Intelligent CISO Issue 49 - Page 74


David Smith , Senior Security Consultant at Evalian , discusses the key considerations for improving supply chain security and ultimately reducing the risk of a supply chain attack impacting your company .
upply chain attacks

S have become a mainstay in the headlines , with highprofile security incidents like the Kaseya and SolarWinds breaches impacting thousands of organisations worldwide .

A supply chain attack occurs when digital services or technologies of a vendor are compromised , allowing a criminal to move into the networks and systems of customers . Just like physical supply chains , companies rely on various digital partners to provide services and products .
Digital supply chains can be disrupted or compromised in many ways . The most damaging and sophisticated attacks allow an attacker to linger in a network unnoticed , often for a long time . Commonly called ‘ backdoors ’.
In the case of SolarWinds , criminals were able to modify SolarWinds ’ product , Orion , with malicious code that was subsequently distributed via software updates . This code was thought to have been inserted in mid-2019 but was not publicly reported until December 2020 . Orion , ( ironically ) intended to protect an organisation ’ s networks , became a gateway for attackers to access the systems of many large enterprises and key US Government departments .
While such attacks are complex , they ’ re also quite common . The European Union Agency for Cybersecurity suggests 66 % of supply chain attacks target the product code of suppliers . The return on investment for attackers , compromising one organisation then getting access to many others , makes software vendors an enticing target .
Despite this , many organisations fail to prioritise supply chain security . A DCMS 2021 survey found that most UK organisations have not reviewed risks
David Smith , Senior Security Consultant at Evalian posed by their suppliers and broader supply chain .
While you cannot control whether suppliers suffer data breaches , you can reduce the risk of a supply chain attack impacting your company . Here are four ways to improve supply chain security and avoid backdoor attacks .
Understand your supply chain and critical suppliers : A robust security strategy is dependent on visibility . Ensure your company understands who your suppliers are and what data they can access . Then identify which of these provide you with essential services or , if services went down , would cause severe disruption to your own operations : these are your critical suppliers .
Ideally , you ’ ll extend this to your suppliers ’ suppliers . This will give a detailed view of your extended supply chain , enabling better security management .
Manage your risks via a supply chain risk management programme ( SCRMP ): Establish a formal process for procuring and managing digital suppliers . Companies have been assessing and onboarding physical suppliers for years . Many commercial teams already conduct supplier assessments . Is a separate process
74 www . intelligentciso . com