Cybercriminals find the supply chain an appealing target. Attacking a vendor that serves dozens to thousands of companies is a highly effective way to ensure malware or another type of attack spreads as far and as fast as possible.
Supply chain security is not at the top of every company’s mind today. Yet, businesses are advancing interoperability and improving visibility to strengthen their supply chain strategies and resilience. These activities include implementing fully integrated enterprise resource planning (ERP) systems or customer relationship management (CRM) systems, aggregating valuable data in a central location, significantly enhancing productivity and profitability, and more. However, without adequate security measures, they also can increase supply chain risk.
If you visit leading supply chain blogs, you will encounter articles warning of the risk of supply chain attacks. While awareness is growing of the need to protect the supply chain adequately, most organizations focus on what they can control: their own networks, applications, and endpoints.
As businesses acknowledge the potential threats within their supply chains and implement measures to mitigate them, several critical aspects frequently go unaddressed. These include employing supply chain analytics to pinpoint risks, conducting thorough due diligence during vendor contracts, addressing vulnerabilities faced by software developers — especially those dependent on open-source software or libraries — and improving visibility into the entire network of software components utilized by the company.
To help you develop a robust security posture that protects your company’s sensitive data not only in your own network but across the supply chain, we reached out to a panel of supply chain, IT, and cybersecurity professionals and asked them to answer this question:
“What’s the most overlooked element of preventing a supply chain attack?”
Read on to learn what our panel had to say about the crucial elements of preventing supply chain attacks that you might be overlooking.
Ryan Johnson, Esq. FIP, CIPP, CIPM, Savvas Learning Co. Chief Privacy Officer, is a certified data privacy and cybersecurity attorney, public speaker, and author with 25 years of experience in business, technology, and finance.
“One of the most overlooked elements of supply chain risk is simply performing adequate due diligence when selecting, onboarding, and assessing supply chain vendors. Ideally, vendors should be tiered based on the level of access, the threat posed, and the severity of the compromise.
Vendors should be assessed on an annual basis and removed if they fail to meet minimum basic information security requirements. Unfortunately, the loss of business is the number one driver or motivator of beefed-up security efforts.”
Pete Morgan, Phylum Co-founder, is a security researcher with a long history in research and consulting organizations.
“The most overlooked element of a software supply chain attack is that these incidents are highly targeted at software developers.
In fact, developers are the new high-value targets of cybersecurity attacks. The bad actors who orchestrate software supply chain attacks know how developers work and focus on weak links where they can gain access to a developer’s credentials.
For example, they know that developers rely on open-source software to help them speed up the development of new software products. They know that by focusing their attacks on developers, they can get their hands on high-value assets such as cloud access keys, SSH keys, signing keys, and other secrets. These keys often live for long periods of time, meaning an undetected compromise allows attackers plenty of access and time to plan out the next stages carefully.
There are a number of blind spots to exploit because the software supply chain is a constantly changing concept. Open-source packages are used in 85% to 95% of applications and are created and maintained by strangers on the internet. Developers use these packages without oversight or control by the security team. It’s a perfect storm, and it’s growing by the day.”
Nathaniel Cole, TreviPay Chief Information Security Officer, has 15 years of experience building and running modern security programs. He writes a cybersecurity advice column for business leaders at NetworkAssured.com.
“The most overlooked element of supply chain security is related to software dependencies. Many companies are focused on the business’s security controls, certifications, and processes, which all help to secure the company. But how many companies actually understand all of the software components that they have in use? In my experience, the answer is: not very many.
This is becoming a common attack vector as we move into 2023, as evidenced by the multiple recent attacks where data-stealing malware has been embedded into PyPI.”
Miclain Keffeler, West Tennessee Consulting Co-founder and CTO, is an IT Cybersecurity leader with many years of experience in cybersecurity and analytics.
“Supply chain attacks are complex to pull off, but simple to prevent. SCA, or Software Composition Analysis, is a simple process used to detect publicly disclosed vulnerabilities contained within a project’s dependencies and the dependencies’ dependencies. This is the most overlooked element of preventing supply chain attacks.
Often referred to as sub-dependencies, these are situations such as when a library that you are using relies on other libraries to do its job. Especially in the open-source world, this is where the rubber meets the road.
Oftentimes attackers will introduce a new dependency in these commonly used libraries and then infect that dependency, either because they own it or it’s also open source and they can contribute code to it themselves. Not all projects implement the same security standards, so they could easily not realize what happened or why.
This also plays out with vendors. For example, if you didn’t know any better, you would think West Tennessee Consulting could be vulnerable to this. We help clients with software projects, both on-premise and in the cloud. Clients could hire us, and we could develop code to solve their problems and unwittingly introduce a backdoor or a vulnerable dependency into our client’s environment.
How would you know this happened? Likely not until it was too late. This is why it’s so important to follow common security practices like SCA and more. When WTC does a project, SCA is actually only one small part of all the security standards that must be met before code is delivered to one of our clients. But this isn’t standard, which is part of the reason supply chain attacks are common, and it can cause real harm as you read on the news all too often.”
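The sub-dependency check described in the answer above, as an added example that is not part of the original article or of any vendor's tooling: a minimal SCA pass that walks a lock-file style dependency graph, matches every reachable package against an advisory list, and reports the full path so the team knows which direct dependency pulls in the vulnerable one. The lock file, package names, versions and advisory identifiers are all constructed placeholders.

```python
from collections import deque

# Constructed, lock-file style dependency graph: name -> (pinned version, direct deps).
# Every package name and version here is hypothetical.
LOCKFILE = {
    "webapp":           ("1.0.0", ["http-client", "template-engine"]),
    "http-client":      ("2.3.1", ["url-parse", "retry-utils"]),
    "template-engine":  ("4.0.2", ["html-escape", "legacy-shim"]),
    "url-parse":        ("1.5.0", ["querystring-lite"]),
    "retry-utils":      ("0.9.0", []),
    "html-escape":      ("1.1.0", []),
    "querystring-lite": ("0.2.7", []),
    # "legacy-shim" is referenced above but has no pinned entry (deliberately)
}

# Constructed advisory feed: (package, affected versions, placeholder advisory id).
ADVISORIES = [
    ("querystring-lite", {"0.2.7", "0.2.8"}, "ADV-PLACEHOLDER-1"),
    ("retry-utils",      {"0.8.0"},          "ADV-PLACEHOLDER-2"),  # we pin 0.9.0: not affected
]


def dependency_paths(root, lockfile):
    """Breadth-first walk from root. Returns {package: shortest path from root}.
    Packages missing from the lock file still get a path (they are leaves here)."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        _, deps = lockfile.get(pkg, ("?", []))
        for dep in deps:
            if dep not in paths:          # first visit wins; also breaks cycles
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def unresolved_dependencies(lockfile):
    """Names referenced as dependencies but absent from the lock file. SCA cannot
    assess these at all, which is itself a finding worth raising."""
    known = set(lockfile)
    return sorted({d for _, deps in lockfile.values() for d in deps if d not in known})


def find_vulnerable(root, lockfile, advisories):
    """Match every reachable package against the advisory feed. Each finding records
    the full path, so the team knows which *direct* dependency to upgrade or replace."""
    paths = dependency_paths(root, lockfile)
    findings = []
    for pkg, affected, adv_id in advisories:
        if pkg not in paths or pkg not in lockfile:
            continue
        version, _ = lockfile[pkg]
        if version not in affected:
            continue
        path = paths[pkg]
        findings.append({
            "package": pkg,
            "version": version,
            "advisory": adv_id,
            "path": " -> ".join(path),
            "direct_dependency": path[1] if len(path) > 1 else root,
            "depth": len(path) - 1,       # 1 = direct dependency, >1 = sub-dependency
        })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable("webapp", LOCKFILE, ADVISORIES):
        print(f"{f['advisory']}: {f['package']}@{f['version']} via {f['path']}")
    print("unresolved:", unresolved_dependencies(LOCKFILE))
```

Run against a real project, the graph would be built from the project's own lock file and the advisory list pulled from a vulnerability database; the path and depth fields are what make a transitive finding actionable.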
Braden Perry, a former federal enforcement attorney and CCO of a financial firm, is a regulatory and government investigations attorney with Kansas City-based Kennyhertz Perry, LLC.
“I work with a number of vendors on data breaches. When it comes to breaches in vendor-heavy industries, there are threats not only from insiders but significantly from outsiders as well. Generally, there’s more of a threat by rogue insiders.
There’s not much, besides compartmentalization and monitoring, you can do if an insider wants to reach data. For outsiders, including vendors, most attacks compromise legitimate websites to deliver malicious payloads which can then reach data. This can usually be prevented.
While no single strategy fits all, practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical and having a communications method for response, actively monitoring centralized hosts and networks, and including enhanced monitoring to detect known security events is a must. With a well-oiled cyber policy, you can mitigate outsiders significantly.
Specifically for supply chains, it is critical to monitor and review your vendors and to mitigate any excess entry points into the system. Target and Home Depot are high-profile examples of supply chain monitoring gone wrong.
Following critical data and the data stream can identify areas where more monitoring is required and can also minimize undetected intrusions. While it is impossible to prevent all intrusions, having a cyber policy that identifies weaknesses within the supply chain and enhancing security/monitoring will lessen the risk of landing on the ever-increasing list of companies breached.
Also, I’m seeing increased understanding and engagement at the top management and board levels. Traditionally, IT was not understood, and management would not understand the role and responsibility of IT departments. Now, you must have board and/or top management engagement. The main pain point from IT is the need for the latest resources to keep a company safe. Many companies don’t upgrade their information security systems enough, and the technology to breach critical systems is advancing much faster than companies’ security.
The Board must understand the issues and the potential harm to a company if a breach occurs (see Walmart, Home Depot, Yahoo, etc.). Having a sophisticated Board, not only for business but in today’s cyber and IT security is a must to understand the issues and protect the company from these types of harm.
Translating an understanding of the importance of a proactive IT security policy, and feeling like the company is on board with IT security efforts are also crucial. Many companies have very robust policies and procedures for their business processes, which sophisticated Board members can understand. IT is different. It’s a different language for a business person, and unfortunately, most Board members will ignore or defer on issues they don’t understand. So when an IT department presents a robust plan for proactive IT security, it may go ignored or disregarded. This can lead to a reactive plan only that focuses on the when as opposed to prevention.
As mentioned above, IT is a different language. It’s becoming more important, and almost imperative, that a Board has an experienced IT/cybersecurity liaison to be the go-between and translate the IT language into business language and vice versa. More often the Board simply doesn’t understand an issue.
When I am engaged to investigate and report, it ordinarily is an issue that could have been resolved without outside counsel, but a lack of clear communication between IT and the Board stymied that understanding. It’s imperative in most companies to have a Board member knowledgeable in the area that can understand and communicate issues related to IT security and have a voice in an area that most board members don’t understand.”
Kimberly DeCarrera, founder of DeCarrera Law, is a seasoned attorney who has served as Outside General Counsel to a variety of companies, including those in the supply chain, from manufacturers to distributors to logistics to retailers.
“The most overlooked element in preventing a cyber attack on the supply chain is the human element. Most attacks are going to involve some sort of human intervention — from clicking on a phishing email all the way to intentional acts.
Most plans target the technology because that’s what we automatically think: upgrades, patches, firewalls, etc. But we cannot ignore the risk from the people that use the systems. They must be trained in identifying the threats to the system. And systems must be put in place to identify and prevent intentional bad acts — from termination procedures to auditing access logs.”
Harmandeep Singh, Cyphere Director, has extensive experience and an in-depth understanding of security frameworks, compliance, and best practices to deliver strategic guidance, proactive risk identification, and defense planning tailored to unique needs.
“The most overlooked element of preventing a supply chain attack is the implementation of secure protocols and procedures to ensure that all data is properly protected.
This includes the use of encryption, access control, secure authentication, and secure server configurations. Additionally, organizations should regularly monitor their supply chain partners for any suspicious activity and ensure that their networks and systems are regularly updated with the latest security patches.”
Isla Sibanda, Cybersecurity Specialist, has an extensive background in ethical hacking at PrivacyAustralia.net.
“The most overlooked element of preventing a supply chain attack is the failure to manage access.
Most businesses tend to neglect the importance of having secure privileged access management in place. Once a defense has been breached, cyber attackers will move laterally throughout the ecosystem. They will do so in search of privileged accounts.
These accounts, in particular, are targeted as they are the sole accounts that can access sensitive data. This is a predictable course of action cyber attackers are expected to take and is known as the Privileged Pathway. This is why secure privileged access management is critical to a supply chain’s safety.”
Simonas Steponaitis, Health & Wellness Media Head of Growth Marketing, helps businesses grow through various digital marketing channels in highly competitive markets.
“The most overlooked element of preventing a supply chain attack is third-party vendor risk management. Third-party vendors are a critical component of many organizations’ supply chains, and they can introduce significant security risks if not properly managed.
Organizations should conduct regular risk assessments of their third-party vendors and establish security controls to mitigate the risk of a supply chain attack. This may include background checks, security certifications, and regular security audits.
Organizations should also establish clear communication channels with their vendors to quickly identify and respond to potential security incidents.”
Joanne King, ICMP Marketing Director, is a digital marketing and technology expert with over 15 years of experience in e-commerce and Higher Education settings.
“The most overlooked element of preventing a supply chain attack is end-of-life management, which refers to the process of securely disposing of products and services that are no longer needed. This includes products and services that are no longer in use, as well as those that have reached the end of their useful life.
Organizations should establish clear processes for decommissioning and disposing of these products and services, including wiping data from storage devices, securely destroying physical components, and disposing of electronic waste in an environmentally responsible manner.”
Kyle MacDonald, Force by Mojio Director of Operations, has a proven track record of building brands and executing successful marketing campaigns.
“One of the hardest parts of preventing supply chain attacks is detecting them before they rise to the level of a crisis. This is where honeytokens come in. These are essentially fake points of access or pieces of data that are designed to be found by hackers — who will reveal their presence by going after them. This can alert you to potential vulnerabilities right away and allow you to take effective countermeasures.”
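The honeytoken idea from the answer above, as an added example that is not from the original article: a small registry of planted decoy credentials and a scanner that raises an alert whenever one of them shows up in an authentication log, whatever field it appears in. Because a decoy is never used legitimately, even a failed or denied attempt is a high-fidelity signal. The token values, planting locations, log format and log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    value: str        # the decoy secret exactly as planted (grants no real access)
    kind: str         # what it pretends to be
    planted_in: str   # where it was left, so an alert says what the intruder read


# Constructed registry; the values are placeholders, not real credentials.
REGISTRY = [
    Honeytoken("HT-APIKEY-7f3a9c0e", "api_key", "config/backup.env on build server"),
    Honeytoken("svc-readonly-decoy", "username", "docs/onboarding.md in the wiki"),
]

# Constructed log excerpt in a simple "timestamp key=value ..." format.
SAMPLE_LOGS = """\
2024-01-09T10:01:02Z src=10.0.0.5 user=alice action=login result=ok
2024-01-09T10:03:44Z src=203.0.113.7 user=svc-readonly-decoy action=login result=fail
2024-01-09T10:04:10Z src=203.0.113.7 api_key=HT-APIKEY-7f3a9c0e action=list-buckets result=denied
2024-01-09T10:05:00Z src=10.0.0.8 user=bob action=logout result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Split one log line into a dict of fields (plus 'ts'); None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def scan(log_text, registry=REGISTRY):
    """One alert per log line that contains any registered honeytoken value.
    Matching is by value across every field, so a decoy username pasted into an
    unexpected field is still caught."""
    by_value = {t.value: t for t in registry}
    alerts = []
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if not fields:
            continue
        for key, val in fields.items():
            tok = by_value.get(val)
            if tok is not None:
                alerts.append({
                    "ts": fields["ts"],
                    "src": fields.get("src"),
                    "field": key,
                    "token_kind": tok.kind,
                    "planted_in": tok.planted_in,
                    "result": fields.get("result"),
                })
    return alerts


def suspect_sources(alerts):
    """Distinct source addresses that touched a decoy: the pivot for incident response."""
    return sorted({a["src"] for a in alerts if a["src"]})


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"{a['ts']} {a['src']} used {a['token_kind']} decoy planted in {a['planted_in']}")
    print("suspect sources:", suspect_sources(scan(SAMPLE_LOGS)))
```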
Almi Dumi, Main Line Health Information Security Manager, holds numerous certifications, including ITIL IT Service Management, PCI-QIR, WatchGuard Certified System Professional, Lean Six Sigma, and several Microsoft Professional certifications.
“The most overlooked element of preventing a supply chain attack is verifying supply chain email security training. Email remains the primary attack method for cybercriminals. Business leaders must build essential cybersecurity awareness with regular security training for employees and ensure that it’s also done for supply chain employees.
In the supply chain, everyone plays a significant role in cybersecurity. Make sure that your vendors’ employees receive the necessary email security training and tools to take responsibility for securing their systems. If hackers gain access to your vendors’ systems through email or another form of social engineering, they can use that as a bridge into your network.
Continuous training over time is the best way to get people to understand the concepts of email security while also reminding them of older, more common risks, and newly emerging risks. Leaders who combine that with top-notch email security technology have an effective email security program.”
Brenton Thomas, Founder of Twibi, is a marketing expert with 5+ years of experience generating revenue for B2B and B2C clients’ brands.
“The most overlooked element of preventing a supply chain attack is often the human factor.
Many organizations focus on securing their technology systems and fail to address the risks posed by their vendors or contractors who have access to their systems. Supply chain attacks often occur due to a lack of proper security protocols and awareness within a vendor’s organization.
For example, a vendor’s employee could inadvertently introduce malware into an organization’s systems by clicking on a malicious link or downloading a file.
To prevent supply chain attacks, it’s essential to have a comprehensive security strategy that includes training and awareness programs for both employees and vendors, as well as implementing strict access controls and monitoring mechanisms.”
Omer Usanmaz, Qooper CEO and Co-Founder, enables companies to run mentorship, coaching, and training programs with best practices, software solutions, and analytics.
“The most overlooked element of preventing a supply chain attack is the deficiency of a cybersecurity culture in businesses. Organizations need strong cybersecurity cultures because of the prevalence of cloud computing, remote work opportunities, and digital transformation projects.
Employees should be encouraged to regularly contribute to its improvement in order to create a strong line of defense against hacker attacks or data breaches. Every organization should provide security awareness training to teach staff cybersecurity fundamentals including identifying dangers and avoiding them as well as the importance of destroying passwords. Employees may use corporate technology with trust as a result, and cybersecurity readiness is promoted.”
Maksym Babych, SpdLoad CEO, streamlines business processes through tailored software development, targeted technical support, and insightful IT consulting.
“One of the most overlooked elements of preventing a supply chain attack is conducting thorough due diligence on third-party vendors and suppliers, including evaluating their security practices and policies.
Many organizations rely on third-party vendors for various services and products, and a supply chain attack can occur when a vulnerability in a vendor’s system is exploited to gain access to the target organization’s network.
Therefore, it’s crucial to vet vendors and suppliers thoroughly and regularly, as well as monitor their security practices and compliance with industry standards.”
Matt Kerr, AppliancedGeeked CEO and Founder, helps homeowners tackle their appliance repairs themselves and save on professional repair fees.
“This ingredient is astonishingly easy. Businesses, particularly small and medium-sized enterprises, neglect developing cybersecurity policies and procedures. A successful cybersecurity program integrates people, processes, and technology. Most firms overlook the first two and instead concentrate on technology such as firewalls, multi-factor authentication, and encryption.
However, the majority of successful cyber breaches are the result of human error. These phishing, social engineering, and credential compromise schemes culminate in business email compromise (fraud) or ransomware. The most effective method of prevention is to develop and implement effective policies (clearly defined expectations and norms) and processes.
While technology is vital, employees make mistakes, and organizations are jeopardized without managerial assistance and training.”
Eric Strickler, PCRx Inc. Founder and CEO, holds several advanced computer degrees and certifications, including Microsoft Core Systems Engineer (MCSE), Information Security Specialist (ISS), A+ hardware certification, and Network Design and Administration (NDA).
“One of the more overlooked areas of supply chain injections and attacks is the implementation of stolen certs.
Large managed services providers and corporate IT professionals depend on automated tasks and patching to secure endpoints in the production environment. We tend to rely on big names like Intel to keep their releases clean and secure. However, in recent years we see an increasing number of compromises using stolen certs from these manufacturers to provide ‘signed’ drivers containing and deploying malware.”
Leo Ye, Cubo CEO and Co-founder, designed Cubo to improve team collaboration by bringing members together in one location, conveniently migrating business connections from offline to online.
“The most overlooked element of preventing a supply chain attack is assessing hardware and software components. Hardware and software components are critical components of your organization’s supply chain, and any vulnerabilities in these components can create security risks. To mitigate these risks, you should perform a comprehensive assessment of all hardware and software components involved in the supply chain.
The assessment should include identifying any known vulnerabilities, reviewing patch management processes, and ensuring that all components are up-to-date and secure. You should also establish procedures for conducting regular security audits and penetration testing to identify any potential security gaps.”
Sean Stevens, ImmerseEducation Director, is passionate about developing futures through education.
“Adopt a comprehensive strategy to protect your network. In order to effectively counteract internet-based attacks, they must be halted in their tracks at the user’s terminal. If you want to protect your supply chain from assaults, you must take steps to secure these touchpoints.
A managed detection and response (MDR) solution and an efficient endpoint detection and response (EDR) system are two options for keeping an eye on potentially harmful activity in the network. By dividing your network into smaller, more manageable pieces, you can prevent hackers from spreading laterally across your system and gaining access to more sensitive information.”
Michael Hess is the eCommerce Strategy Lead of Code Signing Store.
“Create a disaster recovery/incident response (IR) strategy. Although putting up an IR can feel like an insurmountable task, it need not be so hard. Thank goodness, there are pre-existing frameworks from which a company can choose the best option for itself.
Check out NIST’s (National Institute of Standards and Technology) incident handling guide if you’re at a loss for a foundational document to work from. When something goes wrong, make sure you notify your stakeholders and consumers as soon as possible so that you may take the necessary measures to fix the situation.”
Brad Anderson, FRUITION Executive Director, has 20 years of experience creating and growing businesses that leverage technology to solve problems, generate value, and enhance security.
“Do due diligence on any and all outside vendors. It’s not always easy to build trust online. After all, a foolproof method does not exist — either domestically or globally — to determine whether or not a given seller can be trusted. There are, however, measures you may take to guarantee the highest level of safety for your vendors.
Come up with a set of criteria for evaluation that will be used to judge all vendors equally.
Each vendor should be able to provide a high-level overview of the security measures it has put in place and the measures taken to ensure the security of each individual piece of software or hardware.
See how the Consortium for Information and Software Quality, an organization working to establish standards for software reliability, is progressing. In the future, these criteria could help your organization decide which vendors to work with.”
Joe Troyer, DigitalTriggers CEO & Head of Growth, is an internet entrepreneur helping businesses increase profitability since 2005.
“Keep an eye out for new updates. You do know that updating your program will fix bugs and make it better, right? It’s not the case every time. Malware can be automatically installed in some supply chain attacks because they are linked to software upgrades. Because software upgrades are so difficult to monitor for malware, this is one of the trickier hacks to detect.
If even Microsoft overlooked the SolarWinds update’s malicious code, it’s likely you will too. Have you considered not updating your software? In a word, no. Software without the latest patches is especially susceptible to zero-day exploits. When compared to up-to-date software, this greatly increases the risk. Making sure your providers have proper code verification techniques in place is the best way to stop supply chain attacks via software updates.”
Jamie Irwin, Straight Up Search Director and Search Marketing Expert, channels a passion for search engine traffic into leading a bespoke, full-service SEO agency committed to driving organic growth and enhancing online visibility for small to medium-sized businesses across the globe.
“Zero Trust Architecture (ZTA) is, in my view, the most underappreciated factor in thwarting a supply chain attack. All network activity is treated as potentially harmful in a Zero Trust Architecture. Each request to connect must first comply with a long range of policies before any data containing intellectual property can be accessed.
The Policy Engine uses the Trust Algorithm’s guidelines to determine if a packet should be allowed over the network. In either case, the Policy Administrator will let the Policy Enforcement Point know what the Policy Engine decided. If a request is denied or granted by the Policy Engine, it is the Policy Enforcement Point’s job to make the ultimate call.”
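The control-plane components named in the answer above (Policy Engine, Policy Administrator, Policy Enforcement Point, as described in NIST SP 800-207), as an added toy model that is not from the original article: the engine applies a hard rule and then a weighted trust score whose required threshold rises with resource sensitivity, the administrator relays the verdict, and the enforcement point opens or tears down the session. The weights, thresholds and request attributes are constructed for illustration, not a standard.

```python
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    subject: str
    resource: str
    resource_sensitivity: int        # 1 = public, 2 = internal, 3 = intellectual property
    mfa_verified: bool
    device_managed: bool
    anomalous_location: bool = False


@dataclass
class Decision:
    allow: bool
    score: int
    required: int
    reasons: list = field(default_factory=list)


class PolicyEngine:
    """Hard rules first, then a trust score compared with a sensitivity-scaled threshold.
    Weights below are constructed; a real trust algorithm would draw on many more signals."""
    BASE_THRESHOLD = 50

    def evaluate(self, req):
        # Hard rule: IP-level data needs both MFA and a managed device, no score can override it.
        if req.resource_sensitivity >= 3 and not (req.mfa_verified and req.device_managed):
            return Decision(False, 0, 0, ["sensitive resource requires MFA and a managed device"])
        score, reasons = 0, []
        for ok, weight, why in ((req.mfa_verified, 40, "no MFA"),
                                (req.device_managed, 30, "unmanaged device"),
                                (not req.anomalous_location, 30, "anomalous location")):
            if ok:
                score += weight
            else:
                reasons.append(why)
        required = self.BASE_THRESHOLD + 15 * (req.resource_sensitivity - 1)
        return Decision(score >= required, score, required, reasons)


class PolicyEnforcementPoint:
    """Data-plane component: opens or tears down the session exactly as instructed."""
    def __init__(self):
        self.open_sessions = set()

    def apply(self, req, decision):
        key = (req.subject, req.resource)
        if decision.allow:
            self.open_sessions.add(key)
        else:
            self.open_sessions.discard(key)   # a deny also closes any existing session
        return decision.allow


class PolicyAdministrator:
    """Relays each Policy Engine verdict to the Policy Enforcement Point."""
    def __init__(self, engine, pep):
        self.engine, self.pep = engine, pep

    def handle(self, req):
        decision = self.engine.evaluate(req)
        return self.pep.apply(req, decision), decision


def demo():
    """Constructed requests: returns [(allowed, Decision), ...] in order."""
    pa = PolicyAdministrator(PolicyEngine(), PolicyEnforcementPoint())
    requests = [
        AccessRequest("alice", "design-docs", 3, mfa_verified=True,  device_managed=True),
        AccessRequest("alice", "design-docs", 3, mfa_verified=False, device_managed=True),
        AccessRequest("bob",   "wiki",        1, mfa_verified=False, device_managed=True),
        AccessRequest("bob",   "wiki",        2, mfa_verified=False, device_managed=True,
                      anomalous_location=True),
    ]
    return [pa.handle(r) for r in requests]


if __name__ == "__main__":
    for allowed, d in demo():
        print("ALLOW" if allowed else "DENY ", d.score, "/", d.required, d.reasons)
```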
Alex Contes is the Co-Founder & SaaS Expert of ReviewGrower.
“The data leak is the most underappreciated factor in stopping a supply chain attack. Assuming a breach has already occurred encourages one to adopt a Zero Trust Architecture.
An organization adopts an Assume Breach approach if it believes a data breach is inevitable rather than merely possible. This mental adjustment is what’s needed to implement active cyber protection techniques across all weak points in an organization’s network.”
Jeremy Cai is Founder and CEO of Italic, a contemporary brand that uses the same manufacturers as traditional luxury brands but with a direct-from-factory model to deliver exceptional quality for unparalleled value.
“The most overlooked elements of preventing a supply chain attack are:
Vendor Management
One of the most significant risks associated with supply chain attacks is third-party vendors. These vendors may have vulnerabilities in their systems or may be targeted by hackers looking to exploit these vulnerabilities.
To prevent these attacks, it is important to have a comprehensive vendor management program in place. This program should include regular assessments of vendor security, including vulnerability scans and penetration testing. It is also important to have clear policies in place for handling vendor security incidents, such as reporting requirements and incident response procedures.
Employee Education
Another often overlooked element of preventing supply chain attacks is employee education. Many attacks are successful because employees are not aware of the risks associated with their actions, such as clicking on a malicious link or downloading an infected attachment. By educating employees about the risks of supply chain attacks and providing them with training on how to identify and avoid these risks, companies can significantly reduce the likelihood of a successful attack.
In addition to these two elements, it is also important to have a comprehensive security program in place that includes regular vulnerability assessments, incident response procedures, and a strong security culture throughout the organization.
Supply chain attacks are a growing threat to businesses of all sizes, but with the right approach, they can be effectively mitigated. As a business owner, it is important to be proactive in identifying and addressing potential vulnerabilities in your supply chain to protect your business and your customers.”
Rahul Vij, WebSpero Solutions CEO, envisioned a digitally inclusive future leading him to create one of India’s top ten digital marketing agencies.
“The most overlooked element of preventing a supply chain attack is often the security of third-party vendors and partners.
Many organizations rely on third-party vendors and partners for various services, including marketing, web development, and hosting. These vendors and partners often have access to sensitive data and systems, which can be compromised if their security measures are not up to par.
To prevent a supply chain attack, it is essential to thoroughly vet all third-party vendors and partners and ensure that they have adequate security measures in place. This includes conducting regular security assessments, monitoring vendor and partner activity, and enforcing strong security policies and protocols.
In addition, it is crucial to have a comprehensive incident response plan in place in case a supply chain attack does occur. This should include regular training and testing of the plan, as well as clear communication channels and protocols for responding to an attack.
Ultimately, preventing a supply chain attack requires a multi-layered approach that includes not only strong internal security measures but also robust oversight and management of third-party vendors and partners.”
Steve Pogson, FirstPier Founder & eCommerce Strategy Lead, has a demonstrated history of working in the marketing, DTC, and eCommerce industries.
“Identify potential vulnerabilities. Evaluation of third-party suppliers enables companies to determine whether or not their supply chain is susceptible to any potential weaknesses.
This can involve identifying vendors that may not have suitable security measures in place. Identifying vendors who have a history of security breaches can also fall under this category.”
Salim Benadel is the Director of Storm Internet.
“Secure the supply chain at every stage. Attacks on the supply chain can take place at every stage of the supply chain, from the point of manufacture to the point of retail. It is imperative to implement supply chain security measures at each level to prevent vulnerabilities.
Implementing safety precautions like data encryption, firewalls, and intrusion detection systems are all examples of what this may entail. It is essential to conduct routine audits and make necessary modifications to security procedures to keep these safeguards relevant and efficient.”
Jeff Mains is a 5x Entrepreneur and CEO of Champion Leadership Group LLC.
“A supply chain attack is a form of cyberattack that targets the weak links in a supply chain to gain unauthorized access to valuable information, data, or assets. The attack is usually aimed at compromising the software or hardware components of a third-party vendor that is part of the supply chain.
Although many organizations have implemented various cybersecurity measures to prevent supply chain attacks, there are still some overlooked elements that need to be addressed. That being said, the most overlooked elements of preventing a supply chain attack are the following.
Regular Security Audits
One overlooked element of preventing a supply chain attack is regular security audits. Organizations should conduct regular security audits of their entire supply chain to identify any vulnerabilities that could be exploited by attackers. These audits should include reviewing security policies, procedures, and practices to ensure that they are up-to-date and in line with industry standards.
Multi-Factor Authentication
Multi-factor authentication (MFA) is a security measure that is often overlooked but can be effective in preventing supply chain attacks. MFA requires users to provide more than one form of authentication, such as a password and a one-time code, to gain access to a system or application. This makes it difficult for attackers to gain unauthorized access to the organization’s systems, even if they have obtained the user’s login credentials.”
Supply chain attacks are increasingly common in the digital age, as more companies rely on more complex networks of vendors, services, and open-source software and libraries. By ensuring that you’re not overlooking any of these important elements, you’ll bolster your company’s defenses against supply chain attacks.
You can avoid these mistakes by partnering with a supply chain management (SCM) consultant like Argano. By working with Argano, you can tap into our consultants’ wealth of expertise and experience in implementing digital supply chain systems that optimize visibility, agility, and resilience in supply chain management.
Argano creates customized SCM solutions that meet unique business goals while also putting appropriate safeguards in place to secure the supply chain. Contact us today to learn how we can help you develop and implement an intelligent SCM solution that supports your operations and reduces supply chain risks.