As manufacturers continue to navigate the global pandemic, keeping their supply chain secure from cyber threats is challenging. With COVID-19 disrupting every aspect of day-to-day life, many organizations have struggled to maintain continuity amid financial instability. Burdened with unanticipated expenses, many third-party vendors had to cut costs to keep their businesses afloat.
It seems tempting to cut corners on security processes and procedures. That would be a mistake. Cyber attackers are using COVID-19’s chaos to exploit security vulnerabilities and gain access to sensitive information. Infiltrating manufacturers’ software supply chains is an efficient way to gain access to a target. In the last twelve months, 80 percent of vendors suffered a third-party-related breach.
Recent events have thrown supply-chain risks into sharp relief. The breach of SolarWinds demonstrates that the supply chain is only as strong as its weakest link. State-sponsored attackers embedded malicious code into SolarWinds Orion software, enabling them to access the networks of SolarWinds’ customers that installed the latest update. The attack on SolarWinds is not the first supply chain attack, but it is the largest seen to date. The campaign counted among its victims a dozen federal agencies and departments, security vendors such as FireEye, and even Microsoft itself. Damages will be in the billions.
To avoid becoming a victim of a catastrophic breach, manufacturers must strengthen their security postures and protect against cyber threats. The following five tactics can enhance the security of the supply chain.
- Identify all critical control infrastructure with privileged access. To combat cyber threats, it’s increasingly important to understand which software has deep, system-level access to servers and data, generally because it performs critical control functions. This includes software packages such as systems management, log management and security software, especially in operational networks. The more widely deployed the software is, the more interesting it will be to attackers, especially if it requires administrative or “root” access.
- Triage your vendors by risk. As cyber threats persist, manufacturers need to understand which software packages are the riskiest. Conduct supply-chain risk assessments to understand the volume and sensitivity of information that the software touches, processes or can access. Give special attention to cloud vendors, especially if they host sensitive intellectual property or personal information. Create a three-tier (A-B-C) strategy to rank suppliers by risk.
- Conduct formal review processes. Implement formal processes to vet and risk-assess all third-party software suppliers. Analyze high-risk vendors’ programs and policies to understand their security postures and the potential security risks they pose to your organization. Supplement existing staff, if necessary, with consultants to help you screen and rate vendor risks.
- Implement automated cybersecurity solutions for managing third-party risk. Use cloud-based services to systematically and regularly rate the external postures of vendors. These types of solutions help you understand the relative security of the entire supply base, and can create accurate, error-free data sets that reinforce risk management processes.
- Educate the C-Suite. An effective security program starts with buy-in from the executive team and the board. While most understand the importance of cybersecurity, you may be called upon to broaden awareness and justify why spending money on security processes, staff and products is necessary. Estimate the potential losses from a large-scale security breach, such as the one at SolarWinds. Use case studies to educate senior leaders about the severe financial and credibility ramifications.
As we enter 2021, uncertainties remain around the global economic and geopolitical climate. But one thing is certain. We must all be alert to threats to the software supply chain. We should anticipate many more threats targeting preferred suppliers. Each of us must act swiftly and decisively to safeguard our organizations’ reputations, fortunes and data.
Andy Jaquith is the Chief Information Security Officer at QOMPLX.