crucial that organizations have guardrails in place that allow them to decide who to share data with and what each permissioned party can see. Organizations should centralize workflows and data across the entire organization to increase end-to-end performance reporting, thereby increasing data visibility and transparency across the supply chain and ultimately decreasing the amount of risk.”

Apart from these best practices, the U.S. government has also taken initiatives to curb supply chain attacks. The new cybersecurity executive order issued by U.S. President Joe Biden on May 12, 2021, seeks to modernize cybersecurity defenses while protecting government networks. The executive order might change the dynamics of business between vendors and organizations.

However, to halt supply chain attacks, there is a need for zero-trust architecture in both public and private sector organizations. Organizations must assess their supply chain policies, review third-party assessments, and embrace agile technologies such as no-code automation to be equipped for inevitable disruptions.
