It is nearly one year since we saw a nation-state attack on the SolarWinds network management system that affected public and private sector customers of its Orion product. Although 18,000 customers downloaded the impacted software, a much smaller number were compromised by follow-on activity on their systems. The breach was one of the biggest incidents in recent years, with costs likely to be extensive. Sadly, the Kaseya VSA supply chain attack in July further highlighted that these types of attacks will not be the last and will increase in frequency.
What is a supply chain attack? And why should we care
A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This has dramatically changed the attack surface of the typical organisation in the past few years, with more suppliers and service providers touching sensitive data than ever before.
New types of attacks, growing public awareness of the threats, and increased oversight from regulators are highlighting this growing trend. This means businesses and governments must do everything in their power to keep their supply chains running smoothly, or they risk losing sensitive data and harming their reputation, potentially resulting in operational downtime, financial losses, legal action, and regulatory fines.
Motivations and the biggest threats
Supply chain attacks are attractive to hackers because when commonly used software is compromised, the attackers can potentially gain access to all the enterprises that use that software.
Below are three of the biggest supply chain security threats that organisations and governments need to be aware of:
1. Data Protection
Data is an essential tool in keeping any business running, but it is equally important to protect that data from breaches and attacks. Data protection is vital in industries such as health care, fintech and ecommerce, and because these industries are ever growing and profitable, attackers and bad actors have plenty of incentive to launch attacks.
2. Data Governance
As we live in a post-pandemic world, we are seeing more companies adopt remote working and encourage their employees to communicate via project management software and mobile apps. As a result, the surface area the business must oversee has become larger. Organisations must use best practices for handling threats and enforce new standards on how their employees and suppliers access and share data.
3. Third-Party Risk
Everyday products like computers, mobile phones and even cars are growing more complex, as are software solutions that incorporate multiple cloud services. They may require four or more supplier tiers to reach the finished solution or product. Although better products are good for the market, working with external partners also increases the risk to the supply chain.
How to prevent supply chain attacks
Last year’s SolarWinds Orion data breach not only demonstrated the devastating potential of supply chain attacks, but also exposed concerning weaknesses in conventional defence methods that make such attacks possible. Even though the SolarWinds breach was one of the most sophisticated cyberattacks in history, there are still tactics and best practices that an organisation can implement to significantly strengthen its digital supply chain. So, what are these steps?
Minimize access to sensitive data
First, all the sensitive data access points need to be identified. This will help you note all the employees and vendors that are currently accessing your sensitive resources. The higher the number of privileged access roles, the larger the privileged access attack surface, so such accounts need to be kept to a minimum. Vendor access should be especially scrutinized given their risk of being the first targets in a supply chain attack.
- Map out all the vendors currently accessing your sensitive data and their respective access levels.
- Questionnaires will help flesh out how each vendor processes and protects your sensitive data.
- Once all third-party access data is acquired, the culling process can begin. Service providers should only have access to the minimal amount of sensitive data they require to offer their services.
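The three steps above, as an added example that is not part of the original article: a small Python check that compares each vendor's current grants with the minimum access its questionnaire says the service needs, and produces the culling list. The vendor names, data stores and access levels are constructed sample data.

```python
from dataclasses import dataclass

# Ordered access levels: a higher index grants strictly more than a lower one.
LEVELS = ["none", "read", "write", "admin"]


@dataclass(frozen=True)
class Grant:
    vendor: str
    data_store: str
    level: str


def review_vendor_access(granted, required):
    """Return the culling list: grants with no documented need or above it.

    granted:  list of Grant from the access mapping (step 1).
    required: {(vendor, data_store): minimum level} from the vendor
              questionnaires (step 2). Anything absent is treated as "none".
    """
    findings = []
    for g in granted:
        need = required.get((g.vendor, g.data_store), "none")
        if LEVELS.index(g.level) <= LEVELS.index(need):
            continue  # grant is already at or below the documented minimum
        action = "revoke" if need == "none" else f"reduce to {need}"
        findings.append({"vendor": g.vendor, "data_store": g.data_store,
                         "granted": g.level, "required": need, "action": action})
    return findings


# Step 1: current third-party access (constructed sample data).
GRANTED = [
    Grant("PayCo", "customer_pii", "read"),
    Grant("PayCo", "payment_ledger", "write"),
    Grant("AnalyticsCo", "customer_pii", "admin"),
    Grant("HelpdeskCo", "payment_ledger", "read"),
]
# Step 2: minimum access each vendor said it needs (constructed sample data).
REQUIRED = {
    ("PayCo", "payment_ledger"): "write",
    ("AnalyticsCo", "customer_pii"): "read",
    ("HelpdeskCo", "ticket_data"): "write",
}

if __name__ == "__main__":
    for f in review_vendor_access(GRANTED, REQUIRED):
        print(f"{f['vendor']:12} {f['data_store']:16} {f['granted']:>6} -> {f['action']}")
```

A vendor that never returned a questionnaire has no entries in the required map, so every one of its grants is listed for revocation until its need is documented.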
Implement strict shadow IT rules
Shadow IT refers to all IT devices that are not approved by an organization's security team. The recent global adoption of a remote-working model due to COVID-19 has resulted in many employees incorporating their own private IT devices while establishing their home office environments.
IT security departments should enforce the registration of all IT devices alongside strict guidelines about what can and cannot be connected. All permitted devices (especially IoT devices) should be monitored to identify DDoS attacks being launched from the supply chain.
Third-party risk assessments
The sad reality is that many vendors are unlikely to ever take cybersecurity seriously. Therefore, it's up to the organisation to ensure its supply chain is well defended. Third-party risk assessments help disclose each vendor's security posture and any concerning vulnerabilities that need remediating.
Monitoring the development of cybersecurity policies in key markets to identify current and upcoming compliance requirements, best practice guidance, and regulatory barriers will help to identify and prepare for upcoming issues. These would include domestic standards, security policies and certifications and export and import requirements.
Data protection and privacy
Alongside working with data loss prevention and security tools, seeking guidance on monitoring and driving the outcomes of public policy debates, and implementing strategies and policies in key markets, forms an important strategy for governments and businesses.
Many organizations should look at advocating for cybersecurity standards in regional and international bodies, including the EU, the ITU and the European Telecommunications Standards Institute (ETSI). Setting the right standards that fit the reality of the cybersecurity environment across various products and services is critical.
Alongside promoting the adoption of cybersecurity technologies, policymakers need to play a part in guiding the development of rules for government procurement of these technologies in various markets worldwide, such as the EU, Canada, the US, Japan and India. In this way, governments can lead by example.
No silver bullet
In the wake of these significant incidents, time will tell what further fallout we may be seeing in 2022. The reliance on third parties is not going away anytime soon as businesses outsource expertise to save time and money. As more diverse services come online and businesses expand, the attack surface for any organization will likely grow.
Although there is no silver bullet to help organisations, they can take a multi-layered approach to addressing this issue. Good data hygiene practices, proactive measures and policy oversight can combat the impacts of damaging supply chain attacks.
Christopher Martin, Principal, Policy Transformation, Head of Asia, Access Partnership