Supply chains are built on trusted relationships: a business partner or supplier we have agreed to do business with and whose products, services or code we integrate into our everyday business processes. Attackers take advantage of these trust relationships to introduce malware and other malicious payloads into a company network, because supply chain partners often aren't subject to the same scrutiny or skepticism that an outsider would be. A well-known example is the SolarWinds compromise, in which attackers implanted a backdoor into a legitimate software update that was then pushed out to thousands of SolarWinds customers, who installed the compromised update without hesitation because it came from a trusted source. In this article we discuss how to secure both physical and digital supply chains:
What is a Supply Chain?
A supply chain is the system of organizations, people, activities, information and resources that come together to deliver a product or service to a customer. Simply put, a supply chain is everything that is needed to produce a good or service. From a security point of view, compromising any one component of the supply chain can affect everyone further down the line. As the company providing the final product or service, you need to check the security of every component of the supply chain, not just your own, in order to reach a secure state.
How to protect a supply chain?
Map out the entire supply chain: You should have a clear understanding of each step of the supply chain for any of your important products, including suppliers of suppliers. This makes it easier to identify the weak spots where an attacker could introduce malware or security vulnerabilities into your product.
Take a risk-based approach in assessing third parties: After you map out the supply chain, look at each of your third parties and evaluate their processes and the access they have to see what risk they pose to your company, and spend the most assessment effort on the ones that could do the most damage. An important part of this is threat modelling: working out the ways an attacker could reach your company through each supplier (a tampered update, stolen supplier credentials, a compromised shared network link) so you can be sure the proper protections are in place for each path.
Use Trusted Third-Party Code: Security vulnerabilities are commonly introduced through an application's dependencies, so only use third-party code that comes from a vetted source and has been reviewed or tested. No code can be proved secure, so in practice this means pinning each dependency to a specific version, verifying the integrity of what you download (a published hash or signature) before it is built or installed, and refusing anything that is unpinned or fails the check. Avoid pulling untested and untrusted code into your applications.
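As an added example (not code from the original article), the following Python script shows one way to enforce the "pinned and verified" rule described above. It follows the model used by pip's `--require-hashes` mode: every dependency in a lockfile must carry an exact version and at least one SHA-256 hash, and a downloaded artifact is only accepted if its digest matches. The package names, lockfile and artifact bytes are constructed for illustration; the tampered build stands in for a backdoored update of the kind described in the introduction.

```python
"""Verify third-party artifacts against pinned SHA-256 digests.

Added example, not from the original article. Mirrors the rule enforced by
`pip install --require-hashes`: every dependency needs an exact version pin
and at least one hash, and the artifact must match one of them.
"""
import hashlib
import re

# One lockfile line: name==version --hash=sha256:<hex> [--hash=sha256:<hex> ...]
_LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pins(lockfile_text):
    """Return {name: {"version": str, "hashes": set}}.

    Raises ValueError on any line that is not pinned to an exact version
    with at least one hash, so a loose requirement cannot slip through.
    """
    pins = {}
    for raw in lockfile_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = set(_HASH_RE.findall(m.group("rest")))
        if not hashes:
            raise ValueError(f"no --hash pin for {m.group('name')}")
        pins[m.group("name")] = {"version": m.group("version"), "hashes": hashes}
    return pins


def is_strict_lockfile(lockfile_text):
    """True if every entry is version-pinned and hash-pinned."""
    try:
        parse_pins(lockfile_text)
        return True
    except ValueError:
        return False


def verify_artifacts(pins, artifacts):
    """artifacts: {name: bytes}. Returns {name: "ok" or a refusal reason}.

    Anything with a hash mismatch, or not listed in the lockfile at all,
    is reported as refused rather than silently installed.
    """
    results = {}
    for name, pin in pins.items():
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing artifact"
            continue
        digest = hashlib.sha256(data).hexdigest()
        results[name] = "ok" if digest in pin["hashes"] else f"hash mismatch: {digest[:12]}..."
    for name in artifacts:
        if name not in pins:
            results[name] = "not in lockfile (refuse to install)"
    return results


# Constructed sample data (hypothetical packages, not real ones). The lockfile
# is generated from the known-good build, as a release process would do, and a
# tampered build is later substituted for it.
GOOD_BUILD = b"widget-1.4.0 wheel contents (known-good build)"
TAMPERED_BUILD = GOOD_BUILD + b"\n# injected: beacon to attacker-controlled host"
HELPER_BUILD = b"helper-0.9.1 wheel contents"
LOCKFILE = (
    "# pinned by the release process\n"
    f"widget==1.4.0 --hash=sha256:{hashlib.sha256(GOOD_BUILD).hexdigest()}\n"
    f"helper==0.9.1 --hash=sha256:{hashlib.sha256(HELPER_BUILD).hexdigest()}\n"
)


def demo():
    """Check a download set containing one tampered and one unlisted artifact."""
    pins = parse_pins(LOCKFILE)
    downloads = {"widget": TAMPERED_BUILD, "helper": HELPER_BUILD, "extra": b"unlisted package"}
    return verify_artifacts(pins, downloads)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Running the script reports `helper` as ok, refuses `widget` because the tampered build's digest no longer matches the pin, and refuses `extra` because it is not in the lockfile at all. A lockfile with a loose specifier such as `widget>=1.0`, or a pin without a hash, is rejected before any artifact is examined.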
Consider Compliance Regulations: Cybersecurity compliance is another issue, because if a third-party contractor with access to company information doesn't handle that information correctly, the company that originally collected the data and provided it to them can still be held liable. Make sure that everyone involved in the supply chain understands the compliance requirements that apply to the product. Physical supply chains carry the same kind of shared exposure. A high-profile example is the Colonial Pipeline, which runs from Texas to the northeast: about 45% of the fuel consumed on the East Coast arrives through this pipeline system, and it carries roughly 2.5 million barrels of gasoline, diesel, heating oil and jet fuel a day. In May 2021 it suffered one of the most disruptive ransomware attacks on record; the ransomware hit the company's IT systems and the company shut down pipeline operations for about six days as a precaution, cutting off everyone downstream of it. Although the shutdown lasted less than a week, CEO Joseph Blount stated that it would likely cost tens of millions of dollars over the following months to fully repair the damage. The Department of Justice's Ransomware and Digital Extortion Task Force later recovered roughly 64 of the 75 bitcoins that had been paid to the attackers.
How to get more free content
If you like this article and would like more of our cybersecurity insights, tips and tricks, feel free to follow us on social media. If you're a business owner who needs help assessing your business's cybersecurity posture, take advantage of our free introductory assessment and we'll help you put together a game plan for keeping your company safe.