The supply chain is an appealing target for cybercriminals. That’s because carrying out an attack on a vendor that serves dozens to thousands of companies is a highly effective way to ensure malware or another type of attack spreads as far — and as fast — as possible.
Supply chain security isn’t top of mind for every company today, yet businesses are taking steps towards interoperability and improving visibility to strengthen their supply chain strategies and improve resilience. These activities, such as implementing fully integrated ERP systems or customer relationship management (CRM) systems, aggregate valuable data in a central location, which has significant benefits for productivity, profitability, and more. However, without adequate security measures, they also can increase supply chain risk.
If you visit leading supply chain blogs, you’re certain to encounter articles warning of the risk of supply chain attacks. While awareness is growing of the need to adequately protect the supply chain, most organizations focus on what they can control: their own networks, applications, and endpoints.
As companies realize the potential threats in the supply chain and take steps to prevent attacks, there are many elements that are often overlooked, such as using supply chain analytics to identify risks, performing due diligence when contracting with vendors, the threat to software developers (particularly those that rely on open-source software or libraries), a lack of visibility into the full network of software components the company has in use, and more.
To help you develop a robust security posture that protects your company’s sensitive data not only in your own network but across the supply chain, we reached out to a panel of supply chain, IT, and cybersecurity professionals and asked them to answer this question:
“What’s the most overlooked element of preventing a supply chain attack?”
Meet our panel of Supply Chain, IT, and Cybersecurity Professionals:
Read on to learn what our panel had to say about the crucial elements of preventing supply chain attacks that you might be overlooking.
Ryan R. Johnson, Esq.
Ryan Johnson, Esq. CIPP, CIPM is a data privacy and cybersecurity attorney.
“One of the most overlooked elements of supply chain risk is simply performing adequate due diligence when selecting, onboarding, and assessing supply chain vendors. Ideally, vendors should be tiered based on the level of access, the threat posed, and the severity of the compromise.
Vendors should be assessed on an annual basis and removed if they fail to meet minimum basic information security requirements. Unfortunately, the loss of business is the number one driver or motivator of beefed-up security efforts.”
Pete Morgan is the CSO of Phylum.
“The most overlooked element of a software supply chain attack is that these incidents are highly targeted at software developers.
In fact, developers are the new high-value targets of cybersecurity attacks. The bad actors who orchestrate software supply chain attacks know how developers work and focus on weak links where they can gain access to a developer’s credentials.
For example, they know that developers rely on open-source software to help them speed up the development of new software products. They know that by focusing their attacks on developers, they can get their hands on high-value assets such as cloud access keys, SSH keys, signing keys, and other secrets. These keys often live for long periods of time, meaning an undetected compromise allows attackers plenty of access and time to plan out the next stages carefully.
There are a number of blind spots to exploit because the software supply chain is a constantly changing concept. Open-source packages are used in 85 percent to 95 percent of applications and are created and maintained by strangers on the internet. Developers use these packages without oversight or control by the security team. It’s a perfect storm, and it’s growing by the day.”
Nathaniel Cole is a Chief Information Security Officer with 15 years of experience building and running modern security programs. He writes a cybersecurity advice column for business leaders at NetworkAssured.com.
“The most overlooked element of supply chain security is related to software dependencies. Many companies are focused on the business’s security controls, certifications, and processes, which all help to secure the company. But how many companies actually understand all of the software components that they have in use? In my experience, the answer is: not very many.
This is becoming a common attack vector as we move into 2023, as evidenced by the multiple recent attacks where data-stealing malware has been embedded into PyPI.”
Miclain is an IT Cybersecurity leader who went on to co-found his own company, West Tennessee Consulting, with his father and CEO Charlie Keffeler.
“Supply chain attacks are complex to pull off, but simple to prevent. SCA, or Software Composition Analysis, is a simple process used to detect publicly disclosed vulnerabilities contained within a project’s dependencies and the dependencies’ dependencies. This is the most overlooked element of preventing supply chain attacks.
Often referred to as sub-dependencies, these are situations such as when a library that you are using relies on other libraries to do its job. Especially in the open source world, this is where the rubber meets the road.
Oftentimes attackers will introduce a new dependency in these commonly used libraries and then infect that dependency, either because they own it or it’s also open source and they can contribute code to it themselves. Not all projects implement the same security standards, so they could easily not realize what happened or why.
This also plays out with vendors. For example, if you didn’t know any better, you would think West Tennessee Consulting could be vulnerable to this. We help clients with software projects, both on-premises and in the cloud. Clients could hire us, and we could develop code to solve their problems and unwittingly introduce a backdoor or a vulnerable dependency into our client’s environment.
How would you know this happened? Likely not until it was too late. This is why it’s so important to follow common security practices like SCA and more. When WTC does a project, SCA is actually only one small part of all the security standards that must be met before code is delivered to one of our clients. But this isn’t standard, which is part of the reason supply chain attacks are common, and it can cause real harm as you read on the news all too often.”
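The sub-dependency problem described above, worked as an added example (not code from the original post or from West Tennessee Consulting): a lockfile-style dependency graph is resolved transitively, every resolved package is matched against an advisory list, and two lockfiles are diffed to surface dependencies that newly appeared deep in the tree after a routine upgrade. All package names, versions and advisory identifiers are constructed for illustration.

```python
"""Transitive dependency audit (software composition analysis).

Added example; not code from the original post or from West Tennessee
Consulting. All package names, versions and advisory identifiers below are
constructed for illustration.
"""

# Constructed lockfile: package -> (pinned version, direct dependencies)
LOCKFILE_OLD = {
    "webapp": ("1.0.0", ["http-client", "templating"]),
    "http-client": ("2.3.0", ["url-parse"]),
    "templating": ("0.9.0", ["escape-html"]),
    "url-parse": ("1.4.2", []),
    "escape-html": ("1.0.3", []),
}

# Same project after a routine upgrade of http-client, which now pulls in
# a new sub-dependency chain (compress -> buffer-util).
LOCKFILE_NEW = {
    "webapp": ("1.0.0", ["http-client", "templating"]),
    "http-client": ("2.3.1", ["url-parse", "compress"]),
    "templating": ("0.9.0", ["escape-html"]),
    "url-parse": ("1.4.2", []),
    "compress": ("3.0.0", ["buffer-util"]),
    "buffer-util": ("1.1.0", []),
    "escape-html": ("1.0.3", []),
}

# Constructed advisories: package -> [(first affected, first fixed, advisory id)]
ADVISORIES = {
    "buffer-util": [((1, 0, 0), (1, 2, 0), "EXAMPLE-ADV-001")],
    "url-parse": [((1, 0, 0), (1, 4, 0), "EXAMPLE-ADV-002")],  # fixed before 1.4.2
}


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so ranges compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def resolve_tree(root, lockfile):
    """Map every transitive dependency of root to (version, path from root).

    Iterative walk with a visited set, so a dependency cycle cannot loop forever.
    """
    resolved = {}
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        if name in resolved:
            continue
        if name not in lockfile:
            raise KeyError(f"{name} is required by {' -> '.join(path[:-1])} but is not pinned")
        version, deps = lockfile[name]
        resolved[name] = (version, path)
        stack.extend((dep, path + [dep]) for dep in deps if dep not in resolved)
    return resolved


def find_vulnerable(root, lockfile, advisories=ADVISORIES):
    """List resolved packages whose pinned version falls inside an advisory range."""
    findings = []
    for name, (version, path) in resolve_tree(root, lockfile).items():
        v = parse_version(version)
        for first_affected, first_fixed, advisory in advisories.get(name, []):
            if first_affected <= v < first_fixed:
                findings.append({
                    "package": name,
                    "version": version,
                    "advisory": advisory,
                    "path": " -> ".join(path),
                    "depth": len(path) - 1,  # 1 = direct dependency
                })
    return sorted(findings, key=lambda f: f["path"])


def new_dependencies(root, old_lockfile, new_lockfile):
    """Packages present in the new tree but absent from the old one.

    A sub-dependency that appears after a routine upgrade deserves review before
    it is trusted, which is the scenario the text describes.
    """
    before = resolve_tree(root, old_lockfile)
    after = resolve_tree(root, new_lockfile)
    return {name: " -> ".join(after[name][1]) for name in sorted(set(after) - set(before))}


if __name__ == "__main__":
    for f in find_vulnerable("webapp", LOCKFILE_NEW):
        print(f"{f['advisory']}: {f['package']} {f['version']} via {f['path']}")
    for name, path in new_dependencies("webapp", LOCKFILE_OLD, LOCKFILE_NEW).items():
        print(f"new since last lock: {name} via {path}")
```

The advisory on url-parse is deliberately one whose fix predates the pinned version, so the range check must not flag it; the only finding is the four-levels-deep buffer-util that no direct-dependency review would have seen.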
Braden Perry, a former federal enforcement attorney and CCO of a financial firm, is a regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry, LLC.
“I work with a number of vendors on data breaches. When it comes to breaches in vendor-heavy industries, there are threats not only from insiders but significantly from outsiders as well. Generally, there’s more of a threat by rogue insiders.
There’s not much, besides compartmentalization and monitoring, you can do if an insider wants to reach data. For outsiders, including vendors, most attacks compromise legitimate websites to deliver malicious payloads which can then reach data. This can usually be prevented.
While no single strategy fits all, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical: having a communications method for response, actively monitoring centralized hosts and networks, and including enhanced monitoring to detect known security events is a must. With a well-oiled cyber policy, you can mitigate outsiders significantly.
Specifically for supply chains, it is critical to monitor and review your vendors and to mitigate any excess entry points into the system. Target and Home Depot are high-profile examples of supply chain monitoring gone wrong.
Following critical data and the data stream can identify areas where more monitoring is required and can also minimize undetected intrusions. While it is impossible to prevent all intrusions, having a cyber policy that identifies weaknesses within the supply chain and enhancing security/monitoring will lessen the risk of landing on the ever-increasing list of companies breached.
Also, I’m seeing increased understanding and engagement at the top management and board levels. Traditionally, IT was not understood, and management would not understand the role and responsibility of IT departments. Now, you must have board and/or top management engagement. The main pain point from IT is the need for the latest resources to keep a company safe. Many companies don’t upgrade their information security systems enough, and the technology to breach critical systems is advancing much faster than companies’ security.
The Board must understand the issues and the potential harm to a company if a breach occurs (see Walmart, Home Depot, Yahoo, etc.). Having a sophisticated Board, not only for business but in today’s cyber and IT security, is a must to understand the issues and protect the company from these types of harm.
Translating an understanding of the importance of a proactive IT security policy, and feeling like the company is on board with IT security efforts are also crucial. Many companies have very robust policies and procedures for their business processes, which sophisticated Board members can understand. IT is different. It’s a different language for a business person, and unfortunately, most Board members will ignore or defer on issues they don’t understand. So when an IT department presents a robust plan for proactive IT security, it may go ignored or disregarded. This can lead to a reactive plan only that focuses on the when as opposed to prevention.
As mentioned above, IT is a different language. It’s becoming more important, and almost imperative, that a Board has an experienced IT/cybersecurity liaison to be the go-between and translate the IT language into business language and vice versa. More often the Board simply doesn’t understand an issue.
When I am engaged to investigate and report, it ordinarily is an issue that could have been resolved without outside counsel, but a lack of clear communication between IT and the Board stymied that understanding. It’s imperative in most companies to have a Board member knowledgeable in the area who can understand and communicate issues related to IT security and have a voice in an area that most board members don’t understand.”
Kimberly DeCarrera is a seasoned attorney, serving as Outside General Counsel to a variety of companies, including those in the supply chain, from manufacturers to distributors to logistics to retailers.
“The most overlooked element in preventing a cyber attack on the supply chain is the human element. Most attacks are going to involve some sort of human intervention — from clicking on a phishing email all the way to intentional acts.
Most plans target the technology because that’s what we automatically think: upgrades, patches, firewalls, etc. But we cannot ignore the risk from the people that use the systems. They must be trained in identifying the threats to the system. And systems must be put in place to identify and prevent intentional bad acts — from termination procedures to auditing access logs.”
Harmandeep Singh is the Director at Cyphere, a cybersecurity services company helping customers protect their most prized assets across the UK and the US.
“The most overlooked element of preventing a supply chain attack is the implementation of secure protocols and procedures to ensure that all data is properly protected.
This includes the use of encryption, access control, secure authentication, and secure server configurations. Additionally, organizations should regularly monitor their supply chain partners for any suspicious activity and ensure that their networks and systems are regularly updated with the latest security patches.”
Isla is an entrepreneur and a Cybersecurity Specialist with a background in ethical hacking at PrivacyAustralia.net.
“The most overlooked element of preventing a supply chain attack is the failure to manage access.
Most businesses tend to neglect the importance of having secure privileged access management in place. Once a defense has been breached, cyber attackers will move laterally throughout the ecosystem. They will do so in search of privileged accounts.
These accounts, in particular, are targeted as they are the sole accounts that can access sensitive data. This is a predictable course of action cyber attackers are expected to take and is known as the Privileged Pathway. This is why secure privileged access management is critical to a supply chain’s safety.”
Simonas Steponaitis is a Marketing Manager at DoFasting, a personalized intermittent fasting app.
“The most overlooked element of preventing a supply chain attack is third-party vendor risk management. Third-party vendors are a critical component of many organizations’ supply chains, and they can introduce significant security risks if not properly managed.
Organizations should conduct regular risk assessments of their third-party vendors and establish security controls to mitigate the risk of a supply chain attack. This may include background checks, security certifications, and regular security audits.
Organizations should also establish clear communication channels with their vendors to quickly identify and respond to potential security incidents.”
Joanne King is the Company Director at ICMP.
“The most overlooked element of preventing a supply chain attack is end-of-life management, which refers to the process of securely disposing of products and services that are no longer needed. This includes products and services that are no longer in use, as well as those that have reached the end of their useful life.
Organizations should establish clear processes for decommissioning and disposing of these products and services, including wiping data from storage devices, securely destroying physical components, and disposing of electronic waste in an environmentally responsible manner.”
Kyle MacDonald is the Director of Operations at Force by Mojio.
“One of the hardest parts of preventing supply chain attacks is detecting them before they rise to the level of a crisis. This is where honeytokens come in. These are essentially fake points of access or pieces of data that are designed to be found by hackers — who will reveal their presence by going after them. This can alert you to potential vulnerabilities right away and allow you to take effective countermeasures.”
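The honeytoken idea above, as an added example (not code from the original post or from Force by Mojio): decoy credentials are registered with where they were planted, audit log lines are scanned for any use of them, and hits are grouped by source host. The registry, log format and every value below are constructed for illustration.

```python
"""Honeytoken detection over audit log lines.

Added example, not code from the original post or from Force by Mojio. A
honeytoken is a decoy credential or record that no legitimate workflow ever
uses, so any use of it is a high-confidence signal. The registry, log format
and all values below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    kind: str       # what the decoy pretends to be
    value: str      # the identifier exactly as it would show up in logs
    placed_in: str  # where it was planted, so triage knows what was touched


# Constructed registry of planted decoys (every value here is fake).
HONEYTOKENS = [
    Honeytoken("api_token", "htk_7f3e2a9c0d1b", "vendor-portal shared config"),
    Honeytoken("db_account", "svc_backup_ro", "build-server .env file"),
]

# Constructed log format: "<timestamp> <source_ip> <actor> <action> <resource> <result>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<actor>\S+) (?P<action>\S+) "
    r"(?P<resource>\S+) (?P<result>\S+)$"
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(lines, honeytokens=HONEYTOKENS):
    """Return one alert per log line that touches a honeytoken.

    Failed attempts count too: a decoy credential being tried at all is the
    signal, whether or not the attempt succeeded.
    """
    by_value = {t.value: t for t in honeytokens}
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed line; a real pipeline would count these
        for field in ("actor", "resource"):
            token = by_value.get(event[field])
            if token is not None:
                alerts.append({
                    "ts": event["ts"],
                    "src": event["src"],
                    "kind": token.kind,
                    "placed_in": token.placed_in,
                    "action": event["action"],
                    "result": event["result"],
                })
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source address so one probing host shows up as one incident."""
    summary = defaultdict(lambda: {"count": 0, "placed_in": set()})
    for a in alerts:
        summary[a["src"]]["count"] += 1
        summary[a["src"]]["placed_in"].add(a["placed_in"])
    return {src: {"count": v["count"], "placed_in": sorted(v["placed_in"])}
            for src, v in summary.items()}


# Constructed sample log: ordinary activity plus two decoy touches from one host.
SAMPLE_LOG = [
    "2023-03-01T10:00:00Z 10.0.0.5 alice login portal success",
    "2023-03-01T10:02:13Z 203.0.113.7 svc_backup_ro login db-primary failure",
    "2023-03-01T10:02:40Z 203.0.113.7 bob read htk_7f3e2a9c0d1b success",
    "2023-03-01T10:05:00Z 10.0.0.9 carol read invoices.csv success",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    alerts = scan_log(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT {a['ts']} from {a['src']}: {a['kind']} planted in "
              f"'{a['placed_in']}' used via {a['action']} ({a['result']})")
    print(summarize_by_source(alerts))
```

Both decoys fire from the same source even though one attempt failed, which is exactly the early signal the text describes: the attacker reveals themselves by reaching for bait before any real asset is touched.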
Mr. Dumi has been with eMazzanti for 14 years, previously serving as Senior Network Architect and Team Lead. He holds numerous certifications including ITIL IT Service Management, PCI-QIR, WatchGuard Certified System Professional, Lean Six Sigma, and several Microsoft Professional certifications.
“The most overlooked element of preventing a supply chain attack is verifying supply chain email security training. Email remains the primary attack method for cybercriminals. Business leaders must build essential cybersecurity awareness with regular security training for employees and ensure that it’s also done for supply chain employees.
In the supply chain, everyone plays a significant role in cybersecurity. Make sure that your vendors’ employees receive the necessary email security training and tools to take responsibility for securing their systems. If hackers gain access to your vendors’ systems through email or another form of social engineering, they can use that as a bridge into your network.
Continuous training over time is the best way to get people to understand the concepts of email security while also reminding them of older, more common risks, and newly emerging risks. Leaders who combine that with top-notch email security technology have an effective email security program.”
Brenton is the Founder of Twibi.
“The most overlooked element of preventing a supply chain attack is often the human factor.
Many organizations focus on securing their technology systems and fail to address the risks posed by their vendors or contractors who have access to their systems. Supply chain attacks often occur due to a lack of proper security protocols and awareness within a vendor’s organization.
For example, a vendor’s employee could inadvertently introduce malware into an organization’s systems by clicking on a malicious link or downloading a file.
To prevent supply chain attacks, it’s essential to have a comprehensive security strategy that includes training and awareness programs for both employees and vendors, as well as implementing strict access controls and monitoring mechanisms.”
Omer Usanmaz is the CEO and Co-Founder of Qooper. They enable companies to run mentorship, coaching, and training programs with best practices, software solutions, and analytics.
“The most overlooked element of preventing a supply chain attack is the deficiency of a cybersecurity culture in businesses. Organizations need strong cybersecurity cultures because of the prevalence of cloud computing, remote work opportunities, and digital transformation projects.
Employees should be encouraged to regularly contribute to its improvement in order to create a strong line of defense against hacker attacks or data breaches. Every organization should provide security awareness training to teach staff cybersecurity fundamentals including identifying dangers and avoiding them as well as the importance of destroying passwords. Employees may use corporate technology with trust as a result, and cybersecurity readiness is promoted.”
Maksym Babych is an MBA Ph.D. candidate and the CEO at SpdLoad, an MVP development company for startups.
“One of the most overlooked elements of preventing a supply chain attack is conducting thorough due diligence on third-party vendors and suppliers, including evaluating their security practices and policies.
Many organizations rely on third-party vendors for various services and products, and a supply chain attack can occur when a vulnerability in a vendor’s system is exploited to gain access to the target organization’s network.
Therefore, it’s crucial to vet vendors and suppliers thoroughly and regularly, as well as monitor their security practices and compliance with industry standards.”
Matt Kerr is the CEO and Founder of Applianced Geeked.
“This ingredient is astonishingly easy. Businesses, particularly small and medium-sized enterprises, neglect developing cybersecurity policies and procedures. A successful cybersecurity program integrates people, processes, and technology. Most firms overlook the first two and instead concentrate on technology such as firewalls, multi-factor authentication, and encryption.
However, the majority of successful cyber breaches are the result of human error. These phishing, social engineering, and credential compromise schemes culminate in business email compromise (fraud) or ransomware. The most effective method of prevention is to develop and implement effective policies (clearly defined expectations and norms) and processes.
While technology is vital, employees make mistakes, and organizations are jeopardized without managerial assistance and training.”
Eric Strickler is the Founder and CEO of PCRx Inc., a Managed Services Provider in Virginia.
“One of the more overlooked areas of supply chain injections and attacks is the implementation of stolen certs.
Large managed services providers and corporate IT professionals depend on automated tasks and patching to secure endpoints in the production environment. We tend to rely on big names like Intel to keep their releases clean and secure. However, in recent years we see an increasing number of compromises using stolen certs from these manufacturers to provide ‘signed’ drivers containing and deploying malware.”
Leo is the CEO and Co-founder at Cubo.
“The most overlooked element of preventing a supply chain attack is assessing hardware and software components. Hardware and software components are critical components of your organization’s supply chain, and any vulnerabilities in these components can create security risks. To mitigate these risks, you should perform a comprehensive assessment of all hardware and software components involved in the supply chain.
The assessment should include identifying any known vulnerabilities, reviewing patch management processes, and ensuring that all components are up-to-date and secure. You should also establish procedures for conducting regular security audits and penetration testing to identify any potential security gaps.”
Sean Stevens is the Director of ImmerseEducation. They empower motivated students from around the world with the knowledge and skills to succeed in their future by learning directly from experts in immersive environments.
“Adopt a comprehensive strategy to protect your network. In order to effectively counteract internet-based attacks, they must be halted in their tracks at the user’s terminal. If you want to protect your supply chain from assaults, you must take steps to secure these touchpoints.
A managed detection and response (MDR) solution and an efficient endpoint detection and response (EDR) system are two options for keeping an eye on potentially harmful activity in the network. By dividing your network into smaller, more manageable pieces, you can prevent hackers from spreading laterally across your system and gaining access to more sensitive information.”
Michael Hess is the eCommerce Strategy Lead at Code Signing Store.
“Create a disaster recovery/incident response (IR) strategy. Although putting up an IR can feel like an insurmountable task, it need not be so hard. Thank goodness, there are pre-existing frameworks from which a company can choose the best option for itself.
Check out NIST’s (National Institute of Standards and Technology) incident handling guide if you’re at a loss for a foundational document to work from. When something goes wrong, make sure you notify your stakeholders and consumers as soon as possible so that you may take the necessary measures to fix the situation.”
Brad Anderson is the Executive Director of FRUITION, with 20 years of winning at digital.
“Do due diligence on any and all outside vendors. It’s not always easy to build trust online. After all, a foolproof method does not exist — either domestically or globally — to determine whether or not a given seller can be trusted. There are, however, measures you may take to guarantee the highest level of safety for your vendors.
Come up with a set of criteria for evaluation that will be used to judge all vendors equally.
Each vendor should be able to provide a high-level overview of the security measures it has put in place and the measures taken to ensure the security of each individual piece of software or hardware.
See how the Consortium for Information and Software Quality, an organization working to establish standards for software reliability, is progressing. In the future, these criteria could help your organization decide which vendors to work with.”
Joe Troyer is the CEO & Head of Growth of DigitalTriggers.
“Keep an eye out for new updates. You do know that updating your program will fix bugs and make it better, right? It’s not the case every time. Malware can be automatically installed in some supply chain attacks because they are linked to software upgrades. Because software upgrades are so difficult to monitor for malware, this is one of the trickier hacks to detect.
If even Microsoft overlooked the SolarWinds update’s malicious code, it’s likely you will too. Have you considered not updating your software? In a word, no. Software without the latest patches is especially susceptible to zero-day exploits. When compared to up-to-date software, this greatly increases the risk. Making sure your providers have proper code verification techniques in place is the best way to stop supply chain attacks via software updates.”
Jamie Irwin is a Digital Marketing Expert at TutorCruncher — one platform to manage and grow your tutoring business.
“Zero Trust Architecture (ZTA) is, in my view, the most underappreciated factor in thwarting a supply chain attack. All network activity is treated as potentially harmful in a Zero Trust Architecture. Each request to connect must first comply with a long range of policies before any data containing intellectual property can be accessed.
The Policy Engine uses the Trust Algorithm’s guidelines to determine if a packet should be allowed over the network. In either case, the Policy Administrator will let the Policy Enforcement Point know what the Policy Engine decided. If a request is denied or granted by the Policy Engine, it is the Policy Enforcement Point’s job to make the ultimate call.”
Alex Contes is the Co-Founder & SaaS Expert of ReviewGrower.
“The data leak is the most underappreciated factor in stopping a supply chain attack. Assuming a breach has already occurred encourages one to adopt a Zero Trust Architecture.
An organization adopts an Assume Breach approach if it believes a data breach is inevitable rather than merely possible. This mental adjustment is what’s needed to implement active cyber protection techniques across all weak points in an organization’s network.”
Jeremy Cai is the business founder and CEO of Italic — a contemporary brand that uses the same manufacturers as traditional luxury brands but with a direct-from-factory model to deliver exceptional quality for unparalleled value.
“The most overlooked elements of preventing a supply chain attack are:
One of the most significant risks associated with supply chain attacks is third-party vendors. These vendors may have vulnerabilities in their systems or may be targeted by hackers looking to exploit these vulnerabilities.
To prevent these attacks, it is important to have a comprehensive vendor management program in place. This program should include regular assessments of vendor security, including vulnerability scans and penetration testing. It is also important to have clear policies in place for handling vendor security incidents, such as reporting requirements and incident response procedures.
Another often overlooked element of preventing supply chain attacks is employee education. Many attacks are successful because employees are not aware of the risks associated with their actions, such as clicking on a malicious link or downloading an infected attachment. By educating employees about the risks of supply chain attacks and providing them with training on how to identify and avoid these risks, companies can significantly reduce the likelihood of a successful attack.
In addition to these two elements, it is also important to have a comprehensive security program in place that includes regular vulnerability assessments, incident response procedures, and a strong security culture throughout the organization.
Supply chain attacks are a growing threat to businesses of all sizes, but with the right approach, they can be effectively mitigated. As a business owner, it is important to be proactive in identifying and addressing potential vulnerabilities in your supply chain to protect your business and your customers.”
Rahul Vij is the CEO of WebSpero Solutions, a digital marketing agency.
“The most overlooked element of preventing a supply chain attack is often the security of third-party vendors and partners.
Many organizations rely on third-party vendors and partners for various services, including marketing, web development, and hosting. These vendors and partners often have access to sensitive data and systems, which can be compromised if their security measures are not up to par.
To prevent a supply chain attack, it is essential to thoroughly vet all third-party vendors and partners and ensure that they have adequate security measures in place. This includes conducting regular security assessments, monitoring vendor and partner activity, and enforcing strong security policies and protocols.
In addition, it is crucial to have a comprehensive incident response plan in place in case a supply chain attack does occur. This should include regular training and testing of the plan, as well as clear communication channels and protocols for responding to an attack.
Ultimately, preventing a supply chain attack requires a multi-layered approach that includes not only strong internal security measures but also robust oversight and management of third-party vendors and partners.”
Steve Pogson is the Founder & eCommerce Strategy Lead at FirstPier.
“Identify potential vulnerabilities. Evaluation of third-party suppliers enables companies to determine whether or not their supply chain is susceptible to any potential weaknesses.
This can involve identifying vendors that may not have suitable security measures in place. Identifying vendors who have a history of security breaches can also fall under this category.”
Salim Benadel is the Director at Storm Internet.
“Secure the supply chain at every stage. Attacks on the supply chain can take place at every stage of the supply chain, from the point of manufacture to the point of retail. It is imperative to implement supply chain security measures at each level to prevent vulnerabilities.
Implementing safety precautions like data encryption, firewalls, and intrusion detection systems are all examples of what this may entail. It is essential to conduct routine audits and make necessary modifications to security procedures to keep these safeguards relevant and efficient.”
Jeff Mains is a 5x Entrepreneur and CEO of Champion Leadership Group LLC.
“A supply chain attack is a form of cyberattack that targets the weak links in a supply chain to gain unauthorized access to valuable information, data, or assets. The attack is usually aimed at compromising the software or hardware components of a third-party vendor that is part of the supply chain.
Although many organizations have implemented various cybersecurity measures to prevent supply chain attacks, there are still some overlooked elements that need to be addressed. That being said, the most overlooked elements of preventing a supply chain attack are the following.
Regular Security Audits
One overlooked element of preventing a supply chain attack is regular security audits. Organizations should conduct regular security audits of their entire supply chain to identify any vulnerabilities that could be exploited by attackers. These audits should include reviewing security policies, procedures, and practices to ensure that they are up-to-date and in line with industry standards.
Multi-factor authentication (MFA) is a security measure that is often overlooked but can be effective in preventing supply chain attacks. MFA requires users to provide more than one form of authentication, such as a password and a one-time code, to gain access to a system or application. This makes it difficult for attackers to gain unauthorized access to the organization’s systems, even if they have obtained the user’s login credentials.”
Supply chain attacks are increasingly common in the digital age, as more companies rely on more complex networks of vendors, services, and open-source software and libraries. By ensuring that you’re not overlooking any of these important elements, you’ll bolster your company’s defenses against supply chain attacks.
You can avoid these mistakes by partnering with a supply chain management (SCM) consultant like Argano. By working with Argano, you can tap into our consultants’ wealth of expertise and experience in implementing digital supply chain systems that optimize visibility, agility, and resilience in supply chain management.
Argano creates customized SCM solutions that meet unique business goals while also putting appropriate safeguards in place to secure the supply chain. Contact us today to learn how we can help you develop and implement an intelligent SCM solution that supports your operations and reduces supply chain risks.