RunSafe Security exclusive: Cyber security in the supply chain


Stop me if you have heard this before: as companies increasingly rely on third-party software applications, many are losing control over their software supply chain. As globalisation continues to scale and geographic constraints loosen, a strong supply chain is all but necessary to compete in the worldwide marketplace. This is in spite of the persistent challenges of identifying and understanding the security vulnerabilities inherent in third-party software development and adoption.

As supply chain attacks continue to escalate in frequency and sophistication, a very common misconception has taken hold among product managers – that full control over the entire supply chain is the only way to minimise risk. As such, personnel in charge of product are going to extraordinary lengths to try to dictate price and requirements, leaving lucrative opportunities on the table for those who fail to conform.

With the supply chain’s importance increasing in proportion to the threat landscape, organisations and suppliers find themselves at a crossroads – do they acquiesce to the requirements of those seeking full control or do they abstain from the demands and forego the partnership?

The good news is that organisations do not need to have full control of the supply chain to protect it from cyberattack – whether they know it yet or not. By mapping out their supply chain, validating vendors, and reviewing security policies combined with technology implementation, organisations can close the gap on some vulnerabilities and prevent malware attacks from propagating without the burden and cost of trying to maintain full control.

Supply chain a common window for attacks

Up to 80 percent of security breaches now originate in the supply chain, according to a report by KPMG. In a common software supply chain attack, bad actors gain access to a software company’s distribution system and insert malicious code into the legitimate software. When customers install the update, they are infected with the malware.
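The attack described above succeeds because the customer trusts whatever the distribution system hands out. One concrete defence on the receiving side is to refuse any update whose bytes do not match a digest the vendor published through a separate channel (a signed release page, a manifest fetched over a different path). The following is an added example written for this article, not code from the original page or from RunSafe; the vendor name, file name, release bytes and digest are constructed for illustration.

```python
"""Pinned-digest verification of a software update before installation.

Added example (not from the article or RunSafe): a minimal client-side
check that fails closed when an update's bytes do not match the digest
the vendor published out of band. All names and values are constructed.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed "manifest": the digest a customer obtained through a channel
# separate from the download server. It is computed here only so the
# example runs stand-alone; in practice this value is copied from the
# vendor's signed release manifest, never derived from the download itself.
GENUINE_RELEASE = b"constructed bytes of agent release 2.4.1"
PINNED_DIGESTS = {
    "agent-2.4.1.tar.gz": sha256_hex(GENUINE_RELEASE),
}


def verify_update(filename: str, data: bytes, pinned: dict = PINNED_DIGESTS) -> bool:
    """Return True only if `data` matches the pinned digest for `filename`.

    Artifacts with no pinned digest are rejected rather than waved through
    (fail closed). hmac.compare_digest gives a constant-time comparison,
    a good habit for any digest or MAC check.
    """
    expected = pinned.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def install_if_verified(filename: str, data: bytes) -> str:
    """Gate the install step on the integrity check; never install on failure."""
    if not verify_update(filename, data):
        return "rejected: digest mismatch or unknown artifact"
    return "installed"


if __name__ == "__main__":
    # Constructed tampered copy: the legitimate bytes plus an appended payload,
    # the shape of change a compromised distribution system would produce.
    tampered = GENUINE_RELEASE + b"\x00appended-payload"
    print(install_if_verified("agent-2.4.1.tar.gz", GENUINE_RELEASE))
    print(install_if_verified("agent-2.4.1.tar.gz", tampered))
    print(install_if_verified("agent-9.9.9.tar.gz", GENUINE_RELEASE))
```

The check only helps if the pinned digest does not travel through the same compromised system as the download; if the attacker controls both the artifact and the manifest, a hash alone proves nothing, and a signature verified against a key held by the customer is the stronger form of the same idea.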

To reduce risk, most product managers seek a detection and reporting solution so an exploit targeting a specific vulnerability cannot disrupt their entire system. In industries where safety and critical compliance requirements exist (automotive, aviation or healthcare), security is often a function of the level of compliance. But, despite any efforts to comply, attackers can insert malware into a system via suppliers, keeping those within the chain exposed to memory-based attacks that bypass root of trust, encryption, and intrusion detection systems.

The Atlantic Council recently said in a brief that while software security vulnerabilities are a natural result of the development process and cannot be fully eliminated, they are increasingly passing through the supply chain. And in many instances, a single software component can now compromise the operational integrity of many critical systems and devices.

Unfortunately, many companies, especially small and medium-sized suppliers, lack full visibility into their supply chain and have no process for assessing the cybersecurity of the third parties with which they share data or networks. This is a big problem when so many flaws are unintentionally built into software components.

Nonetheless, managing the supply chain is now a critical function of optimising quality, cost and reliability. In fact, many companies use it to create strategic advantages, drive brand differentiation and improve efficiencies. While stronger brands may have more contained influence over their supply chain, companies are seeking to diversify sources so as not to be impacted by a single supplier or the demands of one brand over another.

To fear or not to fear lack of supply chain control – that is the question

For many organisations, just the thought of not having full control over their supply chain produces anxiety. After all, lack of control could mean that suppliers might not be required to meet standards, which could ultimately put organisations at a higher .....
