Supply chain, the weakest link in cybersecurity

Supply chains present a weak link for cybersecurity because organisations can’t always control the security measures taken by supply chain partners. This can create opportunities for cybercriminals to attack an organisation by first infiltrating a supply chain partner. Organisations and their partners need to be aware of this risk and act to protect each other, according to Palo Alto Networks.

Sean Duca, vice president and chief security officer, Asia Pacific, Palo Alto Networks, said, “Supply chain organisations are targeted because they often aren’t as aware of potential threats and may not have adequate resources to manage security to a high level. Bad actors often start small, waiting in systems for years before striking the target organisation where it’s weak.”

Software supply chain attacks are pernicious because they violate the basic trust between software provider and consumer. Hackers are dodging traditional cyber defences to compromise software and delivery processes. This lets them disrupt large numbers of systems through a single attack. Companies that use the corrupted software could fall victim to ransomware attacks, lose valuable proprietary information, and be subject to commercial sabotage.

Sean Duca said, “Organisations are increasingly interconnected and, while this provides a variety of business benefits, it also comes with security risks. Cybercriminals are very aware of these connections and are using them to access networks that are otherwise well-protected.

“In today’s world of Internet of Things (IoT), digital buyer-seller relationships, and robotic process automation, vulnerabilities to cyber damage are increasing. Businesses may have security tools and protection in place but need to ask whether their suppliers, and their suppliers’ suppliers, and so on down the value chain, have the same kind of protection.”

Palo Alto Networks recommends three key ways to secure the supply chain:

1. Review internal and external security procedures: Organisations should not only review their own internal infrastructures, but also vendors’ and partners’. While internal systems might have strong security practices for thwarting a wide range of direct attacks, third-party collaborators might not adhere to the same practices. Consequently, businesses need to thoroughly vet vendors before fully integrating them into internal infrastructures.

2. Establish written security guidelines and controls: Cybercriminals may use a supplier’s website to host malware. Where possible, organisations should require suppliers to adhere to processes and protocols that minimise the likelihood of such attacks. A written agreement should require vendors to provide timely notification of any internal security incidents as well as periodic security reports to regularly ascertain their security status.

3. Training/sharing security best practices with staff and vendors: While technology is essential, human error is still the primary source of data breaches. The recent Cyber Security Intelligence Index report by IBM revealed that 95 per cent of all security incidents involve human error, ranging from clicking links in phishing scams and visiting malicious websites to enabling viruses and falling victim to other advanced persistent threats.

Organisations must train all staff in security best practices. Training helps people to identify potential attacks and should be constantly refreshed so people can act as the first line of defence.

Sean Duca said, “Organisations mustn’t overlook the risks posed by their supply chain when it comes to protecting company and customer information. Cybercriminals will look for every vulnerability to attack an organisation so it’s essential to close every gap, down to the last link in the supply chain.”