Supply chains present a weak link for cybersecurity because organisations can’t always control the security measures taken by supply chain partners, warns global cybersecurity specialist Palo Alto Networks.
This can create opportunities for cybercriminals to attack an organisation by first infiltrating a supply chain partner, it says.
Therefore, organisations and their partners need to be aware of this risk and act to protect each other.
“Supply chain organisations are targeted because they often aren’t as aware of potential threats and may not have adequate resources to manage security to a high level,” said Sean Duca, vice president and chief security officer, Asia Pacific, Palo Alto Networks.
“Bad actors often start small, waiting in systems for years before striking the target organisation where it’s weak.”
Software supply chain attacks are pernicious because they violate the basic trust between software provider and consumer, says Duca.
Commercial sabotage
Hackers are dodging traditional cyber defences to compromise software and delivery processes. This lets them disrupt large numbers of systems through a single attack. Companies that use the corrupted software could fall victim to ransomware attacks, lose valuable proprietary information, and be subject to commercial sabotage.
“Organisations are increasingly interconnected and, while this provides a variety of business benefits, it also comes with security risks,” said Duca. “Cybercriminals are very aware of these connections and are using them to access networks that are otherwise well-protected.”
Duca says exposure to cyber damage is increasing due to the Internet of Things (IoT), digital buyer-seller relationships and robotic process automation.
“Businesses may have security tools and protection in place but need to ask whether their suppliers, and their suppliers’ suppliers, and so on down the value chain, have the same kind of protection.”
Palo Alto Networks recommends three key ways to secure the supply chain:
1. Review internal and external security procedures
Organisations should not only review their own internal infrastructures, but also vendors’ and partners’. While internal systems might have strong security practices for thwarting a wide range of direct attacks, third-party collaborators might not adhere to the same practices. Consequently, businesses need to thoroughly vet vendors before fully integrating them into internal infrastructures.
2. Establish written security guidelines and controls
Cybercriminals may use a supplier’s website to host malware. Where possible, organisations should require suppliers to adhere to processes and protocols that minimise the likelihood of such attacks. A written agreement should require vendors to provide timely notification of any internal security incidents as well as periodic security reports to regularly ascertain their security status.
3. Training/sharing security best practices with staff and vendors
While technology is essential, human error is still the primary source of data breaches. The recent Cyber Security Intelligence Index report by IBM revealed that 95 per cent of all security incidents involve human error, from clicking links in phishing scams to visiting malicious websites, enabling viruses and falling victim to other advanced persistent threats.
Organisations must train all staff in security best practices. Training helps people to identify potential attacks and should be constantly refreshed so people can act as the first line of defence.
“Organisations mustn’t overlook the risks posed by their supply chain when it comes to protecting company and customer information,” said Duca. “Cybercriminals will look for every vulnerability to attack an organisation so it’s essential to close every gap, down to the last link in the supply chain.”