RunSafe Security exclusive: Cyber security in the supply chain
Stop me if you have heard this before: as companies increasingly rely on third-party software applications, many are losing control over their software supply chain. As globalisation continues to scale and geographic constraints loosen, a strong supply chain has become necessary to compete in the worldwide marketplace, in spite of the persistent challenges of identifying and understanding the security vulnerabilities inherent to third-party software development and adoption.
As supply chain attacks continue to escalate in frequency and sophistication, a very common misconception has taken hold among product managers: that full control over the entire supply chain is the only way to minimise risk. As a result, personnel in charge of product are going to extraordinary lengths to dictate price and requirements, leaving lucrative opportunities on the table for suppliers that fail to conform.
With the supply chain’s importance increasing in proportion to the threat landscape, organisations and suppliers find themselves at a crossroads – do they acquiesce to the requirements of those seeking full control or do they abstain from the demands and forego the partnership?
The good news is that organisations do not need to have full control of the supply chain to protect it from cyberattack – whether they know it yet or not. By mapping out their supply chain, validating vendors, and reviewing security policies combined with technology implementation, organisations can close the gap on some vulnerabilities and prevent malware attacks from propagating without the burden and cost of trying to maintain full control.
Supply chain a common window for attacks
Up to 80 percent of security breaches now originate in the supply chain, according to a report by KPMG. In a common software supply chain attack, bad actors typically gain access to a software company’s distribution system and then insert malicious code in the legitimate software. When the customers update their versions, they are infected with the malware.
To reduce risk, most product managers seek a detection and reporting solution so an exploit targeting a specific vulnerability cannot disrupt their entire system. In industries where safety and critical compliance requirements exist (automotive, aviation or healthcare), security is often a function of the level of compliance. But, despite any efforts to comply, attackers can insert malware into a system via suppliers, keeping those within the chain exposed to memory-based attacks that bypass root of trust, encryption, and intrusion detection systems.
The Atlantic Council recently said in a brief that while software security vulnerabilities are a natural result of the development process and cannot be fully eliminated, they are increasingly passing through the supply chain. And in many instances, a single software component can now compromise the operational integrity of many critical systems and devices.
Unfortunately, many companies, especially small and medium-sized suppliers, lack full visibility into their supply chain and have no process for assessing the cybersecurity of the third parties with which they share data or networks. This is a big problem when considering how many flaws are unintentionally built into software components.
Nonetheless, managing the supply chain is now a critical function of optimising quality, cost and reliability. In fact, many companies use it to create strategic advantages, drive brand differentiation and improve efficiencies. While stronger brands may have more contained influence over their supply chain, companies are seeking to diversify sources so as not to be impacted by a single supplier or the demands of one brand over another.
To fear or not to fear lack of supply chain control – that is the question
For many organisations, just the thought of not having full control over their supply chain produces anxiety. After all, lack of control could mean that suppliers might not be required to meet standards, which could ultimately put organisations at a higher risk for several threats, including loss of intellectual property shared with supply chain partners and third-party access to IT networks, customer information or operational control systems.
Winston Churchill famously said that perfection is the enemy of progress, and his idea is apt for this discussion. The reality is that it’s virtually impossible to eliminate cyber risk throughout a supply chain – whether a company has complete control over it or not. Our increasingly interconnected technology products have a long journey from component manufacture to “shelf.” It’s hard to conceive of a tech product that is produced entirely in one location – labour costs often dictate that materials circumnavigate the globe more than once. Further, any device that incorporates software, whether open source or custom, is touched by many different hands during the development process. Risk is baked into the way organisations operate.
The first piece of good news for those wary of anything less than complete supply chain control is that executives in critical infrastructure industries in particular are starting to take a closer look at their supply chains, performing risk assessments, collecting threat analysis, conducting trials, and considering alternative security measures as part of a comprehensive strategy. This is important, as in today’s environment one must assume that the supply chain has been compromised.
Mark Weatherford, Senior Vice President and Chief Cybersecurity Strategist at vArmour, said in a presentation there are several things companies can do to lessen their risks. Start by identifying and learning more about your vendors. Map out your supply chain and identify your sub-tier suppliers with critical IT components or software embedded in your products and systems. Clearly identify exactly what information or systems your vendors can access, then review their practices and integrate the CISO team in the process.
The next piece of positive news is that there is a new way to apply cybersecurity across the entire supply chain and eliminate the dependence on what each supplier individually is able or willing to do. Since security is increasingly a strategic differentiator, it is now an area for the company to invest in with an approach that works across all systems.
What product managers must understand is that supply chain risk will remain no matter their level of control, and that blind pursuit of full control will only hinder productivity and will eventually impact the bottom line. By staying focused on mapping out their supply chain, validating vendors, and reviewing security policies combined with technology implementation pre or post production, manufacturing and commerce can move forward without the fear of an imminent supply chain attack.
By Joe Saunders, CEO, RunSafe Security
RunSafe Security is the pioneer of a patented cyberhardening transformation process designed to disrupt attackers and protect vulnerable embedded systems and devices.
New speakers announced for Procurement & Supply Chain Live
Two leading executives in supply chain transformation have been confirmed for this year's Procurement & Supply Chain Live event.
Procurement & Supply Chain Live is the perfect opportunity to hear from prominent executives at the world’s leading procurement and supply chain businesses. The event will be streamed live from Tobacco Dock, London via the leading networking platform Brella.
The three-day show, running 28-30 September 2021, is an essential deep dive into the industry, with influential speakers sharing insights and strategies from their organisations, group roundtable discussions, and fireside chats.
We take a look at the latest additions to the already amazing lineup of speakers announced so far, and what they will bring to the flagship event.
Shaun Plunkett, VP Global Supply Chain at Macmillan Education Ltd
Shaun Plunkett has over 30 years of supply chain leadership experience in FMCG, entertainment and media sectors, supporting multi-billion euro businesses including Universal Music, EMI, Sony Music, Harper Collins and Associated British Foods. He has a track record of successfully delivering transformational change coupled with award winning operating models and developing and coaching global teams. Plunkett says that challenging the status quo is at the heart of what drives him on a daily basis - and encouraging others to continuously push the boundaries.
Vikram Singla, Digital Transformation Lead, Oracle UK and Board Member, CILT
Vikram Singla is digital transformation director at Oracle, UK. He helps supply chain and finance business leaders leverage technology to deliver meaningful business outcomes for their organisations. He also serves on the board of CILT (Chartered Institute of Logistics and Transport) – UK and is an Honorary Visiting Fellow at Anglia Ruskin University. Singla has more than 25 years’ experience in the technology sector and in global supply chain transformation, including deploying business transformation programmes for Fortune 500 firms. In his spare time, Singla is a passionate brand ambassador for Cancer Research.
Plunkett and Singla join a growing line-up of speakers, including: Sheri R. Hinish, IBM; Robert Copeland, G4S; Daniel Weise, BCG; Mark Bromley, Mastercard; David Loseby, Rolls Royce; and Ninian Wilson, Vodafone Procurement Company.