Remember December 2020, when the attack on the SolarWinds network management system compromised the supply chains of more than 18 thousand organisations? It left billions of dollars in damage and is still considered one of the most significant attacks of recent years, one that has made us redefine the security of intertwined information systems. How has supply chain security developed in the last two years?
One thing is definite: we are significantly more aware of the risks that cloud solutions and long supply chains pose to our IT systems. Sensitive data that we share in close collaboration with our partners and vendors can be intercepted at every link of the supply chain. Consequently, a breach of one organisation affects all stakeholders. If you are a big player in your supply chain and invest in cyber protection, you may not be a direct target of a cyber-attack. However, attackers tend to focus on organisations where they detect weaker protection, especially at the user level. Once access to the internal network of one link in the supply chain has been gained, attackers can move along the chain and reach the target they want. It may take them several months, but eventually, they will succeed.
Although the dispersion of vendors can be beneficial in terms of availability and business continuity, it might also contribute to higher risks. The more tiers in the supply chain, the greater the possibility of a successful attack. There is a tendency – especially in manufacturing – to place more importance on local suppliers and even move manufacturing facilities into the local environment. This makes supply chains shorter and probably also less global.
However, no matter how long your supply chain is, make sure you do everything you can to minimise the risk of becoming the victim of supply chain cyber-attacks.
What are the most frequent issues in supply chain security?
When considering the risks of the supply chain, you should take into account two aspects: how do you protect your IT system, and what attitude do your suppliers have towards cybersecurity? Let us first discuss what you can do to make your supply chain as secure as possible.
Since ransomware and social engineering are still the most effective traps that users fall for, we strongly recommend investing in security awareness training for all users. Once all your users can identify and report social engineering attempts, the probability of successful social engineering will significantly decrease, and with it the possibility for hackers to move along your supply chain. Furthermore, encourage your partners and suppliers to train their users and contribute to a higher level of supply chain security. Partnering with vendors that do not take cybersecurity as seriously as you do poses an additional risk to your IT infrastructure.
Which threats are users most susceptible to?
There is a great chance that your users will get trapped by very basic topics, such as prizes, lotteries, and sweepstakes. The “being lucky and winning” card is still very profitable to play. Other common traps are business and job opportunities and free internet services. Fraud that impersonates a vendor’s “newcomers” and sends emails on their behalf can be very successful too. Remember that HRM-related email content, such as pay raises, new contracts, etc., is an effective phishing lure as well.
What are the consequences of a successful attack on a supply chain?
Some of the most common consequences of a security breach in a supply chain are intellectual property theft, personal data disclosure, and process disruption. All of these can cause significant business loss, financial damages, and non-compliance with standards and regulations, not to mention the loss of reputation when news about the attack is disclosed. This brings us to one additional aspect of supply chain attacks: in the case of an attack on one specific company, the event usually remains more or less hidden from the public eye, whereas in the case of supply chains, the more stakeholders involved, the greater the possibility that the news will go public. This is another reason why providing a high level of supply chain security makes good sense.
Top 5 best practices for supply chain security
1. Advanced security awareness program for all users
As already mentioned, employee security awareness training can significantly lower the probability of a successful social engineering attack. When planning such an awareness program, make sure to choose a solution that offers diverse simulated attack content, educational materials, and powerful reporting. Equipped with measurable data from completed campaigns, you will be able to monitor the progress made with regular campaigns. We are often asked what the best frequency for simulated attacks is, and there is no one clear answer to this question. Some companies run campaigns once a month, others once a week, some more often and some less. The main point is that you figure out the frequency that best suits your users and stick to your plan.
2. Data encryption throughout the entire supply chain
If you want to stay cyber-secure, unencrypted data should not be allowed to travel along your supply chain. End-to-end encryption means that data sent from one client to another is unreadable when intercepted unless the attacker knows the encryption key. It is highly recommended to use AES – Advanced Encryption Standard – which is also used by governments and the military and offers strong protection against decryption by anyone who does not hold the key.
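As an added illustration of the point above (this is example code written for this article, not a product or library mentioned on the page), the Go program below seals a constructed purchase order with AES-256-GCM. It shows what an interceptor on a supply chain link actually sees (random-looking bytes plus a nonce), that the recipient with the key recovers the order, and, the caveat practitioners care about, that any bit flipped in transit is rejected by the authentication tag rather than silently decrypted into a modified order. The key exchange itself is assumed to happen out of band (a key-management service or an authenticated key agreement); the sender and recipient labels are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals plaintext with AES-256-GCM under key (32 bytes).
// Wire layout: nonce (12 bytes) || ciphertext || 16-byte authentication tag.
// A fresh random nonce per message is mandatory: reusing a nonce under the
// same key breaks both confidentiality and integrity of GCM.
func Encrypt(key, plaintext, associatedData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, associatedData), nil
}

// Decrypt reverses Encrypt. Any change to the nonce, ciphertext, tag or
// associated data makes gcm.Open fail, so a tampered message is rejected
// instead of being decrypted to attacker-chosen content.
func Decrypt(key, sealed, associatedData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, associatedData)
}

// NewKey returns a random 256-bit key. In a real supply chain the key is
// provisioned through a key-management service or an authenticated key
// exchange (assumed here), never shipped alongside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample message: a purchase order between two partners.
	order := []byte("PO-1001: 500 units, ship to Warehouse 7")
	// Associated data binds the message to a context (constructed labels)
	// that is authenticated but not encrypted.
	ctx := []byte("from=acme-manufacturing;to=acme-logistics")

	sealed, _ := Encrypt(key, order, ctx)
	fmt.Printf("on the wire (%d bytes): %x\n", len(sealed), sealed)

	if plain, err := Decrypt(key, sealed, ctx); err == nil {
		fmt.Println("recipient reads:", string(plain))
	}

	// Flip one bit in transit: the recipient gets an error, not an altered order.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Decrypt(key, tampered, ctx); err != nil {
		fmt.Println("tampered message rejected:", err)
	}
}
```

The associated data is the detail worth copying: binding the sender and recipient to the ciphertext means a valid message captured on one link cannot be replayed to a different partner without failing authentication.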
3. Attack surface monitoring
At this point, we discuss the entire attack surface of the supply chain: not only your company but all stakeholders. Regular monitoring has been made possible by solutions for risk assessment and scoring, with automated tools regularly testing and monitoring changes and deviations in the supply chain. Such solutions comply with all regulations and can help you monitor the supply chain and your security. However, this service only scans the surface (what can be seen and reached from the outside) and does not dig into your internal network or the networks of your suppliers.
4. Regular security testing and risk assessment
Regular cybersecurity testing or third-party risk assessments are the best way to check the cybersecurity posture of your system in real time. The first step towards stronger cybersecurity is the implementation of solutions and good practices, and the second is testing how they work in real life. Imagine you need a suit and new shoes to meet the dress code of your job position. You order some online and put them in the wardrobe without trying them on. How do you know they fit once you need to wear them? Having solutions implemented without testing them is a problem only half solved. How often should you test and review the risks? It depends on the frequency of changes made in your IT system. The once-common practice of performing security tests once per year does not do the trick anymore. Every new zero-day vulnerability and security update introduces new security risks to your system, as do changes in system architecture, location changes, etc. The most efficient answer to these issues is automated security validation solutions that regularly check your system against all known vulnerabilities and validate your cybersecurity posture accordingly.
5. Strategic incident response planning
The question we ask ourselves in the context of cybersecurity is not whether we will get hacked but when. Therefore, you should be prepared and plan the response strategically. A spontaneous response can mitigate the most apparent risks; however, more profound tactics and procedures are required to diminish the possibility of breaches in the long run. Make sure your backup policy adequately covers a possible ransomware attack. Define which roles within your organisation are in charge of incident response and include forensic analysis in the plan. Forensics can help you identify weak points in your IT system and eliminate those weaknesses in the future.
These were some insights into the issues of supply chain cybersecurity and tips for managing them successfully. As a rule of thumb, follow the zero-trust principle: monitor, scan, test, and limit access rights to the least privilege required. Take advantage of state-of-the-art tools that can help you combat cyber-attackers and secure your assets.
SecurityScorecard Risk Rating and Supply Chain Security
SecurityScorecard is an automated solution that helps you rate and manage cybersecurity risks by continuously monitoring the attack surface.
Penetration test
A penetration test helps identify vulnerabilities and offers the foundation for ranking vulnerabilities and giving recommendations.
Pentera Automated Penetration Testing Solution
Automated penetration testing with Pentera assures daily security validation of exposed networks, users, devices and applications.