There was a time when all IT security teams had to worry about was the resources housed within their on-premises, firewall-protected infrastructures. As long as threats did not breach the walls, life was easy. Fast forward to 2022, however, and the picture is very different, Steve Singer, regional vice president and ANZ country manager at Zscaler, writes.
Remote workers and cloud-based resources mean that the concept of a secure perimeter is now almost meaningless.
Further challenges are being caused by a rise in supply chain cyber attacks. There is an urgent requirement for IT security teams to locate infrastructure blind spots and close off supply chain vulnerabilities before they become a major cyber threat to the business. These threats can result in a loss of revenue, a breakdown in trust in suppliers and a tarnished brand image.
Supply chain attacks involve cyber criminals introducing malicious code into tools or applications that are then sold on to third-party users. One high-profile example is the attack against software company SolarWinds, in which attackers compromised the company’s system management tools, which are used by hundreds of thousands of firms around the world.
This attack, and others like it, highlights the fact that security risks stem not only from an organisation’s own IT systems but also from those used by the vendors whose products and services it has enlisted. For instance, earlier this year, when German petrol supply firm Oiltanking was paralysed by a cyber attack, it was unable to operate 13 tank farms serving its truck delivery network.
Why software supply chain attacks are so worrying
The threat posed by supply chain attacks is particularly concerning because of the concerted, patient actions taken by the cyber criminals behind them. They can reside undetected on enterprise networks for months before launching a large-scale attack that affects thousands of companies.
For this reason, the evaluation of any new software application or tool in an IT systems modernisation program needs to cover not only the business benefits it will deliver, but also the processes the vendor has in place to support a secure software development life cycle (SDLC). The fact remains that a minimum-viable product adopted without this scrutiny will only create maximum security exposure down the road.
Risk-management best practices
Effectively managing supply chain cyber security risks is a complex challenge for any organisation. It requires transforming company culture so that risk assessment, especially of the impact of IT security vulnerabilities, becomes routine.
An organisation’s senior management sets the tone for its stance on cyber security and should be actively involved in developing company-wide supply chain risk management policies and processes.
This process needs to include the following steps:
- Framing the risks: IT teams should establish the context for risk-based decisions. They need to understand the current state of their organisation’s IT systems and identify any vulnerabilities associated with its supply chains.
- Assessing the risks: the team should then carefully review all identified threats and gain a clear understanding of the possible impact of an attack. The team needs to know the level of vulnerability that exists and the likelihood of an attack.
- Responding to identified risks: this is achieved by putting in place mitigation protocols based on the findings of the risk-assessment steps already completed.
- Ongoing risk monitoring: IT changes and supply chain updates must be monitored continuously for any new or changed weaknesses.
By committing to ongoing supply chain security improvement, an organisation can use these guidelines to adapt to emerging threats and respond better to changes as they occur. For digital-first businesses, however, it’s important to remember that certain risks are inevitable. Such enterprises are best served by mitigating risk through a company-wide strategy that keeps cyber security practices top-of-mind among all employees.
A business-wide challenge
To ensure that the steps required for effective supply chain security are taken, organisations must understand the full business impact that vulnerabilities and attacks can create.
These impacts can be felt across the organisation and have financial, operational and strategic implications. Taking a planned and systematic approach to the challenge significantly reduces the likelihood that they will be felt.
The threats posed by supply chain attacks remain significant for organisations throughout the world. However, by recognising the risks and taking the required steps to improve IT security, an organisation can lower its chances of falling victim.
Steve Singer is the regional vice president and ANZ country manager at Zscaler.