Supply chain remains the weakest link in cybersecurity

By Sean Duca

Supply chains present a weak link for cybersecurity because organisations can’t always control the security measures taken by supply chain partners. Sean Duca, Vice President and Chief Security Officer of Palo Alto Networks, explores the ways in which cybercriminals can attack an organisation by first infiltrating a supply chain partner.

Supply chains present a weak link for cybersecurity because organisations can’t always control the security measures taken by supply chain partners. This can create opportunities for cybercriminals to attack an organisation by first infiltrating a supply chain partner. Organisations and their partners need to be aware of this risk and act to protect each other, according to Palo Alto Networks.

Supply chain organisations are targeted because they often aren’t as aware of potential threats and may not have adequate resources to manage security to a high level. Bad actors often start small, waiting in systems for years before striking the target organisation where it’s weak.

Software supply chain attacks are pernicious because they violate the basic trust between software provider and consumer. Hackers are dodging traditional cyber defences to compromise software and delivery processes. This lets them disrupt large numbers of systems through a single attack. Companies that use the corrupted software could fall victim to ransomware attacks, lose valuable proprietary information, and be subject to commercial sabotage.

Organisations are increasingly interconnected and, while this provides a variety of business benefits, it also comes with security risks. Cybercriminals are very aware of these connections and are using them to access networks that are otherwise well-protected.

In today’s world of Internet of Things (IoT), digital buyer-seller relationships, and robotic process automation, vulnerabilities to cyber damage are increasing. Businesses may have security tools and protection in place but need to ask whether their suppliers, and their suppliers’ suppliers, and so on down the value chain, have the same kind of protection.

Palo Alto Networks recommends three key ways to secure the supply chain:

1. Review internal and external security procedures: Organisations should not only review their own internal infrastructures, but also vendors’ and partners’. While internal systems might have strong security practices for thwarting a wide range of direct attacks, third-party collaborators might not adhere to the same practices. Consequently, businesses need to thoroughly vet vendors before fully integrating them into internal infrastructures.

2. Establish written security guidelines and controls: Cybercriminals may use a supplier’s website to host malware. Where possible, organisations should require suppliers to adhere to processes and protocols that minimise the likelihood of such attacks. A written agreement should require vendors to provide timely notification of any internal security incidents as well as periodic security reports to regularly ascertain their security status.

3. Training/sharing security best practices with staff and vendors: While technology is essential, human error is still the primary source of data breaches. The recent Cyber Security Intelligence Index report by IBM revealed that 95 per cent of all security incidents involve human error, from clicking links in phishing emails and visiting malicious websites to enabling viruses and falling victim to other advanced persistent threats.

Organisations must train all staff in security best practices. Training helps people to identify potential attacks and should be constantly refreshed so people can act as the first line of defence.

Organisations mustn’t overlook the risks posed by their supply chain when it comes to protecting company and customer information. Cybercriminals will look for every vulnerability to attack an organisation, so it’s essential to close every gap, down to the last link in the supply chain.
