The SolarWinds cyberattack of late 2020 could mark the moment businesses finally confront the scale of challenge they face in securing their supply chains.<\/p>\r\n
SolarWinds reads like a hacker\u2019s fantasy: compromise a single obscure company and in doing so gain secret access to thousands of its highly-prized customers across the world. Better still, none of the victims would suspect a thing because, after all, SolarWinds was a trusted supplier nobody worried about. If security company FireEye hadn\u2019t joined the dots<\/a> in December this extraordinary incident might have gone unnoticed for years rather than months.<\/p>\r\n SolarWinds isn\u2019t the only recent example of this phenomenon. In April, a vulnerability in developer auditing tools produced by a company called Codecov allowed attackers to target hundreds of its customers<\/a>. Likewise, the targeting of Accellion\u2019s File Transfer Appliance (FTA) product using multiple zero-day vulnerabilities which left several hundred customers still using it badly exposed. What made the latter particularly telling was that the FTA was a 20 year-old old product, a good example of how even legacy supply chains organisations think they\u2019ve moved on from can come back to bite them years later.<\/p>\r\n None of this was exactly new. In 2011 the encryption IP behind RSA\u2019s highly-regarded SecureID hardware authentication tokens was compromised by hackers<\/a>, which led to the company having to replace 40 million expensive tokens at huge expense after attacks against customers were detected. Everyone thought RSA was an unlucky one-off and everyone, we now know, was wrong.<\/p>\r\n Supply chains vary by industry sector but can include not only technology providers, but potentially any third-party with which an organisation has a trusted relationship.\u00a0 Every organisation, including SMEs, will have a list of these, usually outsourcing or commercial partners of one sort or another. The danger they pose is proportional to the amount of access they have to a company\u2019s systems, its data, and in some cases its premises.<\/p>\r\n From a cybersecurity point of view, the problem is that no matter how well an organisation secures its own infrastructure, it can\u2019t be sure that its partners are doing as good a job. The security state of that partner is often taken on trust. Organisations can\u2019t just cut themselves off from outsiders in an era when technology, data sharing and outsourcing have become fundamental to doing business.<\/p>\r\n Can such a problem with supply chains ever be solved? Around 15 years ago a group of inspired British CISOs from the Jericho Forum came up with an idea which eventually coalesced into what is now called \u2018zero trust security\u2019. You\u2019ll find various overlapping definitions<\/a> of what this means but it can be reduced to a simple principle: assume the worst and trust nobody. In the last decade, the rapid growth in cybercrime has turned it from a collection of discussion documents read by a small group of thinkers to the cybersecurity equivalent of the ten commandments.<\/p>\r\n Zero trust principles and best practices can be applied to SME supply chain security in different ways.<\/p>\r\n Cyber Security risks<\/a> are becoming among the most significant for today\u2019s businesses and it is clear that a robust approach to security will be required for most, if not all, organisations. Yet not all business risks are internal and, as this article shows, many risks result from supplier relationships.<\/p>\r\n Having agreements in place with your suppliers to address these security risks is critical, as will be the need to ensure they are adhering to the terms of any agreement.<\/p>\r\n If you would like to explore options for improving your business security contact us to speak with one of our advisers. We offer a range of services from e-learning for your staff<\/a> to cyber essentials<\/a> and ISO 27001 certification<\/a>. Complete this form<\/a> or call us on 0800 404 7007<\/strong> \u2013 we\u2019re here to help!<\/p>","protected":false},"excerpt":{"rendered":"The 2020 SolarWinds cyberattack could mark the moment businesses confront the scale of challenge they face in securing their supply chains.","protected":false},"author":24,"featured_media":6258,"template":"","meta":{"_acf_changed":false,"_searchwp_excluded":"","footnotes":""},"standard-post-categories":[31],"standard-post-tags":[32],"class_list":["post-6257","standard-post-filter","type-standard-post-filter","status-publish","has-post-thumbnail","hentry","standard-post-categories-insights","standard-post-tags-cyber-essentials"],"acf":[],"yoast_head":"\n\u00a0<\/h2>\r\n
What Is a Supply Chain?<\/h2>\r\n
\u00a0<\/h2>\r\n
Zero Trust<\/h2>\r\n
\u00a0<\/h2>\r\n
Supply Chain Security Best Practices<\/h2>\r\n
\r\n\t
\u00a0<\/h2>\r\n
Conclusion<\/h2>\r\n